Analysis

  • max time kernel
    150s
  • max time network
    103s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64 arch:x86 image:win11-20250619-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    04/07/2025, 12:05

General

  • Target

    2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe

  • Size

    5.0MB

  • MD5

    da05404cb8d5af4f7ecc3366ed7f8b9d

  • SHA1

    acad65c14e7027521f82be3ab42c7aceaf5fc86f

  • SHA256

    e657a432aa54bfe93259ebfbd34dc4a3712133e5c134bc722f587db3e5dfa90c

  • SHA512

    bf92dde5fed7ec33ba0ea1e9ee81d6e736c713f80b913cce7749e658bb7356842146eb4e2ac2f64a4db6ae563ca2484457dfd055fe76bc1bcc3c19d138608eb9

  • SSDEEP

    98304:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLY:CjJS

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3304
      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3352
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E96.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1852
          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:3324
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7FFD.bat
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:904
              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3552
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8184.bat
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:6004
                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:2016
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a83A7.bat
                      9⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1368
                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                        10⤵
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of WriteProcessMemory
                        PID:1816
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a850E.bat
                          11⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4896
                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                            12⤵
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:5080
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8685.bat
                              13⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:896
                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                14⤵
                                • Executes dropped EXE
                                • Drops file in Windows directory
                                • Suspicious use of WriteProcessMemory
                                PID:1432
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8879.bat
                                  15⤵
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:1208
                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                    16⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of WriteProcessMemory
                                    PID:4320
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a89F0.bat
                                      17⤵
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of WriteProcessMemory
                                      PID:780
                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                        18⤵
                                        • Executes dropped EXE
                                        • Suspicious use of WriteProcessMemory
                                        PID:988
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8BA6.bat
                                          19⤵
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of WriteProcessMemory
                                          PID:4392
                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                            20⤵
                                            • Executes dropped EXE
                                            PID:5572
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8D4C.bat
                                              21⤵
                                                PID:2800
                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                  22⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  PID:5760
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8F11.bat
                                                    23⤵
                                                      PID:2352
                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                        24⤵
                                                        • Executes dropped EXE
                                                        PID:4616
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a90B7.bat
                                                          25⤵
                                                            PID:4028
                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                              26⤵
                                                              • Executes dropped EXE
                                                              PID:2320
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a922E.bat
                                                                27⤵
                                                                  PID:3344
                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                    28⤵
                                                                    • Executes dropped EXE
                                                                    PID:5340
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a93B4.bat
                                                                      29⤵
                                                                        PID:1476
                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                          30⤵
                                                                          • Executes dropped EXE
                                                                          • Drops file in Windows directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:4808
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9579.bat
                                                                            31⤵
                                                                              PID:3520
                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                32⤵
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:4780
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9700.bat
                                                                                  33⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:2040
                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                    34⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:2052
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a98A6.bat
                                                                                      35⤵
                                                                                        PID:2944
                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                          36⤵
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in Windows directory
                                                                                          PID:2584
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9A0D.bat
                                                                                            37⤵
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:1248
                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                              38⤵
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in Windows directory
                                                                                              PID:3844
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9B84.bat
                                                                                                39⤵
                                                                                                  PID:2340
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                    40⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in Windows directory
                                                                                                    PID:4976
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9D69.bat
                                                                                                      41⤵
                                                                                                        PID:4964
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                          42⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:5464
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9F4D.bat
                                                                                                            43⤵
                                                                                                              PID:2304
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                44⤵
                                                                                                                • Executes dropped EXE
                                                                                                                PID:800
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA0D4.bat
                                                                                                                  45⤵
                                                                                                                    PID:3852
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                      46⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in Windows directory
                                                                                                                      PID:4360
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA1FD.bat
                                                                                                                        47⤵
                                                                                                                          PID:5196
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                            48⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in Windows directory
                                                                                                                            PID:2308
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA3A2.bat
                                                                                                                              49⤵
                                                                                                                                PID:2296
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                  50⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:4292
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA47D.bat
                                                                                                                                    51⤵
                                                                                                                                      PID:4064
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                        52⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        PID:4392
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA4EB.bat
                                                                                                                                          53⤵
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:2424
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                            54⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            PID:4080
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA548.bat
                                                                                                                                              55⤵
                                                                                                                                                PID:3756
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                  56⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  PID:1172
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA587.bat
                                                                                                                                                    57⤵
                                                                                                                                                      PID:5708
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                        58⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:5004
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA5F4.bat
                                                                                                                                                          59⤵
                                                                                                                                                            PID:4784
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                              60⤵
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                              PID:3644
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA642.bat
                                                                                                                                                                61⤵
                                                                                                                                                                  PID:5204
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                    62⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    PID:5404
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA6A0.bat
                                                                                                                                                                      63⤵
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:1112
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                        64⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                        PID:2976
                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA6EE.bat
                                                                                                                                                                          65⤵
                                                                                                                                                                            PID:3004
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                              66⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              PID:2888
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA73C.bat
                                                                                                                                                                                67⤵
                                                                                                                                                                                  PID:4816
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                    68⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                    PID:4848
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA79A.bat
                                                                                                                                                                                      69⤵
                                                                                                                                                                                        PID:1476
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                          70⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          PID:5048
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA7D9.bat
                                                                                                                                                                                            71⤵
                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                            PID:576
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                              72⤵
                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                              PID:1040
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA884.bat
                                                                                                                                                                                                73⤵
                                                                                                                                                                                                  PID:676
