Analysis

  • max time kernel
    149s
  • max time network
    104s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64 arch:x86 image:win11-20250619-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    04/07/2025, 12:13

General

  • Target

    2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe

  • Size

    2.3MB

  • MD5

    ccd8fe83b3d1ac5c96579c464a5b5553

  • SHA1

    b5563fe70d4aeed1b64ae61e7c49c5a9fa458069

  • SHA256

    4085f4b81411c793a9b8790fc3b56d80d4b8a695e4f7f590dc267ebb10e5c80a

  • SHA512

    54cf0218e375d19d784f71c37a00d53b41a3837bcd34ed508a599491488d8f50bf8887542b8091f218e1b331a4b7ce3dd864897f913a3814c09723632b163b9d

  • SSDEEP

    49152:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLeuT9:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL1

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 61 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 63 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3280
      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5396
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a680C.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2044
          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3028
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a69F0.bat
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3132
              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:628
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6A5D.bat
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:4444
                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                    8⤵
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:4952
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6B19.bat
                      9⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:5056
                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                        10⤵
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of WriteProcessMemory
                        PID:4396
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6BB5.bat
                          11⤵
                          • Suspicious use of WriteProcessMemory
                          PID:5044
                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                            12⤵
                            • Executes dropped EXE
                            • Drops file in Windows directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:5624
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6C71.bat
                              13⤵
                              • Suspicious use of WriteProcessMemory
                              PID:5052
                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                14⤵
                                • Executes dropped EXE
                                • Drops file in Windows directory
                                • Suspicious use of WriteProcessMemory
                                PID:2216
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6D3C.bat
                                  15⤵
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:4760
                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                    16⤵
                                    • Executes dropped EXE
                                    • Drops file in Windows directory
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of WriteProcessMemory
                                    PID:840
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6DF7.bat
                                      17⤵
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of WriteProcessMemory
                                      PID:2280
                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                        18⤵
                                        • Executes dropped EXE
                                        • Drops file in Windows directory
                                        • Suspicious use of WriteProcessMemory
                                        PID:4812
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6E94.bat
                                          19⤵
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of WriteProcessMemory
                                          PID:6028
                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                            20⤵
                                            • Executes dropped EXE
                                            • Drops file in Windows directory
                                            • Suspicious use of WriteProcessMemory
                                            PID:2880
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6F30.bat
                                              21⤵
                                                PID:2996
                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                  22⤵
                                                  • Executes dropped EXE
                                                  • Drops file in Windows directory
                                                  • System Location Discovery: System Language Discovery
                                                  PID:5792
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6FFB.bat
                                                    23⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:3452
                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                      24⤵
                                                      • Executes dropped EXE
                                                      • Drops file in Windows directory
                                                      PID:2740
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a70A7.bat
                                                        25⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:2100
                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                          26⤵
                                                          • Executes dropped EXE
                                                          • Drops file in Windows directory
                                                          PID:3380
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7133.bat
                                                            27⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:5788
                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                              28⤵
                                                              • Executes dropped EXE
                                                              • Drops file in Windows directory
                                                              PID:4892
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a71DF.bat
                                                                29⤵
                                                                  PID:4272
                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                    30⤵
                                                                    • Executes dropped EXE
                                                                    • Drops file in Windows directory
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:5780
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a72CA.bat
                                                                      31⤵
                                                                        PID:1156
                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                          32⤵
                                                                          • Executes dropped EXE
                                                                          • Drops file in Windows directory
                                                                          PID:4848
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7347.bat
                                                                            33⤵
                                                                              PID:3556
                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                34⤵
                                                                                • Executes dropped EXE
                                                                                • Drops file in Windows directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:6048
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a73D3.bat
                                                                                  35⤵
                                                                                    PID:1532
                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                      36⤵
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in Windows directory
                                                                                      PID:2828
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7470.bat
                                                                                        37⤵
                                                                                          PID:1672
                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                            38⤵
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in Windows directory
                                                                                            PID:556
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a74FC.bat
                                                                                              39⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:1172
                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                40⤵
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in Windows directory
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:4992
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7589.bat
                                                                                                  41⤵
                                                                                                    PID:3780
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                      42⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in Windows directory
                                                                                                      PID:4080
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7615.bat
                                                                                                        43⤵
                                                                                                          PID:3784
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                            44⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in Windows directory
                                                                                                            PID:4560
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a76A2.bat
                                                                                                              45⤵
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:5484
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                46⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in Windows directory
                                                                                                                PID:5908
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a772F.bat
                                                                                                                  47⤵
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:1960
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                    48⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in Windows directory
                                                                                                                    PID:5244
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a778C.bat
                                                                                                                      49⤵
                                                                                                                        PID:3012
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                          50⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in Windows directory
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:920
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a77DB.bat
                                                                                                                            51⤵
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:1904
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                              52⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in Windows directory
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:2036
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7858.bat
                                                                                                                                53⤵
                                                                                                                                  PID:5584
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                    54⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in Windows directory
                                                                                                                                    PID:3552
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a78C5.bat
                                                                                                                                      55⤵
                                                                                                                                        PID:2316
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                          56⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Drops file in Windows directory
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:2616
                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7913.bat
                                                                                                                                            57⤵
                                                                                                                                              PID:380
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                58⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:4116
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7961.bat
                                                                                                                                                  59⤵
                                                                                                                                                    PID:4776
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                      60⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:1128
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a79AF.bat
                                                                                                                                                        61⤵
                                                                                                                                                          PID:484
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                            62⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:5828
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a79EE.bat
                                                                                                                                                              63⤵
                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                              PID:6096
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                64⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                PID:568
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7A4C.bat
                                                                                                                                                                  65⤵
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  PID:3324
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                    66⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    PID:2832
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7A9A.bat
                                                                                                                                                                      67⤵
                                                                                                                                                                        PID:5976
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                          68⤵
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                          PID:1080
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7B07.bat
                                                                                                                                                                            69⤵
                                                                                                                                                                              PID:3460
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                70⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                PID:5176
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7B74.bat
                                                                                                                                                                                  71⤵
                                                                                                                                                                                    PID:3028
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                      72⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      PID:924
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7BC3.bat
                                                                                                                                                                                        73⤵
