Malware Analysis Report

2025-01-02 03:10

Sample ID 240815-qvch5stgpa
Target eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe
SHA256 eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6
Tags
discovery remcos remotehost collection credential_access rat spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6

Threat Level: Known bad

The file eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe was found to be: Known bad.

Malicious Activity Summary

discovery remcos remotehost collection credential_access rat spyware stealer

Remcos

NirSoft MailPassView

Credentials from Password Stores: Credentials from Web Browsers

Detected Nirsoft tools

NirSoft WebBrowserPassView

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Executes dropped EXE

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

AutoIT Executable

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 13:34

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 13:34

Reported

2024-08-15 13:37

Platform

win7-20240704-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2232 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2356 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2792 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2464 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2768 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2580 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2280 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2900 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 784 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2132 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 1528 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 3064 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 2276 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 860 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 1520 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe

"C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

"C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

"C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe"

Network

N/A

Files

memory/2092-11-0x0000000000120000-0x0000000000124000-memory.dmp

\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe


C:\Users\Admin\AppData\Local\Temp\Clinton


C:\Users\Admin\AppData\Local\Temp\nonplacental


C:\Users\Admin\AppData\Local\Temp\autCEC4.tmp


C:\Users\Admin\AppData\Local\Temp\autCED4.tmp


C:\Users\Admin\AppData\Local\Temp\Clinton


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 13:34

Reported

2024-08-15 13:37

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"

Signatures

Remcos

rat remcos

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jailkeeper.vbs C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3940 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 1444 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 1444 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe
PID 1444 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe

"C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

"C:\Users\Admin\AppData\Local\Temp\eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6.exe"

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe /stext "C:\Users\Admin\AppData\Local\Temp\nebzgqg"

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe /stext "C:\Users\Admin\AppData\Local\Temp\qygrgjrpmj"

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe /stext "C:\Users\Admin\AppData\Local\Temp\aalchbcrarrqto"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 ocservice.duckdns.org udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
FR 188.165.120.122:6622 ocservice.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 122.120.165.188.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\woolpacks\jailkeeper.exe

MD5 2592d02088ef02e13ad5740fd85ceb17
SHA1 7abba6c521701ae077d7c29f28c87b44d8411922
SHA256 eb183cf5d6e217532b203ab9f336e266537828eed01c53158da95d609f4ebea6
SHA512 50314d33155c066f1cfbb9efac5cfcc9e540c63ff1ccb3c463e6286ee6acac81a09bb1a1b552c2b6243df4ec52aa015ee803900566f1c25f0edfbbe408547310

C:\Users\Admin\AppData\Local\Temp\Clinton

MD5 eb1d1b864ad0ed4efa8d4b52cad77a57
SHA1 cf25a5ee400ee35800602403feefe6890750d2b8
SHA256 3f05521a0f1414f9f21c8108d479de3dad21e1653a4fa340d1cd7a1c0c6d5388
SHA512 ad685f8da8d9fa8d1bd3eadea9d648ccb8c761577bca997dd20d54f8c32805589312d3ff3ca8bcac276762d68478db15a4e02d111876e0be0d200ce191df3155

C:\Users\Admin\AppData\Local\Temp\nonplacental

MD5 39f11e09f25827416870bd8fb80dae80
SHA1 f2ae6e01c6ea97ec0c8231cb1b1dbcc5bb40b559
SHA256 98639412ce9f24682c61415e01b68edc3ad92ef2f2df8c5ec7a9b6c026ae8061
SHA512 a0e8a9e8353e0849257baa2b205ffc85ce493a3de0d695164deb7bc50ed3906ceeb089e1ce5dce3e34da29a1544d26ff6b92690d1122e0af65e2351456551596

C:\Users\Admin\AppData\Local\Temp\nebzgqg

MD5 16f4f7c4051f4bbdaa93a1ca80690065
SHA1 750cacbdd2d089a88119374560d6ac004954e90e
SHA256 6c4559e4413cccaeab73cad48ffd804506c95566e4d6a3f5ae64017a33ea6ec2
SHA512 cb0f68d393ad03a5c802a2978ff7b12e20911bac5e27200c2df16d5d3f63dfc2387c0cd1a9075d8e4ba9ae804a6b61225575e2f42b3ef024e863d5b172417964

C:\ProgramData\evferf\logs.dat

MD5 e65adcb111158a3129dc8e5b26617fcb
SHA1 fb3147499c5b48d06316724097be13b6db7f534b
SHA256 9877f19557465c6cb28e82e582ea7b9f4f67723dfc1e704f18491eaff13c232f
SHA512 4d22741ae76497d31de56e99fa7ec5c61e0c85c6b47bb9d9615f97327def4313cd61f2059e805ebd813d9aa1efd6d335318bc0dc80d073837a4473ee30467f4a