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                    74⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                    PID:5688
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA9BD.bat
                                                                                                                                                                                                      75⤵
                                                                                                                                                                                                        PID:660
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                          76⤵
                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                          PID:5328
                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAD86.bat
                                                                                                                                                                                                            77⤵
                                                                                                                                                                                                              PID:4328
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                78⤵
                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                PID:4736
                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAE70.bat
                                                                                                                                                                                                                  79⤵
                                                                                                                                                                                                                    PID:2196
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                      80⤵
                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      PID:3380
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAF5A.bat
                                                                                                                                                                                                                        81⤵
                                                                                                                                                                                                                          PID:6076
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                            82⤵
                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                            PID:6004
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB054.bat
                                                                                                                                                                                                                              83⤵
                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                              PID:4064
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                84⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                PID:5264
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB13F.bat
                                                                                                                                                                                                                                  85⤵
                                                                                                                                                                                                                                    PID:4856
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                      86⤵
                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                      PID:5248
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB248.bat
                                                                                                                                                                                                                                        87⤵
                                                                                                                                                                                                                                          PID:1628
                                                                                                                                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                            88⤵
                                                                                                                                                                                                                                              PID:5196
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                              88⤵
                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                              PID:1304
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB323.bat
                                                                                                                                                                                                                                                89⤵
                                                                                                                                                                                                                                                  PID:6100
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                    90⤵
                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                    PID:1392
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB3FE.bat
                                                                                                                                                                                                                                                      91⤵
                                                                                                                                                                                                                                                        PID:4064
                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                          92⤵
                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                          PID:3092
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB4F8.bat
                                                                                                                                                                                                                                                            93⤵
                                                                                                                                                                                                                                                              PID:4856
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                94⤵
                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                PID:5452
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB602.bat
                                                                                                                                                                                                                                                                  95⤵
                                                                                                                                                                                                                                                                    PID:1896
                                                                                                                                                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                      96⤵
                                                                                                                                                                                                                                                                        PID:4328
                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                        96⤵
                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                        PID:3548
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB6BD.bat
                                                                                                                                                                                                                                                                          97⤵
                                                                                                                                                                                                                                                                            PID:5072
                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                              98⤵
                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                              PID:5024
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB71B.bat
                                                                                                                                                                                                                                                                                99⤵
                                                                                                                                                                                                                                                                                  PID:4976
                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                    100⤵
                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                    PID:2204
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB7A7.bat
                                                                                                                                                                                                                                                                                      101⤵
                                                                                                                                                                                                                                                                                        PID:5180
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                          102⤵
                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                          PID:1468
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB7F6.bat
                                                                                                                                                                                                                                                                                            103⤵
                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                            PID:4804
                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                              104⤵
                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                              PID:4284
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB853.bat
                                                                                                                                                                                                                                                                                                105⤵
                                                                                                                                                                                                                                                                                                  PID:5420
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                    106⤵
                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                    PID:3728
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB8D0.bat
                                                                                                                                                                                                                                                                                                      107⤵
                                                                                                                                                                                                                                                                                                        PID:3080
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                          108⤵
                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                          PID:2332
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB91E.bat
                                                                                                                                                                                                                                                                                                            109⤵
                                                                                                                                                                                                                                                                                                              PID:2192
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                110⤵
                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                PID:2660
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB98C.bat
                                                                                                                                                                                                                                                                                                                  111⤵
                                                                                                                                                                                                                                                                                                                    PID:5104
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                      112⤵
                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                      PID:1816
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB9EA.bat
                                                                                                                                                                                                                                                                                                                        113⤵
                                                                                                                                                                                                                                                                                                                          PID:4932
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                            114⤵
                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                            PID:4408
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBA47.bat
                                                                                                                                                                                                                                                                                                                              115⤵
                                                                                                                                                                                                                                                                                                                                PID:660
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                  116⤵
                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                  PID:5296
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBAB5.bat
                                                                                                                                                                                                                                                                                                                                    117⤵
