Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250619-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04/07/2025, 12:13

General

  • Target

    2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe

  • Size

    2.3MB

  • MD5

    ccd8fe83b3d1ac5c96579c464a5b5553

  • SHA1

    b5563fe70d4aeed1b64ae61e7c49c5a9fa458069

  • SHA256

    4085f4b81411c793a9b8790fc3b56d80d4b8a695e4f7f590dc267ebb10e5c80a

  • SHA512

    54cf0218e375d19d784f71c37a00d53b41a3837bcd34ed508a599491488d8f50bf8887542b8091f218e1b331a4b7ce3dd864897f913a3814c09723632b163b9d

  • SSDEEP

    49152:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLeuT9:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL1

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 61 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 63 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3416
      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a64A5.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3376
          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4988
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a667A.bat
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:444
              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of WriteProcessMemory
                PID:1032
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a67F1.bat
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2680
                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                    8⤵
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1876
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a69C6.bat
                      9⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:2700
                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                        10⤵
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of WriteProcessMemory
                        PID:5048
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6AA1.bat
                          11⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4584
                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                            12⤵
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            • Suspicious use of WriteProcessMemory
                            PID:1476
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6BAA.bat
                              13⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:4196
                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                14⤵
                                • Executes dropped EXE
                                • Drops file in Windows directory
                                • Suspicious use of WriteProcessMemory
                                PID:4592
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6CB4.bat
                                  15⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:3984
                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                    16⤵
                                    • Executes dropped EXE
                                    • Drops file in Windows directory
                                    • Suspicious use of WriteProcessMemory
                                    PID:3128
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6DFC.bat
                                      17⤵
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of WriteProcessMemory
                                      PID:2852
                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                        18⤵
                                        • Executes dropped EXE
                                        • Drops file in Windows directory
                                        • Suspicious use of WriteProcessMemory
                                        PID:2144
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6F06.bat
                                          19⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:3640
                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                            20⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            • System Location Discovery: System Language Discovery
                                            PID:1480
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6FA2.bat
                                              21⤵
                                                PID:1728
                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                  22⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2580
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a707D.bat
                                                    23⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2928
                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                      24⤵
                                                      • Executes dropped EXE
                                                      • Drops file in Windows directory
                                                      PID:1592
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a71D4.bat
                                                        25⤵
                                                          PID:4824
                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                            26⤵
                                                            • Executes dropped EXE
                                                            • Drops file in Windows directory
                                                            PID:1412
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a734B.bat
                                                              27⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:4336
                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                28⤵
                                                                • Executes dropped EXE
                                                                • Drops file in Windows directory
                                                                • System Location Discovery: System Language Discovery
                                                                PID:1936
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a73C8.bat
                                                                  29⤵
                                                                    PID:4300
                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                      30⤵
                                                                      • Executes dropped EXE
                                                                      • Drops file in Windows directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:1956
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7484.bat
                                                                        31⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2136
                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                          32⤵
                                                                          • Executes dropped EXE
                                                                          • Drops file in Windows directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2816
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a756E.bat
                                                                            33⤵
                                                                              PID:3788
                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                34⤵
                                                                                • Executes dropped EXE
                                                                                • Drops file in Windows directory
                                                                                PID:4856
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a76B6.bat
                                                                                  35⤵
                                                                                    PID:1828
                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                      36⤵
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in Windows directory
                                                                                      PID:1888
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a77D0.bat
                                                                                        37⤵
                                                                                          PID:692
                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                            38⤵
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in Windows directory
                                                                                            PID:4820
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a78D9.bat
                                                                                              39⤵
                                                                                                PID:3108
                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                  40⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in Windows directory
                                                                                                  PID:4372
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a79A4.bat
                                                                                                    41⤵
                                                                                                      PID:2168
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                        42⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in Windows directory
                                                                                                        PID:4940
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7AAE.bat
                                                                                                          43⤵
                                                                                                            PID:4444
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                              44⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in Windows directory
                                                                                                              PID:3812
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7B5A.bat
                                                                                                                45⤵
                                                                                                                  PID:1716
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                    46⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in Windows directory
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:2256
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7BE7.bat
                                                                                                                      47⤵
                                                                                                                        PID:3252
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                          48⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in Windows directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:3872
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7C54.bat
                                                                                                                            49⤵
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:4756
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                              50⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in Windows directory
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:3576
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7CF0.bat
                                                                                                                                51⤵
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:1592
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                  52⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in Windows directory
                                                                                                                                  PID:1396
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7D6D.bat
                                                                                                                                    53⤵
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:1108
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                      54⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Drops file in Windows directory
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      PID:4296
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7DCB.bat
                                                                                                                                        55⤵
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:4968
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                          56⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Drops file in Windows directory
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:1936
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E48.bat
                                                                                                                                            57⤵
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:4564
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                              58⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Drops file in Windows directory
                                                                                                                                              PID:3192
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7EB5.bat
                                                                                                                                                59⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:4300
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                  60⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                  PID:2828
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7F03.bat
                                                                                                                                                    61⤵
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:4836
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                      62⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:5004
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7F61.bat
                                                                                                                                                        63⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:4216
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                          64⤵
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:212
                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7FDE.bat
                                                                                                                                                            65⤵
                                                                                                                                                              PID:3504
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                66⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                PID:4964
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a801D.bat
                                                                                                                                                                  67⤵
                                                                                                                                                                    PID:4592
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                      68⤵
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                      PID:692
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a807A.bat
                                                                                                                                                                        69⤵
                                                                                                                                                                          PID:4348
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                            70⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                            PID:3108
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a80D8.bat
                                                                                                                                                                              71⤵
