file_name,expected_file_path,vulnerable_file_name,file_type,file_hash,link,hijacklib_link
wsc.dll,C:\Program Files\AVAST Software\Avast*;C:\Program Files\Norton\Suite*;C:\Program Files\AVG\Antivirus*,wsc_proxy.exe,Search Order,85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654,https://github.com/netero1010/Vulnerability-Disclosure/tree/main/CVE-2022-AVAST2;https://securelist.com/cycldek-bridging-the-air-gap/97157/,HijackLibs/yml/3rd_party/avast/wsc.yml
tosbtkbd.dll,C:\Program Files\Toshiba\Bluetooth Toshiba Stack*,C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtKbd.exe,Sideloading,,https://www.secureworks.com/research/shadowpad-malware-analysis;https://vms.drweb.com/virus/?i=21995048;https://www.hexacorn.com/blog/2023/02/25/beyond-good-ol-run-key-part-141/,HijackLibs/yml/3rd_party/toshiba/tosbtkbd.yml
facesdk.dll,C:\Program Files\luxand\facesdk\bin\win64*,C:\Program Files\luxand\facesdk\bin\win64\FacialFeatureDemo.exe,Sideloading,0d243cbcd1c3654ca318d2d6d08f4e9d293fc85a68d751a52c23b04314c67b99,https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/,HijackLibs/yml/3rd_party/luxand/facesdk.yml
libcurl.dll,C:\Program Files\Notepad++\updater*;C:\Program Files\WindowsApps\MSTeams_*;C:\Program Files\Coolmuster\Coolmuster PDF Creator Pro\*\Bin*,C:\Program Files\Notepad++\updater\GUP.exe,Sideloading,e5bbbf34414426f63e6cd1354c306405e54bf31279829c7542dccfb7d85af0ec,https://www.virustotal.com/gui/file/d1e44e4224899cb160a92f4c7f4f042b10ae0ee3fc16bbe457ad32e8b1527ed5;https://www.virustotal.com/gui/file/dd0c2d79fef0cf5e2d32dcdd661d6ba0a6e9901ffe047fad2d081bbc28daad2c,HijackLibs/yml/3rd_party/curl/libcurl.yml
flutter_gpu_texture_renderer_plugin.dll,C:\Users\*\AppData\Local\rustdesk*;C:\Program Files\RustDesk*,C:\Users\*\AppData\Local\rustdesk\rustdesk.exe,Sideloading,8128917d9f3e7ecabbc39f4c221afdf9171ee8b71b2c0ef11fce8e14c13c91fe,https://www.trendmicro.com/en_us/research/25/a/how-cracks-and-installers-bring-malware-to-your-device.html;https://www.virustotal.com/gui/file/857e4cb0b41f7aac5494c8554601888c1c82202de3dab7258b2ff322bc94ca43,HijackLibs/yml/3rd_party/rustdesk/flutter_gpu_texture_renderer_plugin.yml
avdevice-54.dll,C:\Program Files\AnyMP4 Studio\AnyMP4 Blu-ray Creator*,C:\Program Files\AnyMP4 Studio\AnyMP4 Blu-ray Creator\AnyMP4 Blu-ray Creator.exe,Sideloading,98c9c45cf18434fe9ab79c9db2e88c1f1db48c95338864421e4d761d71c2fbc6,,HijackLibs/yml/3rd_party/anymp4/avdevice-54.yml
tutil32.dll,C:\Program Files\PDE*,C:\Program Files\PDE\PDE.exe,Sideloading,6243d4d73e8d43dd2d4dd7dc3ef761d7c23581ee7f3d047699d894b01bc022d6,https://www.mitec.cz/pde.html,HijackLibs/yml/3rd_party/mitec/tutil32.yml
relay.dll,,UniversalInstaller.exe,Sideloading,a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3,https://www.virustotal.com/gui/file/6122b4ceb394e4a441b4f7ac92745b1aa64b6c83a4101d6d326e130efa5a5d10/details,HijackLibs/yml/3rd_party/canon/relay.yml
atl71.dll,C:\Program Files\Common Files\Thunder Network\TP\*,C:\Program Files\Common Files\Thunder Network\TP\*\XLBugReport.exe,Sideloading,64f8d68cc1cfc5b9cc182df3becf704af93d0f1cc93ee59dbf682c75b6d4ffc0,https://www.virustotal.com/gui/file/07ff27bfc879ad9f4d90f17c755c89d2fc3a84994c2304ee3cd79eb84674b9c0/relations;https://www.virustotal.com/gui/file/d42dc50226c59ab41afb691a0d94fa4e141702b678d8bd2fdaaaecb43a8e5b4b/details,HijackLibs/yml/3rd_party/xunlei/atl71.yml
sqlite.dll,C:\Program Files\NetWorx*,C:\Program Files\NetWorx\networx.exe,Sideloading,29345d9c6ff0106c9032b15e2c88f17bc8972ed843d1b5c044cf17d00f1d45c5,https://www.virustotal.com/gui/file/0271e401ca9e430868f45148a04680295929450aecc537285359a28605645daf;https://www.virustotal.com/gui/file/4489bffe08dcbd1e9741f9b66f8ba10b7526318a1dc8d190aef13bbc1599b0f7/details,HijackLibs/yml/3rd_party/softperfect/sqlite.yml
unityplayer.dll,C:\Users\*\AppData\Local\Temp\*\Windows*,KingdomTwoCrowns.exe,Sideloading,03b1df2b08999262c772b67a7bd65e9e8f6058036b5e7a382f06d3aa672854d0,https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/,HijackLibs/yml/3rd_party/unity/unityplayer.yml
cc3260mt.dll,C:\Program Files\TiVo\Desktop*,C:\Program Files\TiVo\Desktop\TiVoServer.exe,Sideloading,482ec2cfaba9e58435c807cf43f6cfa3eff0093d0128b066378e103e6ddf69ec,https://www.virustotal.com/gui/file/3d8181ea38667550d141f813372b2d7bae7b7f43cdc17e24688d72be97751505/details,HijackLibs/yml/3rd_party/tivo/cc3260mt.yml