                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                        PID:628
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                          74⤵
                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          PID:4456
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7C20.bat
                                                                                                                                                                                            75⤵
                                                                                                                                                                                              PID:5012
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                76⤵
                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                PID:4984
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7C7E.bat
                                                                                                                                                                                                  77⤵
                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                  PID:4544
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                    78⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                    PID:5048
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7CCC.bat
                                                                                                                                                                                                      79⤵
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      PID:5092
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                        80⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                        PID:2356
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7D2A.bat
                                                                                                                                                                                                          81⤵
                                                                                                                                                                                                            PID:5344
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                              82⤵
                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                              PID:5128
                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7D78.bat
                                                                                                                                                                                                                83⤵
                                                                                                                                                                                                                  PID:5732
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                    84⤵
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                    PID:5308
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7DD6.bat
                                                                                                                                                                                                                      85⤵
                                                                                                                                                                                                                        PID:4728
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                          86⤵
                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                          PID:4316
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E34.bat
                                                                                                                                                                                                                            87⤵
                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                            PID:772
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                              88⤵
                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                              PID:4696
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E91.bat
                                                                                                                                                                                                                                89⤵
                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                PID:3628
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                  90⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                  PID:4232
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7EEF.bat
                                                                                                                                                                                                                                    91⤵
                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                    PID:5060
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                      92⤵
                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                      PID:4640
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7F7C.bat
                                                                                                                                                                                                                                        93⤵
                                                                                                                                                                                                                                          PID:2448
                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                            94⤵
                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                            PID:2412
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7FCA.bat
                                                                                                                                                                                                                                              95⤵
                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                              PID:5996
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                96⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                PID:2120
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8047.bat
                                                                                                                                                                                                                                                  97⤵
                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                  PID:3500
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                    98⤵
                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                    PID:4268
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a80A5.bat
                                                                                                                                                                                                                                                      99⤵
                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                      PID:4224
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                        100⤵
                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                        PID:5496
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8102.bat
                                                                                                                                                                                                                                                          101⤵
                                                                                                                                                                                                                                                            PID:4732
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                              102⤵
                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                              PID:3816
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8170.bat
                                                                                                                                                                                                                                                                103⤵
                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                PID:1972
                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                  104⤵
                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                  PID:5916
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a81FC.bat
                                                                                                                                                                                                                                                                    105⤵
                                                                                                                                                                                                                                                                      PID:5408
                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                        106⤵
                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                        PID:1192
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a824A.bat
                                                                                                                                                                                                                                                                          107⤵
                                                                                                                                                                                                                                                                            PID:1768
                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                              108⤵
                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                              • Drops file in Windows directory
                                                                                                                                                                                                                                                                              PID:3712
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8299.bat
                                                                                                                                                                                                                                                                                109⤵
                                                                                                                                                                                                                                                                                  PID:2508
                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                    110⤵
                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                    PID:3136
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a82D7.bat
                                                                                                                                                                                                                                                                                      111⤵
                                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                      PID:1292
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                        112⤵
                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                        PID:1784
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8335.bat
                                                                                                                                                                                                                                                                                          113⤵
                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                          PID:4604
                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                            114⤵
                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                            PID:5556
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8393.bat
                                                                                                                                                                                                                                                                                              115⤵
                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                              PID:4592
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                116⤵
                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                PID:3860
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a83F0.bat
                                                                                                                                                                                                                                                                                                  117⤵
                                                                                                                                                                                                                                                                                                    PID:132
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                      118⤵
                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                      PID:3784
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a843E.bat
                                                                                                                                                                                                                                                                                                        119⤵
                                                                                                                                                                                                                                                                                                          PID:4872
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                            120⤵
                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                            • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                            PID:3120
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a849C.bat
                                                                                                                                                                                                                                                                                                              121⤵
                                                                                                                                                                                                                                                                                                                PID:2432
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe
                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe"
                                                                                                                                                                                                                                                                                                                  122⤵
                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                  PID:2944
                                                                  • C:\Windows\Logo1_.exe
                                                                    C:\Windows\Logo1_.exe
                                                                    3⤵
                                                                    • Drops startup file
                                                                    • Executes dropped EXE
                                                                    • Enumerates connected drives
                                                                    • Drops file in Program Files directory
                                                                    • Drops file in Windows directory
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of WriteProcessMemory
                                                                    PID:2680
                                                                    • C:\Windows\SysWOW64\net.exe
                                                                      net stop "Kingsoft AntiVirus Service"
                                                                      4⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Suspicious use of WriteProcessMemory
                                                                      PID:6056
                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                                                                        5⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:3400