                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                              PID:3508
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                72⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                PID:4220
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8136.bat
                                                                                                                                                                                  73⤵
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  PID:2232
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                    74⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                    PID:1268
                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a81E2.bat
                                                                                                                                                                                      75⤵
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      PID:3100
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                        76⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                        PID:3504
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a829D.bat
                                                                                                                                                                                          77⤵
                                                                                                                                                                                            PID:4940
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                              78⤵
                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                              PID:4168
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8378.bat
                                                                                                                                                                                                79⤵
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                PID:5004
                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                  80⤵
                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                  PID:3036
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8443.bat
                                                                                                                                                                                                    81⤵
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    PID:2368
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                      82⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      PID:5000
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a853D.bat
                                                                                                                                                                                                        83⤵
                                                                                                                                                                                                          PID:1044
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                            84⤵
                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            PID:4640
                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8618.bat
                                                                                                                                                                                                              85⤵
                                                                                                                                                                                                                PID:3176
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                  86⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                  PID:3888
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8712.bat
                                                                                                                                                                                                                    87⤵
                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                    PID:1892
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                      88⤵
                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      PID:1432
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a87BE.bat
                                                                                                                                                                                                                        89⤵
                                                                                                                                                                                                                          PID:4444
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                            90⤵
                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                            PID:3148
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a882B.bat
                                                                                                                                                                                                                              91⤵
                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                              PID:3744
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                92⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                PID:3968
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8899.bat
                                                                                                                                                                                                                                  93⤵
                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                  PID:4408
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                    94⤵
                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                    PID:4164
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a88F6.bat
                                                                                                                                                                                                                                      95⤵
                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                      PID:4980
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                        96⤵
                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                        PID:2260
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8954.bat
                                                                                                                                                                                                                                          97⤵
                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                          PID:5028
                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                            98⤵
                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                            PID:3364
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a89A2.bat
                                                                                                                                                                                                                                              99⤵
                                                                                                                                                                                                                                                PID:1844
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                  100⤵
                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                  PID:1392
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8A00.bat
                                                                                                                                                                                                                                                    101⤵
                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                    PID:3964
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                      102⤵
                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                      PID:4324
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8A4E.bat
                                                                                                                                                                                                                                                        103⤵
                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                        PID:456
                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                          104⤵
                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                                                          PID:1396
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8ABB.bat
                                                                                                                                                                                                                                                            105⤵
                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                            PID:2368
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                              106⤵
                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                              PID:2232
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8B0A.bat
                                                                                                                                                                                                                                                                107⤵
                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                PID:4756
                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                  108⤵
                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                  PID:2228
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8B67.bat
                                                                                                                                                                                                                                                                    109⤵
                                                                                                                                                                                                                                                                      PID:3436
                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                        110⤵
                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                        PID:460
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8BC5.bat
                                                                                                                                                                                                                                                                          111⤵
                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                          PID:3624
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                            112⤵
                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                            PID:4152
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8C81.bat
                                                                                                                                                                                                                                                                              113⤵
                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                              PID:4508
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                114⤵
                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                PID:4864
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9088.bat
                                                                                                                                                                                                                                                                                  115⤵
                                                                                                                                                                                                                                                                                    PID:4224
                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                      116⤵
                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                      PID:1828
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9143.bat
                                                                                                                                                                                                                                                                                        117⤵
                                                                                                                                                                                                                                                                                          PID:628
                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                            118⤵
                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                            PID:3032
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a920E.bat
                                                                                                                                                                                                                                                                                              119⤵
                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                              PID:2916
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                120⤵
                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                PID:3228
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a92BA.bat
                                                                                                                                                                                                                                                                                                  121⤵
                                                                                                                                                                                                                                                                                                    PID:4420
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                      122⤵
                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                      PID:3032
                                                      • C:\Windows\Logo1_.exe
                                                        C:\Windows\Logo1_.exe
                                                        3⤵
                                                        • Drops startup file
                                                        • Executes dropped EXE
                                                        • Enumerates connected drives
                                                        • Drops file in Program Files directory
                                                        • Drops file in Windows directory
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:3604
                                                        • C:\Windows\SysWOW64\net.exe
                                                          net stop "Kingsoft AntiVirus Service"
                                                          4⤵
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:2276
                                                          • C:\Windows\SysWOW64\net1.exe
                                                            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                                                            5⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2124