bugsplat64.dll,C:\Program Files\Nitro\PDF Pro\*;C:\Program Files\Nitro\Pro*,BugSplatHD64.exe,Sideloading,b874075e7bc7c9dbf25fed0d3f54aa694957e5ff57c0ebbcf88c9c277771d37c,https://x.com/ankit_anubhav/status/1895061182689747333;https://bazaar.abuse.ch/sample/97791eba8ac9745155cea4cc1a90e44765a97b840441220ec13c82f719c65f1a/,HijackLibs/yml/3rd_party/bugsplat/bugsplat64.yml
liteskinutils.dll,C:\Program Files\ICQLite*,C:\Program Files\ICQLite\ICQLite.exe,Sideloading,e6baea057b35e495a3fc3cdf3b95d503c3abc63c371fbb0067f1052798ce3601,https://www.virustotal.com/gui/file/e5e53392b29b74545e463b65052e0b6b07e8299d709f07501fb0f31b97a679ab/details;https://www.virustotal.com/gui/file/a278d5604a93e93a5580845da93af6c316a37a4cd35c1fc9348958ae1bebdb90/details;https://www.virustotal.com/gui/file/104ca4690b0ff17eb55e1330c5baf5580a731b6834f0716c483e646d6030855c/relations;https://www.virustotal.com/gui/file/010f55aef8ccba2ea1307d934decd577a08fa21547d1db30e01f3ae5ff1cce07/relations,HijackLibs/yml/3rd_party/icq/liteskinutils.yml
skinutils.dll,C:\Program Files\ICQLite*,C:\Program Files\ICQLite\ICQLite.exe,Sideloading,e6baea057b35e495a3fc3cdf3b95d503c3abc63c371fbb0067f1052798ce3601,https://www.virustotal.com/gui/file/e5e53392b29b74545e463b65052e0b6b07e8299d709f07501fb0f31b97a679ab/details;https://www.virustotal.com/gui/file/a278d5604a93e93a5580845da93af6c316a37a4cd35c1fc9348958ae1bebdb90/details;https://www.virustotal.com/gui/file/104ca4690b0ff17eb55e1330c5baf5580a731b6834f0716c483e646d6030855c/relations;https://www.virustotal.com/gui/file/010f55aef8ccba2ea1307d934decd577a08fa21547d1db30e01f3ae5ff1cce07/relations,HijackLibs/yml/3rd_party/icq/skinutils.yml
ci.dll,C:\Program Files\Digiarty\WinX Blu-ray Decrypter*;C:\Windows\System32*,C:\Program Files\Digiarty\WinX Blu-ray Decrypter\WinX Blu-ray Decrypter.exe,Sideloading,1fd92aa46464f8453e33dc7461f80ee7b441f9042e9d0110086226c5f725bd9f,https://www.virustotal.com/gui/file/2560b7390da7c7a1d92050d9c1f5e3a8025cd35fff5360fe73583b5e3f48731e;https://www.virustotal.com/gui/file/ae2453d0e03d72759d5239dcfe9518d6a721319006613a41f8bb53d37d4d1391/details;https://www.virustotal.com/gui/file/7306316b53f915aaff06f00896829884db857b7e5c2747188ae080cad5b8c0e1,HijackLibs/yml/3rd_party/digiarty/ci.yml
qtgui4.dll,C:\Program Files\Audacity*;C:\Program Files\AOMEI\AOMEI Backupper\*,C:\Program Files\Audacity\crashreporter.exe,Sideloading,51de0b104e9ced3028a41d01dedf735809eb7f60888621027c7f00f0fcf9c834,https://www.virustotal.com/gui/file/dbdf5e11ec81ed1d941ec16fc7b94ab65f814ceb1e7fb524f2c64cbb422f7382/details;https://forum.eset.com/topic/44610-im-afraid-i-did-something-stupid-and-im-usually-very-careful-i-keep-getting-an-address-has-been-blocked-message/page/2/,HijackLibs/yml/3rd_party/qt/qtgui4.yml
qt5core.dll,C:\Program Files\Electronic Arts\EA Desktop\EA Desktop*;C:\Program Files\Microsoft Onedrive\*;C:\Users\*\AppData\Local\Microsoft\Onedrive\*;C:\Program Files\Dropbox\Client\*;C:\Program Files\LogiOptionsPlus*,C:\Program Files\Electronic Arts\EA Desktop\EA Desktop\EASteamProxy.exe,Sideloading,4e775b5fafb4e6d89a4694f8694d2b8b540534bd4a52ff42f70095f1c929160e,https://www.virustotal.com/gui/file/2251e6582a12427b9b70d0e9ec7c8c27debe22b0a08b6ff6be46f4fb8914338c;https://www.virustotal.com/gui/file/173e138d5cf12f7eb55a67bcf3afc97ac1d7598fe4290ca4f125f28692e90fed,HijackLibs/yml/3rd_party/qt/qt5core.yml
qt5network.dll,C:\Program Files\LSoft Technologies\Active@ Data Studio*;C:\Program Files\LSoft Technologies\Active@ File Recovery*;C:\Program Files\LSoft Technologies\Active@ Disk Editor*;C:\Program Files\LSoft Technologies\Active@ Password Changer*;C:\Program Files\LSoft Technologies\Active@ ISO Manager*;C:\Program Files\LSoft Technologies\Active@ UNERASER*;C:\Program Files\LSoft Technologies\Active@ KillDisk 25*;C:\Program Files\LSoft Technologies\Active@ UNDELETE*;C:\Program Files\LSoft Technologies\Active@ Disk Monitor*;C:\Program Files\LSoft Technologies\Active@ Partition Manager*,C:\Program Files\LSoft Technologies\Active@ Password Changer\PasswordChanger.exe,Sideloading,6f7f390b2012e7dfef9fcbd673a4a0256e2e217b11831e9a27a9d460ba57c0d2,https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/;https://www.virustotal.com/gui/file/dc36a3d95d9a476d773b961b15b188aa3aae0e0a875bca8857fca18c691ec250,HijackLibs/yml/3rd_party/qt/qt5network.yml
