diff --git a/README.md b/README.md index 1b312ae..53efd54 100644 --- a/README.md +++ b/README.md @@ -96,6 +96,8 @@ A curated list of awesome malware analysis tools and resources * [Process Hacker](https://processhacker.sourceforge.io/) - Tool that monitors system resources. * [Process Monitor](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) - Advanced monitoring tool for Windows programs. * [RegShot](https://sourceforge.net/projects/regshot/) - Registry compare utility that compares snapshots. + * [ProcDot](http://www.procdot.com/) - A graphical malware analysis tool kit. + @@ -111,7 +113,10 @@ A curated list of awesome malware analysis tools and resources * Memory Forensics - * [Volatility](https://github.com/volatilityfoundation/volatility) - Advanced memory forensics framework. + * memory acquisition + * [Comae-Toolkit](https://github.com/Crypt2Shell/Comae-Toolkit) _ use DumpIt.exe for sump whole memory + * memory analysis + * [Volatility](https://github.com/volatilityfoundation/volatility) - Advanced memory forensics framework. * Online Scanners and Sandboxes @@ -125,6 +130,10 @@ A curated list of awesome malware analysis tools and resources * Android * [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) – Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. +* service emulation + * [INetSim](http://www.inetsim.org/) - Network service emulation, useful when building a malware lab. + * [FakeNet](https://sourceforge.net/projects/fakenet/) - Windows Network Simulation tool for Malware Analysis + 
@@ -152,6 +161,15 @@ A curated list of awesome malware analysis tools and resources * we can bypass all static analysis with rewrite import dll, with call function with address in memory * we can create shellcode with FASM tools in assembly * the best future of ida is create basic block for application analysis +* export procmon to csv and send to procdot for create png of malware behaviour +* almost ransomeware are 32 bit, because they can run on 32 bit and 64 bit architect +* some ransomware work when we have complex network, we use FakeNet tools for create all network service +* with FakeNet tools and vmware host only, we can see all network connection with c2 server, because 127.0.0.1 set for all dns query +* in windows 8 and upper, ther is patchgaurd mechanism that every 30m check critical section and if detedct some app remove linker and DKOM attack happen make bluescrean ! with this role most rootkit lose +* we can use psscan command in volatility for finding rootkit and hidden process +* .pdb file is so important for detection function name and indexing of system dll that use in malware +* in vmware we can suspend vm and copy .vmem for memory analysis. the file size is equal to whole memory size + ### Books
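Review bot: In the `@@ -96,6 +96,8 @@` hunk the new ProcDot entry is followed by an added empty `+` line that breaks the contiguous bullet list before the next section; drop that blank line. Also match the neighbouring entries' style: spell it "toolkit" as one word, and prefer an `https://` link if procdot.com serves one, e.g. `* [ProcDot](https://www.procdot.com/) - A graphical malware analysis toolkit.`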
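Review bot: In the `@@ -111,7 +113,10 @@` hunk the Comae-Toolkit line uses `_` instead of the ` - ` separator every other entry uses, and "sump" is a typo for "dump"; suggest `* [Comae-Toolkit](https://github.com/Crypt2Shell/Comae-Toolkit) - Use DumpIt.exe to dump the whole physical memory.` The new sub-headings "memory acquisition" and "memory analysis" are also lowercase while sibling headings ("Memory Forensics", "Online Scanners and Sandboxes") are title case, and there is again a stray trailing `+` blank line; please make both consistent with the rest of the README.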
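Review bot: In the `@@ -125,6 +130,10 @@` hunk the new top-level "service emulation" heading is lowercase and lands directly after the Android entry, which reads as if it were a mobile sub-section; title-case it ("Service Emulation") and consider whether it belongs next to the other network-related sections, and check that INetSim and FakeNet are not already listed elsewhere in the file before adding them here. The FakeNet description also lacks the trailing period and sentence case the other entries use, e.g. `* [FakeNet](https://sourceforge.net/projects/fakenet/) - Windows network simulation tool for malware analysis.`, and the trailing empty `+` line should go.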
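Review bot: The notes added in the `@@ -152,6 +161,15 @@` hunk need a spelling and grammar pass before merge: "ransomeware" (ransomware), "architect" (architecture), "ther" (there), "patchgaurd" (PatchGuard), "detedct" (detect), "bluescrean" (blue screen), and "almost ransomeware are 32 bit" should read "most ransomware is 32-bit". The PatchGuard bullet also states specifics, "Windows 8 and upper" and "every 30m", without a source; either cite where those figures come from or soften them to "periodically checks kernel structures and bugchecks when it detects tampering (such as DKOM), which defeats many rootkits". Finally, "127.0.0.1 set for all dns query" is clearer as "FakeNet answers every DNS query with 127.0.0.1, so all C2 traffic is redirected to the local machine", and the blank `+` line before `### Books` is one of several trailing blank lines this patch introduces.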