                                                  Network

                                                        MITRE ATT&CK Enterprise v16

                                                        Downloads

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a64A5.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          ec99b0a1b7673db5d1965a6a05906ed1

                                                          SHA1

                                                          04d01a09b0e19893f640bcbc8f3e1e3cbb76ba2a

                                                          SHA256

                                                          7c6b4a283186d5d19e4d7e0b81acbae01834471fa41f5e232628675c11a2c08d

                                                          SHA512

                                                          b3b0a3c72a460e54b36cb94216ec6a11a72a6c17fc63c7e95aa2f7c010f93c513cd520c492df45b257a45fcb432d876c750b1de43cef6b4816bf06b4d271fc6d

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a667A.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          4084ddcc20aab3b55cf62ae6fc3fecc9

                                                          SHA1

                                                          900549795d60b7abb4dc446fac190808bbf8646a

                                                          SHA256

                                                          19b3e69acf550bbb7118fc5aefe069fda02921cb8fa271a65f89b91a2f09c188

                                                          SHA512

                                                          77edd4214d841270052693b7578649f087d28a56c8b935038efc8cb186018337c07bd4c9d772d1cdee71ba024aab4a3cbf26c808d5c13e0ef0e5b0f3a782e483

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a67F1.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          0e2aa693639b8fc31684698d56744d92

                                                          SHA1

                                                          af8b5c17f33d546ff1dc42bc5d70ec53c617d7af

                                                          SHA256

                                                          d52924cf35eb0fb880e8938ae686db24734ff0b75caaf75a24bfeb3d7df8a27d

                                                          SHA512

                                                          2465d18fd61609a59152fd269632fb5f748996298e45f1c0e6c6ea6b50719ad2e0348ed364957bf09eb13b5f1a48ad7bbc8c27f84d2cc3a3b45f46a541677259

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a69C6.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          a5e51307c3e9c1bb2b9b21de9e98c523

                                                          SHA1

                                                          8e6a0d50fc0101a4320cd6a6ab7285f86e815233

                                                          SHA256

                                                          1a80cc8a4955ff5008ba1cc8a36fce33c084567ea76549c87702d4e003fb504f

                                                          SHA512

                                                          f579a319493b0605e04ceac33e7721a0871d582d774ac690efe771f9668e7814788190697807ab5d7b8f297043b4a1fe7a282dbf2972c84c97f916c9c0c8b36f