register.dll,C:\Program Files\IObit\Driver Booster\*,C:\Program Files\IObit\Driver Booster\*\DriverBooster.exe,Sideloading,8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473,https://www.virustotal.com/gui/file/0500e5ad7e344d32ee26da988aeb30f6344a0c89a68eacce5d6a5683d1fee0e1/relations;https://www.virustotal.com/gui/file/cdfe0f80cd3dc1914c7ad1a6305c0c1116168a37c5cfe8ff51650e2ac814b818/details,HijackLibs/yml/3rd_party/iobit/register.yml
epnsm.dll,C:\Program Files\Epson Software\Document Capture Server*;C:\Program Files\Epson Software\Event Manager*,C:\Program Files\Epson Software\Document Capture Server\EEventManager.exe,Sideloading,88760201ada655d230fb40988bb50fdd46b152c9407565d0a4081d4540c0ac01,https://www.virustotal.com/gui/file/d70cd4df89b101f34ea6b17bc07a88b096bae2220fb04e200443b09a2b681091/relations;https://www.virustotal.com/gui/file/8313f3970982cbd425a0c769c8a690fef456d31d321c7de1e588e572948afed9/details,HijackLibs/yml/3rd_party/seiko/epnsm.yml
basicnetutils.dll,C:\Users\*\AppData\Local\Temp\*\Application2*;C:\Program Files\BAIDU\BAIDUPINYIN\*,C:\Users\*\AppData\Local\Temp\*\Application2\XLGameUpdate.exe,Sideloading,769d59d03036af86c7a9950f03ebc7b693a94d3e2f8ecd1d74cf5600ab948105,https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/;https://www.welivesecurity.com/2023/03/16/not-so-private-messaging-trojanized-whatsapp-telegram-cryptocurrency-wallets/,HijackLibs/yml/3rd_party/baidu/basicnetutils.yml
avutil.dll,C:\Program Files\VSO\ConvertX\7*;C:\Program Files\VSO\convertXtoDVD*;C:\Program Files\Common Files\Oracle\Java\javapath*,C:\Program Files\VSO\ConvertX\7\ConvertXToDVD.exe,Sideloading,ba4612db8ce37b8e64d163a4c8e236b0ad2ddc223b91383f270924846394bf95;7dd16890875b1bd76d94fcea709019f1125c7eb1ffd7203ff5436ac1f7430bac,https://twitter.com/Tac_Mangusta/status/1807778398887928313;https://www.joesandbox.com/analysis/1357123/0/html,HijackLibs/yml/3rd_party/vsosoftware/avutil.yml
tmdbglog.dll,C:\Program Files\Trend Micro\Titanium*,PtWatchDog.exe,Sideloading,75f2e752983a9f46082e7b35820f23db577a5aff9ad946b05b0d3871a9df686b,https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/,HijackLibs/yml/3rd_party/trendmicro/tmdbglog.yml
utiluniclient.dll,,C:\Program Files\trend micro\amsp\coreserviceshell.exe,Phantom,,https://safebreach.com/blog/2019/trend-micro-security-16-dll-search-order-hijacking-and-potential-abuses/,HijackLibs/yml/3rd_party/trendmicro/utiluniclient.yml
tmtap.dll,,C:\Program Files\trend micro\passwordmanager\pwmsvc.exe,Phantom,,https://medium.com/@infiniti_css/trend-micro-password-manager-dll-hijack-fa839acaad59,HijackLibs/yml/3rd_party/trendmicro/tmtap.yml
siteadv.dll,C:\Program Files\SiteAdvisor\*,sideadv.exe,Sideloading,d3a50abae9ab782b293d7e06c7cd518bbcec16df867f2bdcc106dec1e75dc80b,https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf;https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/,HijackLibs/yml/3rd_party/mcafee/siteadv.yml
lockdown.dll,C:\Program Files\McAfee\VirusScan Enterprise*,mfeann.exe,Sideloading,07bbd8a80b5377723b13dbb40a01ca44cbc203369f5e5652a25b448e27ca108c,https://twitter.com/thepacketrat/status/1520878930449817600;https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/,HijackLibs/yml/3rd_party/mcafee/lockdown.yml
ashldres.dll,C:\Program Files\McAfee.com\VSO*,mcvsshld.exe,Sideloading,4512d852cad65ab6bee423619ed32188e444ee5518f51adc5502961724af62e7,https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-rotten-tomato-campaign.pdf,HijackLibs/yml/3rd_party/mcafee/ashldres.yml
mcutil.dll,C:\Program Files\McAfee Inc.\McAfee Total Protection 2009*,mcoemcpy.exe,Sideloading,3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe,https://www.virustotal.com/gui/file/3bcb28d19a779b6da0c42c1506cd1908f9bcceeffff45f572677e032551f9a96/relations;https://www.virustotal.com/gui/file/b0263de0622050091a0fbf06428229e5da291b87926ca29c8ee3b01a2a514e4f/detection;https://web-assets.esetstatic.com/wls/2018/03/ESET_OceanLotus.pdf;https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders,HijackLibs/yml/3rd_party/mcafee/mcutil.yml
vsodscpl.dll,C:\Program Files\McAfee\VirusScan Enterprise*,scncfg32.exe,Sideloading,8374046690b8bb2468cfa636ebbe731ea79103825d2450057338214d3112909f,https://eiploader.wordpress.com/2011/03/28/digitally-signed-malware-without-stealing-certificates/,HijackLibs/yml/3rd_party/mcafee/vsodscpl.yml
