Malware Analysis Report

2024-12-07 22:30

Sample ID 240405-ntewrsbd44
Target TSTS 0005A.rar
SHA256 264d6866d534205d35dcbbb2e5f031440f5580ae97d0eec657477f957039126a
Tags remcos remotehost rat
Score 10/10

Analysis Overview

Threat Level: Known bad

The file TSTS 0005A.rar was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Analysis: static1

Detonation Overview

Reported 2024-04-05 11:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-05 11:41
Reported 2024-04-05 11:43
Platform win7-20240221-en
Max time kernel 148s
Max time network 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2276 set thread context of 2784 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Windows\SysWOW64\schtasks.exe
PID 2276 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vcEDbAjawlTHE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vcEDbAjawlTHE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp48A4.tmp"

C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sembe.duckdns.org udp
BE 194.187.251.115:14645 sembe.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp48A4.tmp

MD5 b0dbfda50a11ba2f398c2de3049cddab
SHA1 4c7ec19e990cefcf6182c3c9580ed70dac7ec655
SHA256 ce16e075234483ce823675820b1544d16148e4340e852a1b049df30dfd51a995
SHA512 fcf7d79e2bedc6d05bc1548d36d5a1c67c094e4c71d6e8c1a211e011e95969f1ddd0b7d6b6e7781735507c00832684bb4d3f1faffde66ab1188cf0defde74075

C:\Users\Admin\AppData\Roaming\notess\logs.dat

MD5 8d35c03abb01c9c58fd94dd704e98326
SHA1 c53104898af6d9cd4c7906004e6aaef533a1c0b8
SHA256 37df8bcee1574b291aab1e384ceb719d07bd7a70cc781904a33bf365db17569b
SHA512 0e7bb997411a9f64f283ec4b7a0d793e09a5f38da3d5e4ba7a6c8e954b053bf208925b5ded8f8e9fe0872bd27e8e231c6e075195ab5435cac1759adfc892876c

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-05 11:41
Reported 2024-04-05 11:43
Platform win10v2004-20240226-en
Max time kernel 148s
Max time network 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3168 set thread context of 4196 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3168 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Windows\SysWOW64\schtasks.exe
PID 3168 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe
PID 3168 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe
PID 3168 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vcEDbAjawlTHE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vcEDbAjawlTHE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D12.tmp"

C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"

C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"

C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe

"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 154.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 sembe.duckdns.org udp
BE 194.187.251.115:14645 sembe.duckdns.org tcp
US 8.8.8.8:53 115.251.187.194.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp6D12.tmp

MD5 35bfb4553ad9189205d20be5cc976305
SHA1 485c545ce3701f27694fe4df829b2557ed4f0f48
SHA256 dfa9b03022019b6b2fb30b73957c1bfdecb4b569345d932cf6fc7549e5aa5a7c
SHA512 fb48e2e0fe181865ee5bb481d7825bb6bb1e52feac2dc16f869d8c58458d432b0a4a0b1a62c05effb1a41c2d1d98d68a55771784bb590a8380ff0880082c0e5a

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_431gzdhd.le1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\notess\logs.dat

MD5 4cbbe1ca599b5a09cecc9bad75c441ff
SHA1 6fceb677d32c976de9311404b616001a8dfdcef5
SHA256 75dec0166b55f5ddc0641dbb14257ee904d33426c5a4f15b8e481c52d3b92d99
SHA512 f7f5f27de2c9ded88b091392849df65ad8a7547c47f279c16c77a01ab745c90e13006fe1787304f094b01943900630cee39e22f9df1f3b4c1a987ec72e490081