                                                                                                                                                                                                                                                                                                                                      PID:5592
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                        118⤵
                                                                                                                                                                                                                                                                                                                                          PID:3092
                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                          118⤵
                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                          PID:5144
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBCE7.bat
                                                                                                                                                                                                                                                                                                                                            119⤵
                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                            PID:4856
                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                              120⤵
                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                              PID:5088
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBD35.bat
                                                                                                                                                                                                                                                                                                                                                121⤵
                                                                                                                                                                                                                                                                                                                                                  PID:5456
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                    122⤵
                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                    PID:2828
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBDA3.bat
                                                                                                                                                                                                                                                                                                                                                      123⤵
                                                                                                                                                                                                                                                                                                                                                        PID:2452
                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                          124⤵
                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                          PID:2340
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBE20.bat
                                                                                                                                                                                                                                                                                                                                                            125⤵
                                                                                                                                                                                                                                                                                                                                                              PID:3148
                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                126⤵
                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                PID:1568
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBE7D.bat
                                                                                                                                                                                                                                                                                                                                                                  127⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:5180
                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                      128⤵
                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                      PID:6092
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBF1A.bat
                                                                                                                                                                                                                                                                                                                                                                        129⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:4620
                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                            130⤵
                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                            PID:3376
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBF68.bat
                                                                                                                                                                                                                                                                                                                                                                              131⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:5420
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                  132⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:2332
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBFE5.bat
                                                                                                                                                                                                                                                                                                                                                                                      133⤵
                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                      PID:3996
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                        134⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:4292
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC043.bat
                                                                                                                                                                                                                                                                                                                                                                                            135⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:4376
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                136⤵
                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                PID:2020
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC0B0.bat
                                                                                                                                                                                                                                                                                                                                                                                                  137⤵
                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                  PID:5136
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                    138⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:5936
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC10E.bat
                                                                                                                                                                                                                                                                                                                                                                                                        139⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:344
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                            140⤵
                                                                                                                                                                                                                                                                                                                                                                                                              PID:4784
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC15C.bat
                                                                                                                                                                                                                                                                                                                                                                                                                141⤵
                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                PID:4360
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                  142⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1180
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC1BA.bat
                                                                                                                                                                                                                                                                                                                                                                                                                      143⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5156
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                          144⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4872
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC227.bat
                                                                                                                                                                                                                                                                                                                                                                                                                              145⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5488
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                146⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5532
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC294.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                  147⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5868
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                      148⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4816
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC2F2.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                          149⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:860
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                              150⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3372
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC36F.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                151⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3176
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                  152⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2656
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC3CD.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                    153⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1664
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                        154⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:968
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC479.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                          155⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5908
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                              156⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5336
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC4E6.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                157⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3012
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    158⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3812
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC5C1.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      159⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1928
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        160⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4856
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          160⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2616
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC68C.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              161⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5440
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  162⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2828
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC7D4.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    163⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1292
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        164⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1536
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC8BE.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          165⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5152
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            166⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:4696
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC999.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                167⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    168⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:344
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCA93.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        169⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:6104
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            170⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:6064
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCBAC.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                171⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2004
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    172⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:244
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCCD5.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        173⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2460
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            174⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3844
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD002.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                175⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2420
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    176⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1604
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD0EC.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        177⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5256
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          178⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3188
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD205.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            179⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3484
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                180⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5152
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  180⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:4364
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD32E.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    181⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2420