libsqlite3-0.dll,C:\Program Files*,C:\Program Files\FileZilla FTP Client\filezilla.exe,Sideloading,ab3a652984d875269b7e7487d38852cd8301d5d4c57030b9640f097549fd6d8b,https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/;https://www.virustotal.com/gui/file/506ab08d0a71610793ae2a5c4c26b1eb35fd9e3c8749cd63877b03c205feb48a/details,HijackLibs/yml/3rd_party/sqlite/libsqlite3-0.yml
smadhook32c.dll,C:\Program Files\Smadav*,C:\Program Files\Smadav\SmadHook.exe,Sideloading,4f54a6555a7a3bec84e8193d2ff9ae75eb7f06110505e78337fa2f515790a562,https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/,HijackLibs/yml/3rd_party/smadav/smadhook32c.yml
mfcu100u.dll,C:\Program Files\TechSmith\Camtasia Studio 8*,C:\Program Files\TechSmith\Camtasia Studio 8\CamMenuMaker.exe,Sideloading,88a1f9a40eb7ece8999092b2872b6afde0fb3776e29384c5b00631bb0fca34d1,https://www.virustotal.com/gui/file/73670defa750d0a09470356279494a0c947245229d283c42e7ef0f2b8427b847,HijackLibs/yml/3rd_party/techsmith/mfcu100u.yml
common.dll,C:\Program Files\iroot*,C:\Program Files\iroot\romasterconnection.exe,Sideloading,12cbaa57e3241d9f997c41a171ff40cf37ee8ab421fa1f35d2354891bf51815c,https://www.herdprotect.com/romasterconnection.exe-61602b5ec9ff4f651e87c9c4a15a7e4cc7c733aa.aspx;https://www.virustotal.com/gui/file/5aef5d7e917612b6390904f6468c3d0dbcf30345277b3ad0fe79e62fa8003c5b,HijackLibs/yml/3rd_party/iroot/common.yml
vivaldi_elf.dll,C:\Users\*\AppData\Local\Vivaldi\Application*;C:\Users\*\AppData\Local\Vivaldi\Application\*;C:\Users\*\AppData\Local\Programs\Vivaldi\Application\*,C:\Users\*\AppData\Local\Vivaldi\Application\vivaldi.exe,Sideloading,58e7af5eb1acb5c9bee821d59054c69263aed3dce1b95616255dea7114ad8494,https://securityintelligence.com/posts/vizom-malware-targets-brazilian-bank-customers-remote-overlay/;https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/,HijackLibs/yml/3rd_party/vivaldi/vivaldi_elf.yml
corefoundation.dll,C:\Program Files\Common Files\Apple\Apple Application Support*;C:\Program Files\iTunes*;C:\Windows\System32*,C:\Program Files\iTunes\ituneshelper.exe,Sideloading,0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda,https://analyze.intezer.com/analyses/82011cc1-c3df-4c63-9945-8730b0d1cf3e;https://www.virustotal.com/gui/file/ff5e56c20591a9019eb28b3cab88f5a240657c1c360bf01ad3a6d417fa10b7f5;https://www.joesandbox.com/analysis/1394928/0/html;https://discussions.apple.com/thread/2732037?sortBy=best;https://iosninja.io/dll/download/corefoundation-dll,HijackLibs/yml/3rd_party/apple/corefoundation.yml
log.dll,C:\Program Files\Bitdefender Antivirus Free*,C:\Program Files\Bitdefender Antivirus Free\BDReinit.exe,Sideloading,386EB7AA33C76CE671D6685F79512597F1FAB28EA46C8EC7D89E58340081E2BD,https://www.secureworks.com/research/shadowpad-malware-analysis;https://www.hexacorn.com/blog/2023/02/25/beyond-good-ol-run-key-part-141/,HijackLibs/yml/3rd_party/bitdefender/log.yml
winutils.dll,C:\Program Files\Palo Alto Networks\Traps*,C:\Program Files\Palo Alto Networks\Traps\cydump.exe,Sideloading,4874d336c5c7c2f558cfd5954655cacfc85bcfcb512a45fb0ff461ce9c38b86d,https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/;https://security.paloaltonetworks.com/PAN-SA-2023-0002,HijackLibs/yml/3rd_party/paloalto/winutils.yml
madhcnet32.dll,C:\Program Files\Multimedia\K-Lite Codec Pack\Filters\madVR*;C:\Program Files\K-Lite Codec Pack\Filters\madVR*,C:\Program Files\K-Lite Codec Pack\Filters\madVR\madHcCtrl.exe,Sideloading,69a90665113bd73b30360d87f7f6ed2c789a90a67f3b6e86474e21273a64f699,https://www.virustotal.com/gui/file/d98677d4cf165a8885dc16e8a8411b36bfe39b10e188c6277253173b3ff73346/relations,HijackLibs/yml/3rd_party/systemsoftwaremathiasrauen/madhcnet32.yml
classicexplorer32.dll,C:\Program Files\Classic Shell*;C:\Program Files\Open-Shell*,ClassicExplorerSettings.exe,Sideloading,b44cc792ae7f58e9a12a121c14a067ee1dd380df093339b4bf2b02df5937b2af,https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets,HijackLibs/yml/3rd_party/classicshell/classicexplorer32.yml
tbb.dll,C:\Program Files\Adobe\Adobe Photoshop CC *,C:\Program Files\Adobe\Adobe Photoshop CC *\AGF3DPrinterDriver.exe,Sideloading,6a7a23891816196fa6a6966886bc14edf6cd1f1cc9d865e8dbed8b59adc7c7c2,https://www.virustotal.com/gui/file/d6ca9b88d5eb884a761a068700b8bbb509b01bba322ce6086e500e4e6f332adf/detection,HijackLibs/yml/3rd_party/intel/tbb.yml
