Analysis
max time kernel: 149s
max time network: 104s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04/07/2025, 12:13
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
Resource: win10v2004-20250619-en
General
Target: 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
Size: 2.3MB
MD5: ccd8fe83b3d1ac5c96579c464a5b5553
SHA1: b5563fe70d4aeed1b64ae61e7c49c5a9fa458069
SHA256: 4085f4b81411c793a9b8790fc3b56d80d4b8a695e4f7f590dc267ebb10e5c80a
SHA512: 54cf0218e375d19d784f71c37a00d53b41a3837bcd34ed508a599491488d8f50bf8887542b8091f218e1b331a4b7ce3dd864897f913a3814c09723632b163b9d
SSDEEP: 49152:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLeuT9:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL1
Malware Config
Signatures
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
-
Executes dropped EXE 61 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 63 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 5396 wrote to memory of 2044 5396 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 78
PID 5396 wrote to memory of 2044 5396 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 78
PID 5396 wrote to memory of 2044 5396 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 78
PID 5396 wrote to memory of 2680 5396 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 79
PID 5396 wrote to memory of 2680 5396 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 79
PID 5396 wrote to memory of 2680 5396 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 79
PID 2680 wrote to memory of 6056 2680 Logo1_.exe 81
PID 2680 wrote to memory of 6056 2680 Logo1_.exe 81
PID 2680 wrote to memory of 6056 2680 Logo1_.exe 81
PID 6056 wrote to memory of 3400 6056 net.exe 83
PID 6056 wrote to memory of 3400 6056 net.exe 83
PID 6056 wrote to memory of 3400 6056 net.exe 83
PID 2044 wrote to memory of 3028 2044 cmd.exe 84
PID 2044 wrote to memory of 3028 2044 cmd.exe 84
PID 2044 wrote to memory of 3028 2044 cmd.exe 84
PID 3028 wrote to memory of 3132 3028 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 85
PID 3028 wrote to memory of 3132 3028 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 85
PID 3028 wrote to memory of 3132 3028 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 85
PID 3132 wrote to memory of 628 3132 cmd.exe 87
PID 3132 wrote to memory of 628 3132 cmd.exe 87
PID 3132 wrote to memory of 628 3132 cmd.exe 87
PID 628 wrote to memory of 4444 628 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 88
PID 628 wrote to memory of 4444 628 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 88
PID 628 wrote to memory of 4444 628 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 88
PID 4444 wrote to memory of 4952 4444 cmd.exe 90
PID 4444 wrote to memory of 4952 4444 cmd.exe 90
PID 4444 wrote to memory of 4952 4444 cmd.exe 90
PID 4952 wrote to memory of 5056 4952 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 91
PID 4952 wrote to memory of 5056 4952 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 91
PID 4952 wrote to memory of 5056 4952 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 91
PID 5056 wrote to memory of 4396 5056 cmd.exe 93
PID 5056 wrote to memory of 4396 5056 cmd.exe 93
PID 5056 wrote to memory of 4396 5056 cmd.exe 93
PID 4396 wrote to memory of 5044 4396 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 94
PID 4396 wrote to memory of 5044 4396 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 94
PID 4396 wrote to memory of 5044 4396 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 94
PID 5044 wrote to memory of 5624 5044 cmd.exe 96
PID 5044 wrote to memory of 5624 5044 cmd.exe 96
PID 5044 wrote to memory of 5624 5044 cmd.exe 96
PID 5624 wrote to memory of 5052 5624 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 97
PID 5624 wrote to memory of 5052 5624 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 97
PID 5624 wrote to memory of 5052 5624 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 97
PID 5052 wrote to memory of 2216 5052 cmd.exe 99
PID 5052 wrote to memory of 2216 5052 cmd.exe 99
PID 5052 wrote to memory of 2216 5052 cmd.exe 99
PID 2216 wrote to memory of 4760 2216 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 100
PID 2216 wrote to memory of 4760 2216 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 100
PID 2216 wrote to memory of 4760 2216 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 100
PID 4760 wrote to memory of 840 4760 cmd.exe 102
PID 4760 wrote to memory of 840 4760 cmd.exe 102
PID 4760 wrote to memory of 840 4760 cmd.exe 102
PID 840 wrote to memory of 2280 840 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 103
PID 840 wrote to memory of 2280 840 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 103
PID 840 wrote to memory of 2280 840 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 103
PID 2280 wrote to memory of 4812 2280 cmd.exe 105
PID 2280 wrote to memory of 4812 2280 cmd.exe 105
PID 2280 wrote to memory of 4812 2280 cmd.exe 105
PID 4812 wrote to memory of 6028 4812 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 106
PID 4812 wrote to memory of 6028 4812 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 106
PID 4812 wrote to memory of 6028 4812 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 106
PID 6028 wrote to memory of 2880 6028 cmd.exe 108
PID 6028 wrote to memory of 2880 6028 cmd.exe 108
PID 6028 wrote to memory of 2880 6028 cmd.exe 108
PID 2880 wrote to memory of 2996 2880 2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe 109
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3280
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a680C.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a69F0.bat5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"6⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6A5D.bat7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"8⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6B19.bat9⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6BB5.bat11⤵
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"12⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5624 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6C71.bat13⤵
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"14⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6D3C.bat15⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"16⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6DF7.bat17⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"18⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6E94.bat19⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6028 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"20⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6F30.bat21⤵PID:2996
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"22⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5792 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6FFB.bat23⤵
- System Location Discovery: System Language Discovery
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"24⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2740 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a70A7.bat25⤵
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"26⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7133.bat27⤵
- System Location Discovery: System Language Discovery
PID:5788 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"28⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a71DF.bat29⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"30⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a72CA.bat31⤵PID:1156
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"32⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4848 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7347.bat33⤵PID:3556
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"34⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:6048 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a73D3.bat35⤵PID:1532
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"36⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7470.bat37⤵PID:1672
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"38⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:556 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a74FC.bat39⤵
- System Location Discovery: System Language Discovery
PID:1172 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"40⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4992 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7589.bat41⤵PID:3780
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"42⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7615.bat43⤵PID:3784
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"44⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4560 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a76A2.bat45⤵
- System Location Discovery: System Language Discovery
PID:5484 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"46⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a772F.bat47⤵
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"48⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5244 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a778C.bat49⤵PID:3012
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"50⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a77DB.bat51⤵
- System Location Discovery: System Language Discovery
PID:1904 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"52⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7858.bat53⤵PID:5584
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"54⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a78C5.bat55⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"56⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7913.bat57⤵PID:380
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"58⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7961.bat59⤵PID:4776
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"60⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1128 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a79AF.bat61⤵PID:484
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"62⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5828 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a79EE.bat63⤵
- System Location Discovery: System Language Discovery
PID:6096 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"64⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:568 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7A4C.bat65⤵
- System Location Discovery: System Language Discovery
PID:3324 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"66⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7A9A.bat67⤵PID:5976
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"68⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1080 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7B07.bat69⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"70⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5176 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7B74.bat71⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"72⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:924 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7BC3.bat73⤵
- System Location Discovery: System Language Discovery
PID:628 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"74⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4456 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7C20.bat75⤵PID:5012
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"76⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7C7E.bat77⤵
- System Location Discovery: System Language Discovery
PID:4544 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"78⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5048 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7CCC.bat79⤵
- System Location Discovery: System Language Discovery
PID:5092 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"80⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7D2A.bat81⤵PID:5344
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"82⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5128 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7D78.bat83⤵PID:5732
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"84⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5308 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7DD6.bat85⤵PID:4728
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"86⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E34.bat87⤵
- System Location Discovery: System Language Discovery
PID:772 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"88⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E91.bat89⤵
- System Location Discovery: System Language Discovery
PID:3628 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"90⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7EEF.bat91⤵
- System Location Discovery: System Language Discovery
PID:5060 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"92⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7F7C.bat93⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"94⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7FCA.bat95⤵
- System Location Discovery: System Language Discovery
PID:5996 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"96⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8047.bat97⤵
- System Location Discovery: System Language Discovery
PID:3500 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"98⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4268 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a80A5.bat99⤵
- System Location Discovery: System Language Discovery
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"100⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8102.bat101⤵PID:4732
-
102. C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
     - Executes dropped EXE
     - Drops file in Windows directory
     PID: 3816