                                                              Network

                                                                    MITRE ATT&CK Enterprise v16

                                                                    Downloads

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a680C.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      239ba6329bc19bb30d348f826f1a7837

                                                                      SHA1

                                                                      7fd09bcd68268ffbd9bbc9468b5b7bf78fbd8ad0

                                                                      SHA256

                                                                      a96aeed78515fb98625ca8c87ddf3c126037658ece628a405018c2ba1b4023a6

                                                                      SHA512

                                                                      1e6f0e84e6d884a7464bd9b25e479ee108681f80d396ba400168a393c899d6b9c8063a1dfa7bac2e697d00c065f1b39344617b8934383fdb7049f1f263e6f6dc

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a69F0.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      8ea62722a99de07d5afcabe591b20343

                                                                      SHA1

                                                                      188b0e2e2c102674e11f8386f7dcd7703e904f14

                                                                      SHA256

                                                                      496e2819dd495cf60af1a232d849ffa50b227e5fcdea661016c5f317efae6723

                                                                      SHA512

                                                                      f7ca72f008fb9a384ac41cd67c1072a29fd58895a9c13e863d3b2afc7ee6f0306b281132ab48a10412688dfa684650f6dddcf124115c1ed4b05ecc23807120c8

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a6A5D.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      eaf88fb0e07d6dcda75e149f92e15643

                                                                      SHA1

                                                                      21c860b4d00a2ad1c3578481be8d521f1c20ce98

                                                                      SHA256

                                                                      549a7e09c444d215ed77841d6f3a302767a4036643e4e9c74c5b07a808bcc9fa

                                                                      SHA512

                                                                      99197a81bafce02757287bfaa546845cdb1e732ff813a3a688789a8d34a7a84a0407b36542fe44a9764aa9bc63e10a84fc8477d972c2c1de6b45c886f6008283