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        182⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5716
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD37C.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            183⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3976
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              184⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5944
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD3DA.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  185⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5704
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      186⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5376
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD448.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        187⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4996
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          188⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5888
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD4A5.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            189⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5596
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                190⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1112
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD4F3.bat
191⤵
  PID:5600
  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
    192⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:4424
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD551.bat
      193⤵
        PID:4696
        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
          194⤵
            PID:2340
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD5CE.bat
              195⤵
                PID:3836
                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                  196⤵
                    PID:1120
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD62C.bat
                      197⤵
                        PID:5908
                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                          198⤵
                          • Drops file in Windows directory
                          PID:3868
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD6D8.bat
                            199⤵
                              PID:3912
                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                200⤵
                                  PID:3376
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD736.bat
                                    201⤵
                                      PID:4500
                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                        202⤵
                                          PID:4404
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD7C2.bat
                                            203⤵
                                              PID:4292
                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                204⤵
                                                  PID:6068
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD83F.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      205⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1540
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          206⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4648
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD8AD.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            207⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2720
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                208⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:980
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD92A.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  209⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:6016
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      210⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5408
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD997.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        211⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2292
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          212⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD9F5.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            213⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3364
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                214⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2240
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDA72.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  215⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5156
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      216⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2860
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDAC0.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        217⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3772
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            218⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1708
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDB0E.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              219⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4856
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  220⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3744
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDB7B.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    221⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5536
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      222⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1780
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDBF8.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          223⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:5656
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              224⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5780
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDC66.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  225⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2052
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      226⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5660
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDCE3.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        227⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2744
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            228⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1180
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDD50.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              229⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1232
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  230⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3012
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDDBD.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      231⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:4412
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          232⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1200
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDE0C.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            233⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2208
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                234⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4824
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDE89.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  235⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5496
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      236⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5384
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDEF6.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        237⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6140
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          238⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3500
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDF63.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              239⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3400
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  240⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3000
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDFC1.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    241⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5452
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        242⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5612
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE02E.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            243⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5400
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                244⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5448
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE08C.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    245⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5276
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        246⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1408
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE0FA.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            247⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2868
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                248⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3352
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE196.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    249⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      250⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:6100
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE203.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          251⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3248
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            252⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3484
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE261.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                253⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    254⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:768
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE2AF.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        255⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:928
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            256⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3764
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE30D.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                257⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    258⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:5704
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE37A.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      259⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5052
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          260⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:5888
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE3C8.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            261⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4704
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              262⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:228
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE484.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                263⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5024
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    264⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:568
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE4E2.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      265⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5040
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        266⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:5964
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE54F.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          267⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2576
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              268⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3444
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE5BC.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                269⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2532
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    270⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:8
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE62A.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        271⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          272⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:4396
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE6C6.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            273⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3996
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              274⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:5088
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE714.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                275⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:4708
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  276⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2424
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE781.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    277⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1432
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        278⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2064
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE7D0.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            279⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:4908
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              280⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5016
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE81E.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  281⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1192
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      282⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:5296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE87B.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        283⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2764
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            284⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3096
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE8D9.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              285⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:5560
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  286⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:5404
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE937.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    287⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2944
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        288⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3208
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE9A4.bat
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            289⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3512
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              290⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2008
                                                                                                                                                                                                                                                                                                                • C:\Windows\Logo1_.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\Logo1_.exe
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                  • Drops startup file
                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                  • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                  • Drops file in Program Files directory
                                                                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                  PID:1532
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\net.exe
                                                                                                                                                                                                                                                                                                                    net stop "Kingsoft AntiVirus Service"
                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                    PID:924
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                        PID:112

