Analysis Overview
SHA256
eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6
Threat Level: Known bad
The file eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
NirSoft MailPassView
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
NirSoft WebBrowserPassView
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Executes dropped EXE
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
AutoIT Executable
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-15 13:34
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 13:34
Reported
2024-08-15 13:37
Platform
win7-20240704-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs | C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe
"C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"
Network
Files
memory/2092-11-0x0000000000120000-0x0000000000124000-memory.dmp
\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
C:\Users\Admin\AppData\Local\Temp\Clinton
C:\Users\Admin\AppData\Local\Temp\nonplacental
C:\Users\Admin\AppData\Local\Temp\autCEC4.tmp
C:\Users\Admin\AppData\Local\Temp\autCED4.tmp
C:\Users\Admin\AppData\Local\Temp\Clinton
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 13:34
Reported
2024-08-15 13:37
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
139s
Command Line
Signatures
Remcos
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs | C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe | N/A |
AutoIT Executable
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1444 set thread context of 1232 | N/A | C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe | C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe |
| PID 1444 set thread context of 3440 | N/A | C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe | C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe |
| PID 1444 set thread context of 460 | N/A | C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe | C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe
"C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
"C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe /stext "C:\Users\Admin\AppData\Local\Temp\nebzgqg"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe /stext "C:\Users\Admin\AppData\Local\Temp\qygrgjrpmj"
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe /stext "C:\Users\Admin\AppData\Local\Temp\aalchbcrarrqto"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ocservice.duckdns.org | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| FR | 188.165.120.122:6622 | ocservice.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 122.120.165.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/3940-11-0x0000000002630000-0x0000000002634000-memory.dmp
C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
C:\Users\Admin\AppData\Local\Temp\Clinton
C:\Users\Admin\AppData\Local\Temp\nonplacental
C:\Users\Admin\AppData\Local\Temp\nebzgqg
C:\ProgramData\evferf\logs.dat