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a6B19.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      66cc50fcd4aa83cf1f6dac14f5726048

                                                                      SHA1

                                                                      6a097ea43837ee8b476d2edaf1b578efc5f6d9d7

                                                                      SHA256

                                                                      0939d2d37b9c0e870ce5ea21a5f631f7fcb071be23d417bd716ef55cd290490a

                                                                      SHA512

                                                                      5bd750b1112d76c8345305bcc96a1c2b5d040111bddc56a637a7026459cd58f9ec3e38d07f7aba9b60575f2d4a3e1c8b994e6d544f5f33027d4901ed6db2e486

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a6BB5.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      c0644a83bbb0253904a0e077d9ede4e3

                                                                      SHA1

                                                                      b2b67792d60daef12d270bf916e96f9026005ffa

                                                                      SHA256

                                                                      395e4420e3225938fb8023caae4887e1c0bb3b1840aedd7a92b9576e5dfaa732

                                                                      SHA512

                                                                      00a5f0a9b85f202955a71ec0633efaa233896e3629d5e71cd0e418cd0e1fe0512106ee75718bed2b38198b91cdaa6b3532143b1f9ce6e7dc673222fa56cd537f

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a6C71.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      ee769f7e3deaadf41e7f059abd7b4689

                                                                      SHA1

                                                                      179e1384a4cbc609c295c0fb6d28509dc57dd2e4

                                                                      SHA256

                                                                      d72a7756a1640972c494676b4b37eb05d3382e14e85d59bb991ef28969727c6e

                                                                      SHA512

                                                                      65d0a52b255d9cfe6a4a6db7b0f211d09ad2eec85cd8c83741d422e25f482cbf19edb0c111049186b8ad325d462d03a194f9e1b62b28ecd3e3a5e79518ab9cc0

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a6D3C.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      151c22d8b91ac2043e18ba7136195243

                                                                      SHA1

                                                                      7226dbcf7a4bb875066c7ee1e2b3e39537085b07

                                                                      SHA256

                                                                      32ab6f779278d3a5382894219dde22ed9774e561a5f7325515c3c00b8afee7fe

                                                                      SHA512

                                                                      aacf06b6916f2b3d884c39556441bb0dfb7bce0a10ad562fe7b01b6f300a7de0d2e9498bb4dc8c082cd7814675f74fbbeed514b6f53ac8bc596599a1b194bfb1

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a6DF7.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      855063fd3977effe4cfde2d5bf22f6a0

                                                                      SHA1

                                                                      d74559e6fb9f04a78ae6862a99884352697252bc

                                                                      SHA256

                                                                      9297e5cd23f0a335dc85c513538095ac19406e05e977a591fea61e1a36c24cc1

                                                                      SHA512

                                                                      a83c949a9597973c1c7802337c54b1402af17bc7701e2d047deb30fc8323be6614c44f7aa234d153c483451f8ddcfa43e281a6e142a8bc5e5d1cabfc5aa71e46

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a6E94.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      c152606a122b200f07720f94fac473e6

                                                                      SHA1

                                                                      d4fcf3f78b8668ddf68141d30fa94fdd695afc8a

                                                                      SHA256

                                                                      2c57654ab158453596650838ec569bd19feca28e172b618eaa5c167e20c4041f

                                                                      SHA512

                                                                      b3a78e35b2055d146364f1450230be42afd874f8eadc5db5e71e724ed08f4a1648c80b87f547888f917dd595d7102ed2fea5e7605789e0699e0a51e46c7ae2d0

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a6F30.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      050201b1671334decc0506ee9a6506e9

                                                                      SHA1

                                                                      766df58570462e6f2a0cc4e8afde85d3772045d8

                                                                      SHA256

                                                                      1d09f7aa2ff29628e3e33b7c43c68b4244819c53000912bbe82f4e1dadfccf68

                                                                      SHA512

                                                                      67ff0e5ca8fac387aba6e79f19ad612a9e1ec208d401bda8882f0c41ea3125079c24d1209d24d371ca18b68d08ac596becda2c6b2810e6fe0325ee3cc4be3f91