rzlog4cpp_logger.dll,C:\Users\*\AppData\Local\razer\InGameEngine\cache\RzFpsApplet*,C:\Users\*\AppData\Local\razer\InGameEngine\cache\RzFpsApplet\RzCefRenderProcess.exe,Sideloading,fb5edfcba99e2df2b7f6f40e8615f5cb247803180464e584161c7c91405aae4a,https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia;https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/,HijackLibs/yml/3rd_party/razer/rzlog4cpp_logger.yml
x32bridge.dll,,x32dbg.exe,Sideloading,ec5cf913773459da0fd30bb282fb0144b85717aa6ce660e81a0bad24a2f23e15,https://www.trendmicro.com/en_th/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html;https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/?cmp=30728;https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/,HijackLibs/yml/3rd_party/x64dbg/x32bridge.yml
avupdate.dll,C:\Program Files\Confer\scanner\upd.exe*,C:\Program Files\Confer\scanner\upd.exe,Sideloading,3dfae7b23f6d1fe6e37a19de0e3b1f39249d146a1d21102dcc37861d337a0633,https://blackpointcyber.com/resources/blog/qilin-ransomware-and-the-hidden-dangers-of-byovd/,HijackLibs/yml/3rd_party/carbonblack/avupdate.yml
dal_keepalives.dll,C:\Program Files\audinate\shared files*,C:\Program Files\audinate\shared files\mDnsResponder.exe,Sideloading,8360c2391f373c9de46c5b37fef952c2309be34e62127777ad7358ddb1d437ff,https://research.checkpoint.com/2023/stayin-alive-targeted-attacks-against-telecoms-and-government-ministries-in-asia/;https://www.cisa.gov/news-events/alerts/2025/02/06/cisa-adds-five-known-exploited-vulnerabilities-catalog;https://www.virustotal.com/gui/file/d4bd89ff56b75fc617f83eb858b6dbce7b36376889b07fa0c2417322ca361c30,HijackLibs/yml/3rd_party/audinate/dal_keepalives.yml
ciscosparklauncher.dll,C:\Users\*\AppData\Local\CiscoSparkLauncher*;C:\Users\*\AppData\Local\Programs\Cisco Spark*;C:\Program Files\Cisco Spark*,CiscoCollabHost.exe,Sideloading,15bb2d1e81a75a92d0012dcbf47686fa2ab10f2174cda36d7c4b03bfb72313b7;7b301cea1feff0add8de512a93ed7bc1b8330caf0c3a6f1585f9887b88db8efb,https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/;https://www.joesandbox.com/analysis/279535/0/html,HijackLibs/yml/3rd_party/cisco/ciscosparklauncher.yml
wcldll.dll,C:\Program Files\Cisco Systems\Cisco Jabber*;C:\Program Files\Webex\Applications*;C:\Program Files\Webex\Plugins*,C:\Program Files\Webex\Applications\ptInst.exe,Sideloading,bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5,https://www.virustotal.com/gui/file/26227914bdad9baf491a9b966e6301fc997cff35c677dcfd9628654f4f6bc9fc/relations;https://www.virustotal.com/gui/file/fa1443219f210bdcf3a25b311342851f61378536eb11810366468156fbd5c051,HijackLibs/yml/3rd_party/cisco/wcldll.yml
amindpdfcore.dll,C:\Program Files\GeekerPDF\GeekerPDF*,C:\Program Files\GeekerPDF\GeekerPDF\GeekerPDF.exe,Sideloading,107ba73ae05ec6ba6d814665923191f14757015557eeeff16206cc957da29be3,https://www.virustotal.com/gui/file/78a60bea5693138c771386b8c22f0adfe6765a6313b80488bd1084bc9ed370bd,HijackLibs/yml/3rd_party/amindpdf/amindpdfcore.yml
glib-2.0.dll,C:\Program Files\VMware\VMware Tools*;C:\Program Files\VMware\VMware Workstation*;C:\Program Files\VMware\VMware Player*,C:\Program Files\VMware\VMware Tools\VMwareXferlogs.exe,Sideloading,935e10f5169397a67f4c36bffbc3ba46c3957b7521edd3fa83bd975157b79bd8,https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/,HijackLibs/yml/3rd_party/vmware/glib-2.0.yml
shfolder.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\VMNat.exe,Sideloading,,https://twitter.com/dissectmalware/status/978017957480628226,HijackLibs/yml/3rd_party/vmware/shfolder.yml
vmtools.dll,C:\Program Files\VMware\VMware Tools*;C:\Program Files\VMware\VMware Workstation*;C:\Program Files\VMware\VMware Player*,C:\Program Files\VMware\VMware Tools\rvmSetup.exe,Sideloading,0e6f5eaa2cd91747213f6aec05e3de6fb46ea2b7cf4d5f3ac267128abc784d00,https://www.virustotal.com/gui/file/a3d340480fc015cd7c548fccad9218222c37178af95727b612d768d8e4b24964/details,HijackLibs/yml/3rd_party/vmware/vmtools.yml
cc32290mt.dll,C:\Program Files\Ahnenblatt4\Ahnenblatt4.exe*,C:\Program Files\Ahnenblatt4\Ahnenblatt4.exe,Sideloading,8f4f53bc02348a549f3437444aacec43eae5f90875ea3c5ec96600ba1cb4a061,https://www.virustotal.com/gui/file/dab744a533bcbc4a2d3f19a54694ceb00587a0ce68d046ca9085d5013321ea5a,HijackLibs/yml/3rd_party/ahnenblatt/cc32290mt.yml
opera_elf.dll,C:\Users\*\AppData\Local\Programs\Opera\*;C:\Users\*\AppData\Local\Programs\Opera GX\*;C:\Program Files\Opera\*,C:\Users\*\AppData\Local\programs\opera\*\opera.exe,Sideloading,97b2a5f2a7e7b8048162ef93c932e0ffafdd875d54c026524fc3e340d70e4991,https://twitter.com/ShitSecure/status/1566127363389329412,HijackLibs/yml/3rd_party/opera/opera_elf.yml