                                                                                                                                                                                                                                                                                                              Network

                                                                                                                                                                                                                                                                                                                    MITRE ATT&CK Enterprise v16

                                                                                                                                                                                                                                                                                                                    Downloads

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a7E96.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a7FFD.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a8184.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a83A7.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a850E.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a8685.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a8879.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a89F0.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a8BA6.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a8D4C.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a8F11.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a90B7.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B


                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a922E.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B


                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a93B4.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B


                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a9579.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B


                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a9700.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B


                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a98A6.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B


                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a9A0D.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B


                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a9B84.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B


                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a9D69.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a9F4D.bat

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      776B

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.4MB

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      5.0MB

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.9MB

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      5.0MB

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.9MB

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.8MB

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.9MB

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.8MB

                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      485484a2f1b04169655003deb401acd4

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      011d38bc72c6a7340d83422042598fd91efcf618

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      3f45a0a5154d3d23c64942ea6890a306f3308a95fcd806074a10aeef18570af2

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      a547d7c25a26af0488dabef0ce345ab85e3ec0b0a9ee21d24aaa8f82367dd5cbcd8122f514a6f0f579e3aa1dda56a25dc8f20e32b4fb6a5acc9c1de1dad6feef

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.8MB

                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      250b3dda48df2d14e7bb536994822b42

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      eac7926a645df867cde72f58487b361d88b15027

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      617670ea14a1bee928e35179461e621a748733ae54579f10e7fa9476746fe819

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      b277bbe8447915a563e8a33e685f7942858b9e0cb43b84dfebf710f4c0c6144a04354735b110a5f7790b107ed8e0e2c991411d1192b39e375334b26634264d77

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.7MB

                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      2790f79b2751ff31b42a5adbb1d735f7

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      42c89ccd61c74fabfccd7f139627f32776040a8c

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      b8f468666866e9d358805677b7171aa8a9c2264e9c462792f766a7a89b98bb0f

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      1311f96e30fcf6dc58061459a59ab2533466cecae3d01bc6b4a01adda79e2dcfa25dd8d32ceae958e0f25318d313644d9ff5249b7c62ae42ff4552c485726588

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.7MB

                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      9de4a56d9e9e0439babb4c4e50e7e420

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      62a8cc77bbe32ae8ba9caca4c7247a74ad3c443b

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      76ffa186c33c1a6887f0d53c4e9a5b1b2d7ad35ad8018492351025c9fbf23b75

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      80c6b59b031f9158ea3b3c2abc90b3c1c9f5c74a618bea3dc38741d0aea67e0036dee667ef2bbc11077d57a4cdbede35955b4829fb6aea48234fe6dc0adea062

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.6MB

                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      5dbe38913e68b2bb0e4af11bccb686cc

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      8705f93bc0b170e456c4e7eed1f27657ab6d6657

