Analysis
-
max time kernel
608s -
max time network
433s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
08-02-2022 13:26
Static task
static1
Behavioral task
behavioral1
Sample
LegionLocker.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
LegionLocker.exe
Resource
win10v2004-en-20220112
General
-
Target
LegionLocker.exe
-
Size
6.6MB
-
MD5
9a72a508fcee3de957167a386f173c44
-
SHA1
55650582fc704d27cd7d95f971b0ddd13dcd9eaf
-
SHA256
22b1a6c34e47c23083fc1d2e3d01bc9dbd3fd4429e13aad6797ad41313447708
-
SHA512
fb8073e5d0c14dbe1780bed15b6a492c0db386acb56b834f56eae9d76cf9872dd95396fd8d6d06048864227fcc90f8cae9d7853169536835a183ea2099994262
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 1340 created 364 1340 WerFault.exe backgroundTaskHost.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
LegionLocker.exedescription ioc process File renamed C:\Users\Admin\Pictures\ClearTest.tif => C:\Users\Admin\Pictures\ClearTest.tif.lock LegionLocker.exe File renamed C:\Users\Admin\Pictures\EnterMerge.raw => C:\Users\Admin\Pictures\EnterMerge.raw.lock LegionLocker.exe File opened for modification C:\Users\Admin\Pictures\InvokeSkip.tiff LegionLocker.exe File renamed C:\Users\Admin\Pictures\InvokeSkip.tiff => C:\Users\Admin\Pictures\InvokeSkip.tiff.lock LegionLocker.exe File renamed C:\Users\Admin\Pictures\ResizeRestart.png => C:\Users\Admin\Pictures\ResizeRestart.png.lock LegionLocker.exe File opened for modification C:\Users\Admin\Pictures\SelectLimit.tiff LegionLocker.exe File renamed C:\Users\Admin\Pictures\SelectLimit.tiff => C:\Users\Admin\Pictures\SelectLimit.tiff.lock LegionLocker.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
LegionLocker.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion LegionLocker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion LegionLocker.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
LegionLocker.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation LegionLocker.exe -
Processes:
resource yara_rule behavioral2/memory/620-142-0x00000000007F0000-0x00000000010C4000-memory.dmp themida behavioral2/memory/620-143-0x00000000007F0000-0x00000000010C4000-memory.dmp themida -
Processes:
LegionLocker.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA LegionLocker.exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
LegionLocker.exedescription ioc process File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini LegionLocker.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
LegionLocker.exepid process 620 LegionLocker.exe -
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2432 364 WerFault.exe backgroundTaskHost.exe -
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exeMusNotifyIcon.exeWerFault.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
WerFault.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 3956 taskkill.exe -
Modifies data under HKEY_USERS 55 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.013021" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "90228624" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3980" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "1157726" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3720" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3668" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3744" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006521" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132889768195402443" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "4" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.666677" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
LegionLocker.exepid process 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe 620 LegionLocker.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
LegionLocker.exetaskkill.exedescription pid process Token: SeDebugPrivilege 620 LegionLocker.exe Token: SeDebugPrivilege 3956 taskkill.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
LegionLocker.execmd.exeWerFault.exedescription pid process target process PID 620 wrote to memory of 3252 620 LegionLocker.exe cmd.exe PID 620 wrote to memory of 3252 620 LegionLocker.exe cmd.exe PID 620 wrote to memory of 3252 620 LegionLocker.exe cmd.exe PID 3252 wrote to memory of 3956 3252 cmd.exe taskkill.exe PID 3252 wrote to memory of 3956 3252 cmd.exe taskkill.exe PID 3252 wrote to memory of 3956 3252 cmd.exe taskkill.exe PID 1340 wrote to memory of 364 1340 WerFault.exe backgroundTaskHost.exe PID 1340 wrote to memory of 364 1340 WerFault.exe backgroundTaskHost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\LegionLocker.exe"C:\Users\Admin\AppData\Local\Temp\LegionLocker.exe"1⤵
- Modifies extensions of user files
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k color 47 && taskkill /f /im explorer.exe && Exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 364 -s 20882⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 440 -p 364 -ip 3641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wusvcs -p1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/620-130-0x00000000768A0000-0x0000000076990000-memory.dmpFilesize
960KB
-
memory/620-131-0x00000000768A0000-0x0000000076990000-memory.dmpFilesize
960KB
-
memory/620-132-0x00000000768A0000-0x0000000076990000-memory.dmpFilesize
960KB
-
memory/620-133-0x00000000768A0000-0x0000000076990000-memory.dmpFilesize
960KB
-
memory/620-134-0x00000000768A0000-0x0000000076990000-memory.dmpFilesize
960KB
-
memory/620-135-0x00000000768A0000-0x0000000076990000-memory.dmpFilesize
960KB
-
memory/620-136-0x00000000768A0000-0x0000000076990000-memory.dmpFilesize
960KB
-
memory/620-137-0x00000000768A0000-0x0000000076990000-memory.dmpFilesize
960KB
-
memory/620-138-0x0000000077A40000-0x0000000077BE3000-memory.dmpFilesize
1.6MB
-
memory/620-141-0x0000000074FA0000-0x0000000075750000-memory.dmpFilesize
7.7MB
-
memory/620-142-0x00000000007F0000-0x00000000010C4000-memory.dmpFilesize
8.8MB
-
memory/620-143-0x00000000007F0000-0x00000000010C4000-memory.dmpFilesize
8.8MB
-
memory/620-144-0x0000000006170000-0x0000000006714000-memory.dmpFilesize
5.6MB
-
memory/620-145-0x0000000005BC0000-0x0000000005C52000-memory.dmpFilesize
584KB
-
memory/620-146-0x0000000005BC0000-0x0000000006164000-memory.dmpFilesize
5.6MB
-
memory/620-147-0x0000000005B30000-0x0000000005B3A000-memory.dmpFilesize
40KB
-
memory/620-148-0x0000000005BC0000-0x0000000006164000-memory.dmpFilesize
5.6MB
-
memory/620-149-0x0000000005BC0000-0x0000000006164000-memory.dmpFilesize
5.6MB