jli.dll,C:\Program Files\Java\*\bin*;C:\Program Files\*\jre\bin*;C:\Users\*\AppData\Local\Temp\*\bin*,C:\Program Files\Java\*\bin\jsadebugd.exe,Sideloading,76618263ac3d71779c18526c5ecc75a025ad0c78212b6a2bc089b22a1b8ca567,https://lab52.io/blog/snake-keylogger-in-geopolitical-affairs-abuse-of-trusted-java-utilities-in-cybercrime-operations/;https://www.virustotal.com/gui/file/18e3d1542d9d375f2e1d4631e03e9874fca9a1655ee6d01121d0c94e138be174;https://securelist.com/apt41-in-africa/116986/;https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting,HijackLibs/yml/3rd_party/oracle/jli.yml
qtcorevbox4.dll,C:\Program Files\Oracle\VirtualBox*,C:\Program Files\Oracle\VirtualBox\VBoxTestOGL.exe,Sideloading,e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f,https://asec.ahnlab.com/en/58319/;https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd;https://www.virustotal.com/gui/file/a6e6b1a47021fa1e4d36b047f5326eb04d5f545907fc6ac3730162a07cc792ff,HijackLibs/yml/3rd_party/oracle/qtcorevbox4.yml
launcher.dll,C:\Program Files\SQL Developer\ide\bin*;C:\Program Files\sqldeveloper\ide\bin*,C:\Program Files\SQL Developer\sqldeveloper.exe,Search Order,8ceb437a7a38f035587d2e67a2e9d231552680ac34822f9d9e61b7b978160741,https://www.virustotal.com/gui/file/c3b48c62b34510e2328b790f9fabed994a91998f36c0c40bcf628b93f40d8ae5/relations,HijackLibs/yml/3rd_party/oracle/launcher.yml
vboxrt.dll,C:\Program Files\Oracle\VirtualBox*,C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe,Sideloading,448402c129a721812fa1c5f279f5ca906b9c8bbca652a91655d144d20ce5e6b4,https://asec.ahnlab.com/en/58319/;https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd,HijackLibs/yml/3rd_party/oracle/vboxrt.yml
keyscramblerie.dll,C:\Program Files\KeyScrambler*,C:\Program Files\KeyScrambler\KeyScrambler.exe,Sideloading,f1575259753f52aaabbd6baad3069605d764761c1da92e402f3e781ed3cf7cea;fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1,https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html;https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/;https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/;https://twitter.com/Max_Mal_/status/1775222576639291859;https://twitter.com/DTCERT/status/1712785426895839339;https://www.virustotal.com/gui/file/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/details;https://www.virustotal.com/gui/file/9cfdc3fe2a10fe2b514fc224c9c8740e1de039d90b9c17f85b64ff29d4a4ebb1,HijackLibs/yml/3rd_party/qfx/keyscramblerie.yml
nvsmartmax.dll,C:\Program Files\NVIDIA Corporation\Display*,C:\Program Files\NVIDIA Corporation\Display\nvSmartEx.exe,Sideloading,523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256,https://www.cybereason.com/blog/research/deadringer-exposing-chinese-threat-actors-targeting-major-telcos;https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf,HijackLibs/yml/3rd_party/nvidia/nvsmartmax.yml
libcef.dll,C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience*,%Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDA Share.exe,Sideloading,f1e2f82d5f21fb8169131fedee6704696451f9e28a8705fca5c0dd6dad151d64,https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html;https://analyze.intezer.com/analyses/93e92d7a-9a46-4c1c-8ac0-87b4453beeb8;https://www.virustotal.com/gui/file/64d0fc47fd77eb300942602a912ea9403960acd4f2ed33a8e325594bf700d65f;https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/,HijackLibs/yml/3rd_party/nvidia/libcef.yml
webui.dll,C:\Program Files\iTop Screen Recorder*,C:\Program Files\iTop Screen Recorder\iScrPaint.exe,Sideloading,46afbf1cbd2e1b5e108c133d4079faddc7347231b0c48566fd967a3070745e7f,https://www.virustotal.com/gui/file/063d2c12aa8316b242c5beb9dbbf934be7cee9df93b1612de9aa2f1f3084f0da/relations;https://www.virustotal.com/gui/file/521c0de9a7b2db7d9a65b443dd630a28e2b4e33f8c56336e7630c646aa2cf280/detection,HijackLibs/yml/3rd_party/itop/webui.yml
rtl120.dll,C:\Program Files\DualSafe Password Manager*,C:\Program Files\DualSafe Password Manager\DPMInit.exe,Sideloading,26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616,https://www.virustotal.com/gui/file/0e93a41edf1ca3e1723e5e0d73f3e0f54d6d672606b9dc0cda745f87e3fd0339/relations;https://www.virustotal.com/gui/file/6028d64b53880676fcd62b445fd71952f9141b8ac0e60329b15cf9e04e437cea/details,HijackLibs/yml/3rd_party/itop/rtl120.yml