103. C:\Windows\SysWOW64\cmd.exe
     Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8170.bat
     - System Location Discovery: System Language Discovery
     PID: 1972

104. C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
     - Executes dropped EXE
     - Drops file in Windows directory
     - System Location Discovery: System Language Discovery
     PID: 5916

105. C:\Windows\SysWOW64\cmd.exe
     Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a81FC.bat
     PID: 5408

106. C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
     - Executes dropped EXE
     - Drops file in Windows directory
     PID: 1192

107. C:\Windows\SysWOW64\cmd.exe
     Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a824A.bat
     PID: 1768

108. C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
     - Executes dropped EXE
     - Drops file in Windows directory
     PID: 3712

109. C:\Windows\SysWOW64\cmd.exe
     Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8299.bat
     PID: 2508

110. C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
     - Executes dropped EXE
     - Drops file in Windows directory
     - System Location Discovery: System Language Discovery
     PID: 3136

111. C:\Windows\SysWOW64\cmd.exe
     Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a82D7.bat
     - System Location Discovery: System Language Discovery
     PID: 1292

112. C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
     - Executes dropped EXE
     - Drops file in Windows directory
     - System Location Discovery: System Language Discovery
     PID: 1784

113. C:\Windows\SysWOW64\cmd.exe
     Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8335.bat
     - System Location Discovery: System Language Discovery
     PID: 4604

114. C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
     - Executes dropped EXE
     - Drops file in Windows directory
     PID: 5556

115. C:\Windows\SysWOW64\cmd.exe
     Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8393.bat
     - System Location Discovery: System Language Discovery
     PID: 4592

116. C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
     - Executes dropped EXE
     - Drops file in Windows directory
     PID: 3860

117. C:\Windows\SysWOW64\cmd.exe
     Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a83F0.bat
     PID: 132

118. C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
     - Executes dropped EXE
     - Drops file in Windows directory
     PID: 3784

119. C:\Windows\SysWOW64\cmd.exe
     Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a843E.bat
     PID: 4872

120. C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
     - Executes dropped EXE
     - Drops file in Windows directory
     - System Location Discovery: System Language Discovery
     PID: 3120

121. C:\Windows\SysWOW64\cmd.exe
     Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a849C.bat
     PID: 2432

122. C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
     - Executes dropped EXE
     PID: 2944