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a6FFB.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      d1e0f6b1e3bd34a2e7ea3b5d3f2af2da

                                                                      SHA1

                                                                      956ca3016b5c8eba27fd4e220bc0a01b3da6d88c

                                                                      SHA256

                                                                      dd621d32946c86e09eeb895f137c0b03facb971e52746ce8170de8c8c6498626

                                                                      SHA512

                                                                      72df9dc076b28c1d81ac56a5bdeafcba1a57c1266b5a219c193d50558bc0feda85c5cc01bd9a7d5b2aaeb215cca70e3a7ff8b48590c7559c7acc86495acf53a0

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a70A7.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      276a94d3131d36666e4361b93b20d187

                                                                      SHA1

                                                                      c283ab5719f44223be5c8470beb7359af18773e1

                                                                      SHA256

                                                                      b6be53acec81c13672bee37ef82c98369a0d133da43dbfdf6df71b734fbae956

                                                                      SHA512

                                                                      2ac5c83034b09bfab06f88a2e0886d4bb8cd30e2d9f5e41d2c970c0385b901a87873127329f0f3dd193defec05551a2a1ec25e864806bd500795ede821ed9d56

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a7133.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      d1b8a54b2b68da0984681f40a72e6066

                                                                      SHA1

                                                                      af636b9fec7be7fde47e3e0b931e40cfe7ea7129

                                                                      SHA256

                                                                      69a7200314517b83ca8c635ea0daba65e300af9974bc84d9f630a76d2c07ca75

                                                                      SHA512

                                                                      9736ac26ca1a90a3215c6375fa35e51e6b0cee2c134ec05c457ec9e816dae67c562635746d89794e2182b2ab64ded125875a13c4c4c2282de9ccd6d3d934fe52

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a71DF.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      c01010aa6fd6a9359f22000baf070726

                                                                      SHA1

                                                                      81cd49b5e3fc7273f0aa06f16f819da70b9fc3ac

                                                                      SHA256

                                                                      549d005fc6f83d6a966b6ad8104adbaaebbb8b6d45b8dad492f3fc4dd9fd70a4

                                                                      SHA512

                                                                      b94ff8a5a5fbd16d7abd8850fe6e3a3793eb79354e6a74d60d51e83c593b883cf2158bb44857f46fd543433c8ec3432865151c217c2a5d11fdad5191f330959c

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a72CA.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      a7d92a61b19e6466629703ea572be1d8

                                                                      SHA1

                                                                      3abe599e0f3e250d12eb4fe869bf6be49166f877

                                                                      SHA256

                                                                      2509e24048c9da60033025c282caff1c999efcfe96851e82c2583caa4addd1f7

                                                                      SHA512

                                                                      8812fda5f8e3d2f734afa96462ffba8787bdb1e1db20c10d7d6f362b5e0f2f7aa8c056111dc0565185ae4c544bd2c625c0842c1615c3735860352100c402f23c

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a7347.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      37397d5034a9bcfe8daa21ad874bbfe3

                                                                      SHA1

                                                                      74bba1451194c1b562e436a643b3540f117ecb5d

                                                                      SHA256

                                                                      17f6bf777d25f82afe47b746be17f0384273af1453617cae4a98588a8fd11696

                                                                      SHA512

                                                                      dcad836f71ab2c3562c4e695ce4d0b6936ac58c8df8a28cc99ab4ef846da3b8a0c3ef4cbc2d6778653b035616c2a70f2cd58a1db77220893d3dc765e31802652

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a73D3.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      d6f8029c12ad4b0503337baa5fb3240f

                                                                      SHA1

                                                                      515478f2472382424b69dc2400abc2a597d18e61

                                                                      SHA256

                                                                      68b41a8ce52a32e715f63790657e845f5ea82abad6e3c881ca75aaaf68eb32da

                                                                      SHA512

                                                                      1697a601a274a7e903762327764c94f8bc1190fb5cc39e0db4a0c721f308dbecfc9c0e96afe928a08cfe2d6697e38b7f99643346da4c0a309d4300d472f9b1a2