mfc140u.dll,C:\Program Files\CheckMAL\AppCheck*,C:\Program Files\CheckMAL\AppCheck\AppCheck.exe,Sideloading,ea987229c8d4e647e0b5a0d6dd08cce9d15e78f74cb5fb5c86a7e9ea6a5ecc82,https://www.virustotal.com/gui/file/c4c85e98452094c8bd395b19c2afe283a50cdbb651e51e09d3f7b0dfa35fda65/details,HijackLibs/yml/3rd_party/checkmal/mfc140u.yml
libvlc.dll,C:\Program Files\VideoLAN\VLC*,C:\Program Files\VideoLAN\VLC\vlc.exe,Sideloading,6f924de3f160984740fbac66cf9546125330fc00f4f5d2dbf05601d9d930b7d9,https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/;https://www.microsoft.com/en-us/security/blog/2018/11/08/attack-uses-malicious-inpage-document-and-outdated-vlc-media-player-to-give-attackers-backdoor-access-to-targets/,HijackLibs/yml/3rd_party/vlc/libvlc.yml
libvlccore.dll,C:\Program Files\VideoLAN\VLC*,C:\Program Files\VideoLAN\VLC\vlc.exe,Sideloading,1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937,https://asec.ahnlab.com/en/58319/;https://www.virustotal.com/gui/file/33c08eeaff6e9aa686a14144cb84d1895f260d28b767a0d2a10dbe427a65d7c0,HijackLibs/yml/3rd_party/vlc/libvlccore.yml
rastls.dll,C:\Program Files\Symantec\Network Connected Devices Auto Setup*;C:\Windows\System32*,C:\Program Files\Symantec\Network Connected Devices Auto Setup\rastlsc.exe,Sideloading,f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68,https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf;https://vms.drweb.com/virus/?i=21995051;https://www.hexacorn.com/blog/2023/02/25/beyond-good-ol-run-key-part-141/,HijackLibs/yml/3rd_party/symantec/rastls.yml
shellsel.ocx,,symantec.exe,Sideloading,61d1943f0b702f4c16bb37228ade1d8f0ef4675b480921950d026c82e4a65fde,https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/;https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/,HijackLibs/yml/3rd_party/symantec/shellsel.yml
ldvpocx.ocx,C:\Program Files\Symantec_Client_Security\Symantec AntiVirus*;C:\Program Files\Symantec AntiVirus*,C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\ldvpreg.exe,Sideloading,61d1943f0b702f4c16bb37228ade1d8f0ef4675b480921950d026c82e4a65fde,https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox;https://github.com/RedDrip7/APT_Digital_Weapon/blob/master/APT27/APT27_hash.md;https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/,HijackLibs/yml/3rd_party/symantec/ldvpocx.yml
sqlite.dll,C:\Program Files\Adobe\Acrobat Reader DC\Reader*;C:\Program Files\Adobe\Acrobat DC\Acrobat*,C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe,Sideloading,1f64f01063b26bf05d4b076d54816e54dacd08b7fd6e5bc9cc5d11a548ff2215,https://asec.ahnlab.com/en/58319/;https://www.virustotal.com/gui/file/802bad293e5d5e75ffac3df3dd5301315a886534011871275a1b41c9cec1f298,HijackLibs/yml/3rd_party/adobe/sqlite.yml
acrodistdll.dll,C:\Program Files\Adobe\Acrobat *\Acrobat*,C:\Program Files\Adobe\Acrobat *\Acrobat\AcroDist.exe,Sideloading,01b68a0c13032bb59f262ed94d2daf85e50fad7a1502a3097029b66b7eb4f903,https://go.recordedfuture.com/hubfs/reports/cta-2022-1223.pdf,HijackLibs/yml/3rd_party/adobe/acrodistdll.yml
vcomp100.dll,,C:\Program Files\Adobe\Adobe Photoshop *\convert.exe,Sideloading,db2457caa1ccd65e63718b9e28789a12e17bc7a038975fba4f07dcd9f38e7016,https://www.virustotal.com/gui/file/0ab581841cc19922d424dbc518d279070ea75ec2983334ba1b74c16ca5729bc1/relations;https://www.virustotal.com/gui/file/5a5e1142b50096e3af0f9079c45c84f8a6ca1be60e45dbc489327a2632d73fd5/details,HijackLibs/yml/3rd_party/adobe/vcomp100.yml
tts.dll,C:\Program Files\Soundpad*,C:\Program Files\Soundpad\Soundpad.exe,Sideloading,9B17717DFC9852E2C7B730CCE4B8058528667D0B484BB936D3CE07B66AB50D72,https://www.virustotal.com/gui/file/9f45aadddaae7ad3076e0591fa4ccce302248c079dc07f5c9e3da788bdae0292/relations;https://www.virustotal.com/gui/file/af328ef3ae2c81a0ad5937cb186bb45d3190dbee390e180240e0a0218a1bce98,HijackLibs/yml/3rd_party/leppsoft/tts.yml
mozglue.dll,C:\Program Files\SeaMonkey*;C:\Program Files\Mozilla Firefox*;C:\Program Files\Mozilla Thunderbird*,C:\Program Files\SeaMonkey\seamonkey.exe,Sideloading,,https://twitter.com/SBousseaden/status/1530595156055011330,HijackLibs/yml/3rd_party/mozilla/mozglue.yml
asfbncor.dll,C:\Program Files\Replay Media Splitter*,C:\Program Files\Replay Media Splitter\ReplayMediaSplitter.exe,Sideloading,74b86605a3a2100a9c80bfabc84d22f69b2123ae0a942a1b9a3c4ed050186e0c,https://www.virustotal.com/gui/file/d1d824fc5f3354f68324a319026d089926655b6ce25538279e26c0986374026b/relations,HijackLibs/yml/3rd_party/radioactive/asfbncor.yml
