IOC Report
mozglue.dll.exe

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| mozglue.dll.dll | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | initial sample | malicious |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_moz_27ecf4c285b5182533f7b3a93e8a8a8fddc58761_134389a9_1de486fd-c9ab-489c-aa10-0c38cdabb530\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_moz_27ecf4c285b5182533f7b3a93e8a8a8fddc58761_134389a9_273e8517-c54d-470f-b1be-6f82d7b9a01d\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_moz_27ecf4c285b5182533f7b3a93e8a8a8fddc58761_134389a9_a4d72ff2-2d42-46e7-9cd5-bbc934cbba1b\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_moz_27ecf4c285b5182533f7b3a93e8a8a8fddc58761_134389a9_e9164dc1-577d-4bcf-b83d-667d25519d07\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA43.tmp.dmp | Mini DuMP crash report, 14 streams, Tue May 28 05:27:55 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA52.tmp.dmp | Mini DuMP crash report, 14 streams, Tue May 28 05:27:55 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERCAB1.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERCAC1.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERCAF1.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB10.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD56E.tmp.dmp | Mini DuMP crash report, 14 streams, Tue May 28 05:27:58 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5AE.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5CE.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERE145.tmp.dmp | Mini DuMP crash report, 14 streams, Tue May 28 05:28:01 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERE175.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERE195.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |

8 additional files are hidden in the original report and not listed here.

Processes

The Malicious column is empty for every process below and is omitted.

| Path | Cmdline |
|---|---|
| C:\Windows\System32\loaddll64.exe | loaddll64.exe "C:\Users\user\Desktop\mozglue.dll.dll" |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\System32\cmd.exe | cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mozglue.dll.dll",#1 |
| C:\Windows\System32\rundll32.exe | rundll32.exe C:\Users\user\Desktop\mozglue.dll.dll,HeapAlloc |
| C:\Windows\System32\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\mozglue.dll.dll",#1 |
| C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 7176 -s 296 |
| C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 7192 -s 292 |
| C:\Windows\System32\rundll32.exe | rundll32.exe C:\Users\user\Desktop\mozglue.dll.dll,HeapFree |
| C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 7468 -s 284 |
| C:\Windows\System32\rundll32.exe | rundll32.exe C:\Users\user\Desktop\mozglue.dll.dll,HeapReAlloc |
| C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 7668 -s 236 |

1 additional process is hidden in the original report and not listed here.

URLs

The Malicious column is empty for both entries and is omitted.

| Name | IP |
|---|---|
| http://upx.sf.net | unknown |
| http://www.mozilla.com/en-US/blocklist/ | unknown |

Registry

All 20 entries share one key; the Malicious column is empty for every entry.

Key: \REGISTRY\A\{00bf46f5-2335-5527-6cb1-6a44a2081af3}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41

Values: ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, OriginalFileName, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, AppxPackageFullName, AppxPackageRelativeId, Size, Language, IsOsComponent, Usn

10 additional registry entries are hidden in the original report and not listed here.

Memdumps

The Malicious column is empty for every region below and is omitted.

| Base Address | Regiontype | Protect |
|---|---|---|
| CEC319E000 | stack | page read and write |
| 1D108590000 | heap | page read and write |
| 7FFDFF1A1000 | unknown | page execute read |
| 1D108825000 | heap | page read and write |
| 7FFDFF1A1000 | unknown | page execute read |
| 21468FE0000 | heap | page read and write |
| 1C50C780000 | heap | page read and write |
| 1D108490000 | heap | page read and write |
| 7FFDFF301000 | unknown | page readonly |
| 1C50C860000 | heap | page read and write |
| 7FFDFF301000 | unknown | page readonly |
| 1D108618000 | heap | page read and write |
| 7FFDFF2BA000 | unknown | page readonly |
| 21469435000 | heap | page read and write |
| 8EB6BEC000 | stack | page read and write |
| 13A76F10000 | heap | page read and write |
| 733FCFF000 | stack | page read and write |
| 7FFDFF2BA000 | unknown | page readonly |
| CEC309C000 | stack | page read and write |
| 7FFDFF2F4000 | unknown | page write copy |
| 45FD6FE000 | stack | page read and write |
| 1D108820000 | heap | page read and write |
| 7FFDFF2F9000 | unknown | page readonly |
| 214691BF000 | heap | page read and write |
| 214690E0000 | heap | page read and write |
| 1C50C886000 | heap | page read and write |
| 22A242C0000 | heap | page read and write |
| 214690C0000 | heap | page read and write |
| 7FFDFF301000 | unknown | page readonly |
| 1C50C7B0000 | heap | page read and write |
| 13A77265000 | heap | page read and write |
| 22A242C5000 | heap | page read and write |
| 21469430000 | heap | page read and write |
| 7FFDFF1A0000 | unknown | page readonly |
| 1C50C86D000 | heap | page read and write |
| 733F92C000 | stack | page read and write |
| 45FD3ED000 | stack | page read and write |
| 7FFDFF1A1000 | unknown | page execute read |
| 7FFDFF301000 | unknown | page readonly |
| 22A240C8000 | heap | page read and write |
| 7FFDFF2BA000 | unknown | page readonly |
| 7FFDFF2F9000 | unknown | page readonly |
| 13A76F18000 | heap | page read and write |
| 7FFDFF2F4000 | unknown | page write copy |
| 733FDFF000 | stack | page read and write |
| 37EFAED000 | stack | page read and write |
| 22A240C0000 | heap | page read and write |
| 7FFDFF1A0000 | unknown | page readonly |
| 7FFDFF2BA000 | unknown | page readonly |
| 7FFDFF2F4000 | unknown | page write copy |
| 1C50C7D0000 | remote allocation | page read and write |
| 7FFDFF1A1000 | unknown | page execute read |
| 7FFDFF2F4000 | unknown | page write copy |
| 7FFDFF2F9000 | unknown | page readonly |
| 7FFDFF2BA000 | unknown | page readonly |
| 22A24010000 | heap | page read and write |
| 1D108570000 | heap | page read and write |
| 13A76E80000 | heap | page read and write |
| 8EB6E7E000 | stack | page read and write |
| 7FFDFF301000 | unknown | page readonly |
| 7FFDFF1A0000 | unknown | page readonly |
| 13A76E60000 | heap | page read and write |
| CEC311E000 | stack | page read and write |
| 214691B8000 | heap | page read and write |
| 7FFDFF2F9000 | unknown | page readonly |
| 7FFDFF2F4000 | unknown | page write copy |
| 13A77260000 | heap | page read and write |
| 7FFDFF1A1000 | unknown | page execute read |
| 13A76E50000 | heap | page read and write |
| 1C50C6A0000 | heap | page read and write |
| 8EB6EFE000 | stack | page read and write |
| 22A240CF000 | heap | page read and write |
| 22A24030000 | heap | page read and write |
| 7FFDFF2F9000 | unknown | page readonly |
| 37EFBEE000 | stack | page read and write |
| 7FFDFF1A0000 | unknown | page readonly |
| 45FD67E000 | stack | page read and write |
| 7FFDFF1A0000 | unknown | page readonly |
| 1D108610000 | heap | page read and write |
| 1C50CB30000 | heap | page read and write |
| 22A23F30000 | heap | page read and write |
| 214691B0000 | heap | page read and write |
| 37EFB6E000 | stack | page read and write |

73 additional memdumps are hidden in the original report and not listed here.