Malware Analysis Report

2025-01-02 03:14

Sample ID 240405-lvf44sgh4x
Target TSTS 0005A.bat
SHA256 f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2
Tags remcos remotehost rat
Score 10/10

Analysis Overview

Score 10/10

SHA256 f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2

Threat Level: Known bad

The file TSTS 0005A.bat was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-05 09:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-05 09:51

Reported

2024-04-05 09:53

Platform

win7-20240221-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2132 set thread context of 1252 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Windows\SysWOW64\schtasks.exe
PID 2132 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vcEDbAjawlTHE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vcEDbAjawlTHE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp53FA.tmp"

C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sembe.duckdns.org udp
BE 194.187.251.115:14645 sembe.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp53FA.tmp

MD5 cc01a42697ae94295ae2a6af635d9bd4
SHA1 963860d791fc394facb7fb425c1d3b8f414afe69
SHA256 e3c9ab5434eeebb5e5ddcdcacfdd7dbe3317db31f287a171601c4ebd46cfc330
SHA512 6ee0602b6c04b912d9e0facc046d86ed18ee65f57e4cda3c721f1da17eb6c650e94b135d72be086b77705a9011e86682d38cd2dca7788af2bb067654de63f18a

C:\Users\Admin\AppData\Roaming\notess\logs.dat

MD5 12ff5ee42c35fa3c4a6000e273f9ab8e
SHA1 1966e9134ba83967ab9646044d015e01131dc8aa
SHA256 10f1f6448cd1f696783456b631c95c761849cfec1e91d7f940246c4d862ace66
SHA512 99511f86b6a2b50c9c76041d072e2b21b438c88d5669bce86e3c3bdaeaa4153f06bcefac7148986646a5f66ea809ba5c1e09096a52ee8c615210680f6555ca75

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-05 09:51

Reported

2024-04-05 09:53

Platform

win10v2004-20240226-en

Max time kernel

162s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2672 set thread context of 1268 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2672 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe
PID 2672 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vcEDbAjawlTHE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vcEDbAjawlTHE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF26E.tmp"

C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"

C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4052 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 154.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
DE 142.250.74.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 81.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 202.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 sembe.duckdns.org udp
BE 194.187.251.115:14645 sembe.duckdns.org tcp
US 8.8.8.8:53 115.251.187.194.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpF26E.tmp

MD5 c823d11bc37956da6bccebb9572b4e89
SHA1 0222fe5c2bd680637e2352c3102b12d43a856a51
SHA256 0d310bcb5552909b55c50f2abfd04074870f4caac86b0ea4508484515df8e449
SHA512 2b0285417639984159b20fa80b401e9a1e7f23d8252a9aff57c90552f42664bdb08cb45b41fe6090f20d441b210e8d7207789826e1cb94a142fd65f7469fef98

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqqutoud.mni.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\notess\logs.dat

MD5 b10e04773cefc430e27a27aef7365059
SHA1 4f58020136a6b7779f7b4a5133fab0c68e6e7ce5
SHA256 4a65428060d2fc34f941159b8a083dc801e270767cb398ebe0ae8d872d86ee50
SHA512 d2aee43332c004d7faef7e1ee50accf37c5709c5ee53f05b5c8a8a9aec569ba7dcc8090d2a73ce606aa0d1d59c595306a69ca8df38b5f6915cb7f2818b4c71f6