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      eaa296f7df6b8458bdbcc57f8d3ff9156b2685276c9a39f57ac895f5654edb7f

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      9f9d1de40a4eaf979931c3b52b6916fef689fc387d6eb7057afef79546cde41904b6b484f621fbbfe43eae62d270b840e8747e15740dc31ca337e25f9bda642e

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.7MB

                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      9d4488175ef3cd5dfa15483e658b8baf

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      e09bb89ecb5f3aabb46adfda347cc77ba0af1051

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      e82dc11db5e368f864214a1c1632b8bec256a3e6e9251ade10bb2acb15f83a9c

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      31fcba6ea4c062c03d0e20720ac06c24111533230f58002e0551ad4a779c6a6dd073a0d4bb4cf0e43cf11f7bf17497c731cd84cb76129f27e775f8e443f7d091

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.6MB

                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      9337a4f8948cf68787a7294e6780f6e0

                                                                                                                                                                                                                                                                                                                      SHA1

                                                                                                                                                                                                                                                                                                                      67417c67b6675c95a3113749cf97d67b71be950d

                                                                                                                                                                                                                                                                                                                      SHA256

                                                                                                                                                                                                                                                                                                                      497ba926c05ef9a7c2816b930ccec8a2a48f675fb727c8ce257673d378a55ebb

                                                                                                                                                                                                                                                                                                                      SHA512

                                                                                                                                                                                                                                                                                                                      2074398d23447a64c835f28cbd9cc2e2f770aa2d397c2e4533afc3d817c7be5c376a5266113e5d96188da0b6622e82d44fdd94b40239ae648088e98a1cc4c5bd

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.6MB

                                                                                                                                                                                                                                                                                                                      MD5

                                                                                                                                                                                                                                                                                                                      17b5e016f76c1d3880246f6decf12190

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.5MB

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.5MB

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.4MB

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.5MB

                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_da05404cb8d5af4f7ecc3366ed7f8b9d_amadey_elex_smoke-loader_stop.exe.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      4.4MB

                                                                                                                                                                                                                                                                                                                    • C:\Windows\Logo1_.exe

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      32KB

                                                                                                                                                                                                                                                                                                                    • F:\$RECYCLE.BIN\S-1-5-21-3625340254-1625357543-1797847221-1000\_desktop.ini

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      8B

                                                                                                                                                                                                                                                                                                                    • memory/968-6314-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/980-10736-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/988-77-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1040-2083-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1112-10691-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1120-10706-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1172-1920-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1180-10786-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1180-6284-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1200-10796-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1296-10746-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1304-4633-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1392-4953-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1408-10831-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1432-63-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1468-5704-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1532-1921-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1532-92-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1532-9-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1536-7781-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1568-6241-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1604-9864-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1708-10761-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1780-10771-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1816-5724-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/1816-42-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/2016-35-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/2020-6265-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/3444-10886-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/3484-10846-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/3500-10811-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/3548-5692-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/3552-26-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/3644-1929-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/3728-5712-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/3744-10766-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/3764-10856-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/3812-6676-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/3844-158-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/3844-9574-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/3868-10711-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/4080-1916-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/4284-5708-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/4292-1908-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/4292-6260-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/4320-70-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/4360-1212-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/4364-10666-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/4392-1912-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/4396-10896-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/4404-10721-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/4408-5728-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/4424-10696-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/4616-105-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/4648-10731-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/4696-8002-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/4736-3197-0x0000000000400000-0x0000000000445000-memory.dmp


                                                                                                                                                                                                                                                                                                                    • memory/5688-2596-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/5704-10861-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/5716-10671-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/5760-96-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/5780-10776-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/5888-10686-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/5888-10866-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/5936-6274-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/5944-10676-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/5964-10881-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/6004-3805-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/6064-8679-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/6068-10726-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/6092-6245-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB

                                                                                                                                                                                                                                                                                                                    • memory/6100-10841-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                      276KB