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a7470.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      cf89ed3dc89d8839cbcb664658a75017

                                                                      SHA1

                                                                      fed330b2a246d519d29d9bdf21ec8773b0a0afdf

                                                                      SHA256

                                                                      9cb2b05a6475db835ed1c12b967b1ff2764ff58f4439daf028e26082c61977f5

                                                                      SHA512

                                                                      7af0fc0267a5c814299af516b46117491383ba02be8bd08a0890aca13a4370bafd6168d4b97ba6f18541403704321d5ad947483dd062f0d897e2f6e8da0a1b42

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a74FC.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      822c6be34f17bd349ef01acf90a1f146

                                                                      SHA1

                                                                      27e1dfce4c7faa43a1d268a556a198b2b9e4446e

                                                                      SHA256

                                                                      221fec23af70acfb75264db8ff86cf311dec07b702437034d1e34614915cbcf0

                                                                      SHA512

                                                                      f594d9edec0879fda4be806e045b1409a6411116e128d4d4f1e8d8603eb72e65030ec00111edc2a9f7263996b79c0084c53a350e2746b5a046018acc24901605

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a7589.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      dd7170f55f8fbe0b84632b4faeb27d88

                                                                      SHA1

                                                                      1d5427b618cf193c2fe998010ccd5e2585cf4007

                                                                      SHA256

                                                                      76d3d0a4972ccc9ade619cf222d6bf0feeef9306dbcbeca2721d503118d0969d

                                                                      SHA512

                                                                      53340d21c06802e209cbacfcd08012e07332a3c54fa9b7a10b167310092872eb4223dc9666236b8f86f6174ce03f7998b6c6fdb666e66f3bad2e0bd5a5921d0c

                                                                    • C:\Users\Admin\AppData\Local\Temp\$$a7615.bat

                                                                      Filesize

                                                                      776B

                                                                      MD5

                                                                      e952880abf21ace3e6ad61ff75acb419

                                                                      SHA1

                                                                      b3240ec2b649c1a22015708b3392af45a9343d85

                                                                      SHA256

                                                                      8cd1008646bbc1f77489acef095151b8f3045d266c40dedc1236cefd12c1cf8c

                                                                      SHA512

                                                                      64f7ffa2f0ad84e1f7a7c7284407baf70b5ef9727a30647bb5ddf0741682da556790c48d0139fffca2b83ae240a94476cb1aa6d262a569923c5b9edda42321ad

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      2.3MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      2.2MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      2.3MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      2.2MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      1.9MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      2.1MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      2.2MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      1.9MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      2.0MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      2.1MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      1.8MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      2.0MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      2.1MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      1.7MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      1.9MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      2.0MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      1.7MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      1.8MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      1.8MB

                                                                    • C:\Users\Admin\AppData\Local\Temp\2025-07-04_ccd8fe83b3d1ac5c96579c464a5b5553_amadey_elex_smoke-loader_stop.exe.exe

                                                                      Filesize

                                                                      1.7MB

                                                                    • C:\Windows\Logo1_.exe

                                                                      Filesize

                                                                      32KB

                                                                    • F:\$RECYCLE.BIN\S-1-5-21-3625340254-1625357543-1797847221-1000\_desktop.ini

                                                                      Filesize

                                                                      8B


                                                                    • memory/3380-107-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/3552-194-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/3712-306-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/3784-326-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/3816-294-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/3860-322-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/4080-167-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/4116-202-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/4232-268-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/4268-286-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/4316-260-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/4396-41-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/4456-234-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/4560-172-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/4640-272-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/4696-264-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/4812-71-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/4848-128-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/4892-114-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/4952-34-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/4984-238-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/4992-160-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/5048-244-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/5128-252-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/5176-226-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/5244-180-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/5308-256-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/5396-0-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/5396-10-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/5496-290-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/5556-318-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/5624-50-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/5780-121-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/5792-87-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/5828-210-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/5908-176-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/5916-298-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB

                                                                    • memory/6048-135-0x0000000000400000-0x0000000000445000-memory.dmp

                                                                      Filesize

                                                                      276KB