gurcu | e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264

Analysis

max time kernel
1009s
max time network
1052s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Celestial.exe
Size

297KB
MD5

9b650b738d97c0e39717fe86401a6726
SHA1

34f361ab5024ad4390a3906cb3fff5a7b5f7e656
SHA256

e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264
SHA512

a6664916c5c1bfd66e58face5c1811f95b6489c3e1d4728d4efee92233192fb145c8f0cca46582d560356b92732a8727794a7d8765d16c4df567eb5eb84b1e30
SSDEEP

6144:Ka4InuJg58BkgqPoDH49n8Bb/cQ/gW/tQtbgk3KlRWvWl/HrrACG7:Kat0EAH49n8BLgSZQKXW+l/HnACs

Score

10^/10

gurcu xworm discovery evasion persistence privilege_escalation rat stealer trojan

Malware Config

Extracted

Family

xworm

engineering-thoroughly.gl.at.ply.gg:32901

20.ip.gl.ply.gg:32901

Attributes

install_file
USB.exe

Extracted

Family

gurcu

https://api.telegram.org/bot7268785583:AAFvSoXRrVhV7krjc8W8iUc9VL5ZyOqftLY/sendMessage?chat_id=https://t.me/ratnichektg_bot

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/4608-88-0x000000001B390000-0x000000001B39E000-memory.dmp	disable_win_def

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002347b-6.dat	family_xworm
behavioral2/files/0x00080000000234db-16.dat	family_xworm
behavioral2/memory/2096-25-0x0000000000120000-0x0000000000136000-memory.dmp	family_xworm
behavioral2/memory/4608-26-0x0000000000370000-0x000000000039E000-memory.dmp	family_xworm
behavioral2/files/0x00020000000230af-105.dat	family_xworm
behavioral2/memory/184-112-0x0000000000C30000-0x0000000000C60000-memory.dmp	family_xworm

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4948	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Celestial.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	1Celestial.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	1Celestial.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	1Celestial.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	nildsh.exe

Executes dropped EXE 4 IoCs

pid	Process
2096	XClient.exe
4608	1Celestial.exe
5388	ywidxm.exe
184	nildsh.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com
94	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Celestial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywidxm.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	calc.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4216	msedge.exe
4216	msedge.exe
4608	1Celestial.exe
4608	1Celestial.exe
4608	1Celestial.exe
4608	1Celestial.exe
4608	1Celestial.exe
4608	1Celestial.exe
4608	1Celestial.exe
4608	1Celestial.exe
4608	1Celestial.exe
4608	1Celestial.exe
4608	1Celestial.exe
4608	1Celestial.exe
4608	1Celestial.exe
4608	1Celestial.exe
4608	1Celestial.exe
4608	1Celestial.exe
4608	1Celestial.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	1Celestial.exe
Token: SeDebugPrivilege	2096	XClient.exe
Token: SeDebugPrivilege	4608	1Celestial.exe
Token: SeDebugPrivilege	184	nildsh.exe
Token: SeDebugPrivilege	184	nildsh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5220	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 2096	820	Celestial.exe	85
PID 820 wrote to memory of 2096	820	Celestial.exe	85
PID 820 wrote to memory of 4608	820	Celestial.exe	87
PID 820 wrote to memory of 4608	820	Celestial.exe	87
PID 3204 wrote to memory of 4044	3204	msedge.exe	141
PID 3204 wrote to memory of 4044	3204	msedge.exe	141
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 556	3204	msedge.exe	142
PID 3204 wrote to memory of 4216	3204	msedge.exe	143
PID 3204 wrote to memory of 4216	3204	msedge.exe	143
PID 3204 wrote to memory of 3736	3204	msedge.exe	144
PID 3204 wrote to memory of 3736	3204	msedge.exe	144
PID 3204 wrote to memory of 3736	3204	msedge.exe	144
PID 3204 wrote to memory of 3736	3204	msedge.exe	144
PID 3204 wrote to memory of 3736	3204	msedge.exe	144
PID 3204 wrote to memory of 3736	3204	msedge.exe	144
PID 3204 wrote to memory of 3736	3204	msedge.exe	144
PID 3204 wrote to memory of 3736	3204	msedge.exe	144
PID 3204 wrote to memory of 3736	3204	msedge.exe	144
PID 3204 wrote to memory of 3736	3204	msedge.exe	144
PID 3204 wrote to memory of 3736	3204	msedge.exe	144
PID 3204 wrote to memory of 3736	3204	msedge.exe	144
PID 3204 wrote to memory of 3736	3204	msedge.exe	144
PID 3204 wrote to memory of 3736	3204	msedge.exe	144
PID 3204 wrote to memory of 3736	3204	msedge.exe	144
PID 3204 wrote to memory of 3736	3204	msedge.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Celestial.exe
"C:\Users\Admin\AppData\Local\Temp\Celestial.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:820
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\1Celestial.exe
  "C:\Users\Admin\AppData\Local\Temp\1Celestial.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4608
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4948
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c start calc
    3⤵
    PID:5380
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      Modifies registry class
      PID:5140
- - C:\Users\Admin\AppData\Local\Temp\ywidxm.exe
    "C:\Users\Admin\AppData\Local\Temp\ywidxm.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5388
- - C:\Users\Admin\AppData\Local\Temp\nildsh.exe
    "C:\Users\Admin\AppData\Local\Temp\nildsh.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta5ae53c7hc24fh49e7h8d75hdd902aef5e1e
1⤵
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7fff09a046f8,0x7fff09a04708,0x7fff09a04718
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,12556902729136631314,171095082331583764,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,12556902729136631314,171095082331583764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,12556902729136631314,171095082331583764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:3736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5284