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a6AA1.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          33b4ef2ff969a9a51551bec427528a53

                                                          SHA1

                                                          0838ebd388e9c8fa76324aa8a9d4eeb8d60472d0

                                                          SHA256

                                                          0506c7f4fe95de573544d5e8b5553f3b3cf3b7f26b1c12d8108272642ad11c76

                                                          SHA512

                                                          b51680f6720566e1c2a0e0c8a0b6148d749d4a9af048fd241469cf8097eae8433c31ddf2bb39ae4ea3cf457222f1391218459f0cf861e1244b669f3ff8543083

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a6BAA.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          3dc56768caa88fef606170c6598ce81d

                                                          SHA1

                                                          4a68bf5c06136300ec88c6b467daba9b28eb8578

                                                          SHA256

                                                          7226f09a51518a0a4df71048a7b516164b2c2d6191c7616708f0036f0cb9f468

                                                          SHA512

                                                          440b7ba6242033340d6e73fa8fbb3a49c0d0ea282508336f77555b8b1ed25a5c513688ed5a16add89c94038f0424dbaf6b510eaceb5cf078af1cbb32b5358f4a

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a6CB4.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          6875bf2ab37be6eecdc483c70abee0d3

                                                          SHA1

                                                          1560c0d4bc83aa175ed1fe2d690586e330588e0b

                                                          SHA256

                                                          ca37eee1d0582684aba4c0442c18c7ea33a730c9e448ec109328d451306b839d

                                                          SHA512

                                                          de0d47c4ef95568faeb2b63854036694984018b259e38afe408213aed51044c613dc73a30f46fa965fdc09c70a4043208076f2207d0bdf999ac421d0daead8a4

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a6DFC.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          623cbb7f15697272c7df20a1ffb54b3b

                                                          SHA1

                                                          6879557a322dd854ec28e0b8eb0eeae34359ea2d

                                                          SHA256

                                                          6b3bd8bd33bebedf417f8ea937358e6d0e9ca41809ffac4588a98287f98d480f

                                                          SHA512

                                                          682149c37dd359d287eab5f5f13f911bc766cd1b31ffcc705de10322493735e9886115a43ce25f43626eafcc764f7c4635fc8214490797be8d86b9ffa4a9a654

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a6F06.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          3d3d9a64fd1ee6fc45817959e3017d35

                                                          SHA1

                                                          a474ba28f9b3c1f6feb63ec2b2979110a144e4ac

                                                          SHA256

                                                          a77f48752d56ebb1e6cb9d44d21126e6488a823fc1aef83b53c276c41458fa70

                                                          SHA512

                                                          690e8ab2ac162f7308e2138cae4e6ccb221f9c963823b1f265df8d62c5d46cba43acb3191948e9bbbf78baddc4062f54ee0bdcb695467f612849882e80781253

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a6FA2.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          e575d6d4deafd3900aaa45c546a59b6c

                                                          SHA1

                                                          6d780e6264c49f7bc21da5be05bb9f33b2169e81

                                                          SHA256

                                                          80ec038069274a970a5a2cd1788dbf425e40db817827f44266879a825fff5028

                                                          SHA512

                                                          69dc1fc775234f714585f16367e232f32bbfea7f6cdb23d723aa67553e1ca71f44a52c80b37f5db0f4fba8e3934bb96db48a919390ad6ec4068345591d377f0d

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a707D.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          ef3904e0aa09d7249a550ff70b134e09

                                                          SHA1

                                                          fa1502663140474d4fc24c23b0ee8d355ca32249

                                                          SHA256

                                                          66d06d60be923d074202ceeb5ddda7b2103e59d086cc0054d41625182a4e4abc

                                                          SHA512

                                                          57dc6ad98815007a7583b146e44209582ce9b3ba93ddaaca68fdc7de6131d47eaecd4f7a405d10c533d4fbcc9b8b8cb0e15a55188b096d73f772f27297721170

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a71D4.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          5cfc8f20170c7ae42d87240b6deb8122

