Analysis
max time kernel: 149s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250619-en locale:en-us os:windows10-2004-x64 system
submitted: 04/07/2025, 12:13
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
Resource: win10v2004-20250619-en
General
Target: 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
Size: 2.3MB
MD5: ccd8fe83b3d1ac5c96579c464a5b5553
SHA1: b5563fe70d4aeed1b64ae61e7c49c5a9fa458069
SHA256: 4085f4b81411c793a9b8790fc3b56d80d4b8a695e4f7f590dc267ebb10e5c80a
SHA512: 54cf0218e375d19d784f71c37a00d53b41a3837bcd34ed508a599491488d8f50bf8887542b8091f218e1b331a4b7ce3dd864897f913a3814c09723632b163b9d
SSDEEP: 49152:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLeuT9:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL1
Malware Config
Signatures
-
Drops startup file 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
Executes dropped EXE 61 IoCs
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 63 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3416
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a64A5.bat3⤵
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a667A.bat5⤵
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a67F1.bat7⤵
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"8⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a69C6.bat9⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6AA1.bat11⤵
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"12⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6BAA.bat13⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"14⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6CB4.bat15⤵
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"16⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6DFC.bat17⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"18⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6F06.bat19⤵
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"20⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1480 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6FA2.bat21⤵PID:1728
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"22⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a707D.bat23⤵
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"24⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1592 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a71D4.bat25⤵PID:4824
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"26⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1412 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a734B.bat27⤵
- System Location Discovery: System Language Discovery
PID:4336 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"28⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a73C8.bat29⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"30⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7484.bat31⤵
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"32⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a756E.bat33⤵PID:3788
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"34⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4856 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a76B6.bat35⤵PID:1828
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"36⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a77D0.bat37⤵PID:692
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"38⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a78D9.bat39⤵PID:3108
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"40⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4372 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a79A4.bat41⤵PID:2168
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"42⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7AAE.bat43⤵PID:4444
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"44⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7B5A.bat45⤵PID:1716
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"46⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7BE7.bat47⤵PID:3252
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"48⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7C54.bat49⤵
- System Location Discovery: System Language Discovery
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"50⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3576 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7CF0.bat51⤵
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"52⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7D6D.bat53⤵
- System Location Discovery: System Language Discovery
PID:1108 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"54⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4296 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7DCB.bat55⤵
- System Location Discovery: System Language Discovery
PID:4968 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"56⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E48.bat57⤵
- System Location Discovery: System Language Discovery
PID:4564 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"58⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3192 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7EB5.bat59⤵
- System Location Discovery: System Language Discovery
PID:4300 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"60⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7F03.bat61⤵
- System Location Discovery: System Language Discovery
PID:4836 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"62⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5004 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7F61.bat63⤵
- System Location Discovery: System Language Discovery
PID:4216 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"64⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:212 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7FDE.bat65⤵PID:3504
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"66⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a801D.bat67⤵PID:4592
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"68⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:692 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a807A.bat69⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"70⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a80D8.bat71⤵
- System Location Discovery: System Language Discovery
PID:3508 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"72⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4220 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8136.bat73⤵
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"74⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1268 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a81E2.bat75⤵
- System Location Discovery: System Language Discovery
PID:3100 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"76⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a829D.bat77⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"78⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4168 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8378.bat79⤵
- System Location Discovery: System Language Discovery
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"80⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8443.bat81⤵
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"82⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a853D.bat83⤵PID:1044
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"84⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8618.bat85⤵PID:3176
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"86⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8712.bat87⤵
- System Location Discovery: System Language Discovery
PID:1892 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"88⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1432 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a87BE.bat89⤵PID:4444
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"90⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3148 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a882B.bat91⤵
- System Location Discovery: System Language Discovery
PID:3744 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"92⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8899.bat93⤵
- System Location Discovery: System Language Discovery
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"94⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4164 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a88F6.bat95⤵
- System Location Discovery: System Language Discovery
PID:4980 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"96⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2260 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8954.bat97⤵
- System Location Discovery: System Language Discovery
PID:5028 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"98⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3364 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a89A2.bat99⤵PID:1844
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"100⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1392 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8A00.bat101⤵
- System Location Discovery: System Language Discovery
PID:3964 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe" 102⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4324
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8A4E.bat 103⤵
- System Location Discovery: System Language Discovery
PID:456
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe" 104⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1396
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8ABB.bat 105⤵
- System Location Discovery: System Language Discovery
PID:2368
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe" 106⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2232
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8B0A.bat 107⤵
- System Location Discovery: System Language Discovery
PID:4756
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe" 108⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2228
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8B67.bat 109⤵
PID:3436
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe" 110⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:460
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8BC5.bat 111⤵
- System Location Discovery: System Language Discovery
PID:3624
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe" 112⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4152
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8C81.bat 113⤵
- System Location Discovery: System Language Discovery
PID:4508
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe" 114⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4864
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9088.bat 115⤵
PID:4224
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe" 116⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1828
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9143.bat 117⤵
PID:628
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe" 118⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3032
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a920E.bat 119⤵
- System Location Discovery: System Language Discovery
PID:2916
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe" 120⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3228
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a92BA.bat 121⤵
PID:4420
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe" 122⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3032