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6efb861fa40631f30ce77593188aacd9

SHA1
da685227c5f7920704a9ddfb2f2d240774c35acd

SHA256
f9edd1a79c85c536381b75c8d5336f9d260d36d89b44911c6a54857818af6186

SHA512
5729182a6ce17169823f2ac71115cb4c5da0f1c6daa21e0dc59a0cdbe422ee97e86aaf33103b8464fd49320eb87bc83263284f20f1a74a4b5d0927040d2848b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ce6b03ea015405f03c4fee44ec54f5c6

SHA1
558f611a44529e7446922734a893e34d6c55aa78

SHA256
0f11f4e57fceb40394edadfbe8532142b640ce5484d59bdede61f66e263f1cc3

SHA512
3bb68b9f9b8741d94a979cbb5b37cc14bd014ee45ea9e3bc906051db06c804a5597d5e8d3c85a2af9db4baec290992a97bd604d62571ebd5b65d501b3595b0ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Celestial.exe

Filesize
162KB

MD5
d726f0f603538577a7e12448419fed1a

SHA1
1ea8047f9e825c9dd648a12c98689e1c6ad11c70

SHA256
e4d2faf2aa895163625ea12416ce945b256f0e13b8327152d6eb80f3ee9fc332

SHA512
a9643b891d7a092799ee032c032daa0e1303f639a1893fe1ea7e2830cbae12dbb0d754ebe7bbedcb2396f6bfed5539a932c8f8726b7ff13e217fc39f630b7dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
66KB

MD5
2c2bf7640b13839dcffc5524e9ff6972

SHA1
4e91d65f34a33498b39419dbffee5efd8703ca05

SHA256
58588e19dac77c6689a6167865f9ad8f0fe531afbe4d66243d55f3e0e5a555c4

SHA512
980afa1660da3522c5a0d6296fb1fe9ddcb53dfa829d6d64bd9c63714147536c090f12c9f533e67187d5250b5a219a9c9aa876ee375995a2e1cb1dac1e6de65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nildsh.exe

Filesize
167KB

MD5
56b98a62fc1cae2b9ab7bd2a6086d663

SHA1
d6b3c7b87ec42f88a43d0fd48055718d7ad7df44

SHA256
5c008fab245ab2aec9aa04b2f9043123fc0f54cea6ff0a8d73d60aa20b1b3f5b

SHA512
f1eb0d30e10594c9a0a154883e90318fb93c241dc4d3e2b4786583f570a73e58b5ec7f37038d24c6df6a2a8aa030f165b4233e57c97f951e8bf08c957346981d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywidxm.exe

Filesize
300KB

MD5
2324ea475f42c09270792c59ce2f38dd

SHA1
9848fe52a65322a4c2ccb004443a7a4d6e2587cb

SHA256
a9abd6d067071432f297a9953537e96e810c5b45f68b273b479be91c1392a3ac

SHA512
61c1f695fbe17bd465a09490233b6ab73e632b2e4fef35d9240d9cd45e877af4326ec8b93d8606eb03eb1069a98804cd15753b21cdd21ebe10d3d55eab3c2422

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Filesize
771B

MD5
088cb71a2ef703fd14308a5427d27bce

SHA1
880b857757c787acdd8cad76a38e902865f46170

SHA256
4425c21d499f87119d6237377ca52295fc56f9fa75ecaaf6b65355ec43bd9fe9

SHA512
6599102281cccedf1b2998e347b022ddfbc13aff4c175ad020997b366aa0c33daf0d455c0e6e5bcb359ee3125a5e225860e3d5278321dcbb209c946b685d3903

Download Submit
memory/184-112-0x0000000000C30000-0x0000000000C60000-memory.dmp

Filesize
192KB

Download
memory/2096-28-0x00007FFF10720000-0x00007FFF111E1000-memory.dmp

Filesize
10.8MB

Download
memory/2096-35-0x00007FFF10720000-0x00007FFF111E1000-memory.dmp

Filesize
10.8MB

Download
memory/2096-89-0x00007FFF10720000-0x00007FFF111E1000-memory.dmp

Filesize
10.8MB

Download
memory/2096-25-0x0000000000120000-0x0000000000136000-memory.dmp

Filesize
88KB

Download
memory/2096-21-0x00007FFF10723000-0x00007FFF10725000-memory.dmp

Filesize
8KB

Download
memory/4608-36-0x00007FFF10720000-0x00007FFF111E1000-memory.dmp

Filesize
10.8MB

Download
memory/4608-88-0x000000001B390000-0x000000001B39E000-memory.dmp

Filesize
56KB

Download
memory/4608-87-0x0000000002410000-0x000000000241C000-memory.dmp

Filesize
48KB

Download
memory/4608-90-0x000000001B7F0000-0x000000001B826000-memory.dmp

Filesize
216KB

Download
memory/4608-34-0x00007FFF10720000-0x00007FFF111E1000-memory.dmp

Filesize
10.8MB

Download
memory/4608-29-0x00007FFF10720000-0x00007FFF111E1000-memory.dmp

Filesize
10.8MB

Download
memory/4608-27-0x00007FFF10720000-0x00007FFF111E1000-memory.dmp

Filesize
10.8MB

Download
memory/4608-26-0x0000000000370000-0x000000000039E000-memory.dmp

Filesize
184KB

Download