                                                          SHA1

                                                          ea311d1b8ff67ceb9e01f740a536d6c40c7130fe

                                                          SHA256

                                                          b6dcfd9c1f18c886a61ac55e2d91788d6a3056c0995367a616103342395d98db

                                                          SHA512

                                                          016774d9c2e465695da176f0ac05aec62f1ec14685e5f9e3f27496a4d2d96bdb1425dff64856cbfd9e373677931e7a3bc87da5cb544294a36f9606a8e33850a7

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a734B.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          69f4a48e2f88758a73662938213a98fa

                                                          SHA1

                                                          8d610557dd54784d42863ace4704e748c18706e0

                                                          SHA256

                                                          47a7839ca9bcab3f42ffa8caaf7629cc6a8ce4c2b2087d6bcff84026bdc13d5b

                                                          SHA512

                                                          778552dafb564d3322816251b77c9a53d89d3ee3b49617b68bdea574066eade698b445b1b55ca758da1b695c46101c69f42f7039546c74635f9f740054493bbd

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a73C8.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          42ed8af7889fdcc03b89159d86a1f50a

                                                          SHA1

                                                          1e2a5154a7ab27da5297448c1e7943da1b5fd597

                                                          SHA256

                                                          ba8a0e4d2d3e7739dedb08a2fdfe7939c29154c8b65c8d5d6820f3a84cb7f0f1

                                                          SHA512

                                                          2b5d54406da1464ba57b31665f1672999f49bc87e9487c5a32e42317ffb632914bc7b07dbb713215a8c813f7bdbb6bc9de584325cc542486d6955244252e4177

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a7484.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          58749395a7a6f7188245ea2b36f41ccc

                                                          SHA1

                                                          829f7dca477103984519eed2cdd10a9d1462280e

                                                          SHA256

                                                          1b5c2aef17d067fbe17d8ccd2eb31de22ec95527f541a073ce2cebe38f8a8a2d

                                                          SHA512

                                                          b01198e0bc69a96311e57f1216d977530bd3dbae752064ba16c10c154fc762d34c2e2beb9ea0f42df5ad337af2016df703c1b7628264ccd16c6902edabdc3c1d

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a756E.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          40bafb0620d0bbf6b65dd2819c6ea56c

                                                          SHA1

                                                          05878376174e6b8ed984a69c3f0626dd24a7937f

                                                          SHA256

                                                          bb944b6aea9ca3f52d8a085f125ac8c7000d23468b9d004834320a94d6e12fc2

                                                          SHA512

                                                          32945262c1f544ba65a2bb6f98cceb1f757f84cf45018bec94af5f006cb07d1bfb76a4e8f66703216f83b1283cda61a11b7bd543cb124ea62c62806be4eae05f

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a76B6.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          4e990ba4022eb169f6af3c9a06016b83

                                                          SHA1

                                                          b9b2bbc349bdf04766bf0d4ca739b9eeee6e1baa

                                                          SHA256

                                                          5eb503aa11049675044f2b80e5962e6b6450d1e7e89299aa90f3813d637b4fa8

                                                          SHA512

                                                          ba16a3c2d9f7dc17d12c875178434364a99909e79ab312d203f7e0357ee70590e08f0ffec8d7b9ba60538fc3b4e27ee37cbc93aba325d2a799513653073adbeb

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a77D0.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          b5209029a1fae0dae7d346efb7df4b6d

                                                          SHA1

                                                          72c31da0b7339541257f9ed11309d40f4d6eb44c

                                                          SHA256

                                                          87d58feef5b670b80ef8dc8ef26a72ee099e1ce775918e29eda2b895e5d3dc58

                                                          SHA512

                                                          8b4ed139daa7ae7a5900dcc2edc3d067a3ed93795f313f70d81abdf34d8dd1950f83699bf97995e4bf79937947a33e216a61590554650cca1bbf1534fb9d49e2

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a78D9.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          af0600674ad4041cfd11c56c303b2bd7

                                                          SHA1

                                                          2fa5c95c034ec76ed20c4f8ce7a137367b39e223

                                                          SHA256

                                                          834c667e25b23ca165d9f4a5a5d6ff503ba15938695c4ae12f6b417c67f492a3

                                                          SHA512

                                                          c47810562b2a65ea8164deff9f269c2ff7bfd62c7b174c9cfdb4c1e745511a22b8b77986ba743fd930d6991a94135af5b001806a55193b214c249ced1839717b

