Malware Analysis Report

2025-01-02 03:06

Sample ID 240815-b6zeqatblr
Target eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe
SHA256 eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6
Tags
discovery remcos remotehost collection credential_access rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6

Threat Level: Known bad

The file eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe was found to be: Known bad.

Malicious Activity Summary

discovery remcos remotehost collection credential_access rat spyware stealer

Remcos

Credentials from Password Stores: Credentials from Web Browsers

Detected Nirsoft tools

NirSoft MailPassView

NirSoft WebBrowserPassView

Reads user/profile data of web browsers

Loads dropped DLL

Drops startup file

Executes dropped EXE

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 01:46

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 01:46

Reported

2024-08-15 01:48

Platform

win7-20240708-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2748 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2844 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2552 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2964 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2244 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 1040 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2364 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2544 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2196 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2108 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 600 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2064 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 1616 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2640 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2640 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2640 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2640 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 1560 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 1560 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 1560 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 1560 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe

"C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

"C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"

Network

N/A

Files

memory/2236-11-0x00000000001A0000-0x00000000001A4000-memory.dmp

\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

C:\Users\Admin\AppData\Local\Temp\Clinton

C:\Users\Admin\AppData\Local\Temp\nonplacental

C:\Users\Admin\AppData\Local\Temp\Clinton

C:\Users\Admin\AppData\Local\Temp\aut59C4.tmp

C:\Users\Admin\AppData\Local\Temp\aut59E4.tmp

C:\Users\Admin\AppData\Local\Temp\Clinton

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 01:46

Reported

2024-08-15 01:48

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"

Signatures

Remcos

rat remcos

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 1360 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 1360 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2880 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2880 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2880 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 4928 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 4928 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 4928 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 4928 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 4928 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 4928 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 4928 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe

"C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

"C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe /stext "C:\Users\Admin\AppData\Local\Temp\evujpbedwbjacxiqbjpadqwmktthpuq"

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe /stext "C:\Users\Admin\AppData\Local\Temp\evujpbedwbjacxiqbjpadqwmktthpuq"

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe /stext "C:\Users\Admin\AppData\Local\Temp\evujpbedwbjacxiqbjpadqwmktthpuq"

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe /stext "C:\Users\Admin\AppData\Local\Temp\gyzbqtpwkjbffdwusubtocidtikiifheeg"

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe /stext "C:\Users\Admin\AppData\Local\Temp\rseurm"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 ocservice.duckdns.org udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FR 188.165.120.122:6622 ocservice.duckdns.org tcp
US 8.8.8.8:53 122.120.165.188.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/1360-11-0x00000000027E0000-0x00000000027E4000-memory.dmp

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

MD5 2592d02088ef02e13ad5740fd85ceb17
SHA1 7abba6c521701ae077d7c29f28c87b44d8411922
SHA256 eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6
SHA512 50314d33155c066f1cfbb9efac5cfcc9e540c63ff1ccb3c463e6286ee6acac81a09bb1a1b552c2b6243df4ec52aa015ee803900566f1c25f0edfbbe408547310

C:\Users\Admin\AppData\Local\Temp\Clinton

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\nonplacental

MD5 39f11e09f25827416870bd8fb80dae80
SHA1 f2ae6e01c6ea97ec0c8231cb1b1dbcc5bb40b559
SHA256 98639412ce9f24682c61415e01b68edc3ad92ef2f2df8c5ec7a9b6c026ae8061
SHA512 a0e8a9e8353e0849257baa2b205ffc85ce493a3de0d695164deb7bc50ed3906ceeb089e1ce5dce3e34da29a1544d26ff6b92690d1122e0af65e2351456551596

C:\Users\Admin\AppData\Local\Temp\aut73F7.tmp

MD5 7586ea2d22723d5c80e760e7f115905f
SHA1 7eec84c9e175cd5708a979a07b15b2308c31ca89
SHA256 8ed2769776974e959a64d8df8958a0f044c50cc0a58cec4310ff65949e78a77b
SHA512 4a7f7d431fc43995b4524f2ab96b8a45a92e8ca8a18ec9e7d0e3cd19cfc8e7d28d9bd87b2e9d9b26c26e2b858930ad40773d630ffff2455c2a74913f6de66ef7

C:\Users\Admin\AppData\Local\Temp\Clinton

MD5 eb1d1b864ad0ed4efa8d4b52cad77a57
SHA1 cf25a5ee400ee35800602403feefe6890750d2b8
SHA256 3f05521a0f1414f9f21c8108d479de3dad21e1653a4fa340d1cd7a1c0c6d5388
SHA512 ad685f8da8d9fa8d1bd3eadea9d648ccb8c761577bca997dd20d54f8c32805589312d3ff3ca8bcac276762d68478db15a4e02d111876e0be0d200ce191df3155

C:\Users\Admin\AppData\Local\Temp\aut7427.tmp

MD5 a5a40fc934677f0fdd666bb4d91792fb
SHA1 379dd9be82f137f8f8ca0ef28cbaafc8c13dbac9
SHA256 8089238b137c0839db63e68c3e80eef93bb312c4111d3672145cac4f8a6e350c
SHA512 64cddeb941a39b46f780b30f509fc4993e78a0a74505ad69b3cbb5b75e0299f1387f68c83b35507975d72187cbcbffd82a7e3f389cc3f690b30b140291b99810

C:\Users\Admin\AppData\Local\Temp\evujpbedwbjacxiqbjpadqwmktthpuq

MD5 2538ec9e8425a905937573069b77d4c2
SHA1 ad0c2b7aff4382e23444d26adac96d9697b849f3
SHA256 29338949fae4c88a972837aae898529e4c7a2c4df35982eef2f8d7b602c17f4e
SHA512 a867a471b837b9c662528ee7a5904e8fe7b1eebb277b8a7fe4d4caf423fae914baf692bb5004c02ddb539b157d63326178467e28b03aa92a533cda19155d501c

C:\ProgramData\evferf\logs.dat

MD5 e1ae291295f27dc0f84259a4261dafcd
SHA1 e1680bd2bad00f325c0efb81bd47407f8da2a4c7
SHA256 88305e73a48da998d63a2e5bbd23bf73f42000cabbd8a95308c43467fc207990
SHA512 40f7c1bc50f7d38c443675cedc471e9ec937d7d9b013333694467765af48ef88db795455dd3c30a4e7a3efedbc94f5e01fd96e0264ea02d6ad6c25250d3bebb4