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a79A4.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          fe8d319abb41a39aed7197b16fb941b7

                                                          SHA1

                                                          fdf3b314f436ee52c15144b1ca32bd80449df060

                                                          SHA256

                                                          462b053ad8e72e065ba4da93b19f3ae0af9b118dcb845463293b8f83bf48a89c

                                                          SHA512

                                                          27a27a35410bd643a156253cbda2ce4289896f3660cbd355f34ec887b8a14b9eed07d27a3fbf03da439b6edbcc091998b6b584607558132113afe0eb9065ac74

                                                        • C:\Users\Admin\AppData\Local\Temp\$$a7AAE.bat

                                                          Filesize

                                                          776B

                                                          MD5

                                                          012c2d66660064976e3d612cfef536b6

                                                          SHA1

                                                          c6c57eeeb13513a0b5fd94e633ecd9a29a8a7b36

                                                          SHA256

                                                          8eefeee3338ed64ace0ec4442fb71016cd7a37094777a11e3e85c15adf36a6ce

                                                          SHA512

                                                          87e3772001e13298bf4df23da578201000f196aa3b0af278befea09649a2c2fc83b5308aa6b8b8f723fae99a8ce5cc20ddc8c9a40195b24af39ea6e7d0bd11ab

                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                          Filesize

                                                          2.3MB

                                                          MD5

                                                          266b353a77eb4c93ec246992a813afea

                                                          SHA1

                                                          1e13c4eb9a3729c3edbfa57dff399a3d07983e9f

                                                          SHA256

                                                          945e8240bd45d28cc9a933012b84cc394bb77ed26b07ea6f38477f1a6c99052d

                                                          SHA512

                                                          7893bdf8a68c2bc872cff5a95c3aeb1ea337dcff60b02fa88f0dfe3cabf69a421124e2a710c152eeedf53405e5d18e730be30b7c80780ae65dbdf35b6a0e0978

                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                          Filesize

                                                          2.3MB

                                                          MD5

                                                          c7f123848ba4c433ffed711d09d9a84c

                                                          SHA1

                                                          abcfadc14301554ec3e7be8dfc4513cc0994f590

                                                          SHA256

                                                          92cabd1a9db819e7d57d59a5f23f6437c61b982443de3c3781010961b79091ac

                                                          SHA512

                                                          7851dd4a461e24b8d47c7e116c2795a8f3915ee9a1a58d7a8c9c6b8bcacccf5dd24e09389b11df22f24d991d7011282fdd63a0167e3b0e6792f6012138eb708c

                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                          Filesize

                                                          2.2MB

                                                          MD5

                                                          b429c2b368de54aef2015862f0cc18e2

                                                          SHA1

                                                          f1da548a03916b44311cb0e6d9c92fd05d45f5d9

                                                          SHA256

                                                          5589ac9fffb48edaa6de1b3381bff554075e83d5da8009b017f9261a5de8e33f

                                                          SHA512

                                                          9027ca9ed194c79500172c93f4ac3f9de2390aefe5b88aa5f02011dc49b166ff3760d01efccc742ea91a1bff97485255e7e92c377114468a49d3ea1b524b20ff

                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                          Filesize

                                                          2.1MB

                                                        • C:\Windows\Logo1_.exe

                                                          Filesize

                                                          32KB

                                                        • F:\$RECYCLE.BIN\S-1-5-21-4097847965-469305640-2969917343-1000\_desktop.ini

                                                          Filesize

                                                          8B


                                                          Filesize

                                                          276KB

                                                        • memory/5000-1220-0x0000000000400000-0x0000000000445000-memory.dmp

                                                          Filesize

                                                          276KB

                                                        • memory/5004-214-0x0000000000400000-0x0000000000445000-memory.dmp

                                                          Filesize

                                                          276KB

                                                        • memory/5048-43-0x0000000000400000-0x0000000000445000-memory.dmp

                                                          Filesize

                                                          276KB