iepdf32.dll,C:\Program Files\Handy Viewer*,C:\Program Files\Handy Viewer\hv.exe,Sideloading,6d8905ec0b1dfdc0a10d1cce40714ddd73205a09ad390b933ddbecdcf06a4cf2,https://www.virustotal.com/gui/file/b748e5dc64f5ece1b256705b7365a89b3be9284587da5f3abbde4be78864867e/relations;https://www.virustotal.com/gui/file/030ca3bb54a276eea7cdf69d90d04b58a4fa500396e94340895f923d87dc169a/relations,HijackLibs/yml/3rd_party/handysoftware/iepdf32.yml
libglib-2.0-0.dll,C:\Program Files\Wireshark*,C:\Program Files\Wireshark\Mergecap.exe,Sideloading,ac7a321a7b00b4adb5863b9a7e91e69afe9ce1953317234a2bd1bee97de744da,https://asec.ahnlab.com/en/58319/;https://www.virustotal.com/gui/file/fcb0272d586fff854ce9b329fbbba26902984a112a1afe96a149dbb2011ad289,HijackLibs/yml/3rd_party/wireshark/libglib-2.0-0.yml
libwsutil.dll,C:\Program Files\Wireshark*,C:\Program Files\Wireshark\Mergecap.exe,Sideloading,ac7a321a7b00b4adb5863b9a7e91e69afe9ce1953317234a2bd1bee97de744da,https://asec.ahnlab.com/en/58319/;https://www.virustotal.com/gui/file/fcb0272d586fff854ce9b329fbbba26902984a112a1afe96a149dbb2011ad289;https://www.virustotal.com/gui/file/e91c4f990c1b0b58d69f3c3e80916463e5cc87011fd418d610c5264f7d5ecc9b,HijackLibs/yml/3rd_party/wireshark/libwsutil.yml
vstdlib_s64.dll,C:\Program Files\Steam*,C:\Program Files\Steam\steamerrorreporter64.exe,Sideloading,0a0c09753b5103e86e32c2d8086dd1399f0d97a00e1525ec9c390067cdb242ba,https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-09-19-IOCs-for-file-downloader-to-Lumma-Stealer.txt;https://twitter.com/Unit42_Intel/status/1837137726409158770,HijackLibs/yml/3rd_party/valve/vstdlib_s64.yml
chrome_frame_helper.dll,C:\Users\*\AppData\Local\Google\Chrome\Application*;C:\Program Files\Google\Chrome\Application*,chrome_frame_helper.exe,Sideloading,f95d0ab23f95e169cd2c613a4b8dde731ca6031c5ae11ebf0bdc034db3cc30cd,https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/,HijackLibs/yml/3rd_party/google/chrome_frame_helper.yml
fnp_act_installer.dll,C:\Program Files\InstallShield\*\System*,C:\Program Files\InstallShield\*\System\TSConfig.exe,Sideloading,b5f9377bd27fcf48fb3d81d0196021681739f42a198e8340c27d55192d4bd3ac,https://asec.ahnlab.com/en/58319/;https://www.virustotal.com/gui/file/e7b69768215453b2c648d7060161ce9b9eaf1ace631eb2ac11b60a7195e2263e;https://app.any.run/tasks/faf0d668-7e06-4b1c-922b-2bb3a9d81dae,HijackLibs/yml/3rd_party/flexera/fnp_act_installer.yml
python39.dll,C:\Program Files\Python39*;C:\Users\*\AppData\Local\Temp\*;C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\VC\SecurityIssueAnalysis\python*;C:\Users\*\anaconda3*,python39.exe,Sideloading,,https://twitter.com/SBousseaden/status/1530595156055011330,HijackLibs/yml/3rd_party/python/python39.yml
python311.dll,C:\Program Files\Python311*;C:\Users\*\AppData\Local\Programs\Python\Python311*,pythonw.exe,Sideloading,24385D352B83222DC5AB92FA57B6649854ECD74DE378E279D8AC20A0B3B16009,https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/;https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/;https://www.virustotal.com/gui/file/9514035fea8000a664799e369ae6d3af6abfe8e5cda23cdafbede83051692e63;https://www.rapid7.com/blog/post/2024/05/13/ongoing-malvertising-campaign-leads-to-ransomware/,HijackLibs/yml/3rd_party/python/python311.yml
python310.dll,C:\Program Files\Python310*;C:\Users\*\AppData\Local\Temp\*;C:\Program Files\DWAgent\runtime*;C:\Users\*\anaconda3*,pythonw.exe,Sideloading,,https://www.virustotal.com/gui/file/115fba7a9ea7d2e38d042c7fa5f81209e0d712c107ceb2eafe2f27f94c8f6054/details,HijackLibs/yml/3rd_party/python/python310.yml
libxfont-1.dll,C:\Program Files\Mobatek\MobaXterm Personal Edition*;C:\Program Files\Mobatek\MobaXterm*,C:\Program Files\Mobatek\MobaXterm Personal Edition\MobaXterm.exe,Sideloading,35132e05638b942403b8a813925de7b54e2e2e35b6ba7a8a081e8b96edd4c0aa,https://www.virustotal.com/gui/file/b99bd7ffb7634749487570d0b3a7e423047de4ab13a10c2d912660aec322618e/details,HijackLibs/yml/3rd_party/mobatek/libxfont-1.yml
wxmsw313u_aui_vc_custom.dll,C:\Program Files\Audacity*,C:\Program Files\Audacity\audacity.exe,Sideloading,7677111340eea8915dd609236febf14f9a4d4416a2a33fd11daf505ab5bc7867,https://x.com/CyberRaiju/status/1914454438116540702,HijackLibs/yml/3rd_party/wxwidgets/wxmsw313u_aui_vc_custom.yml
providers.dll,,C:\Program Files\nodejs\node.exe,Phantom,,https://blog.aquasec.com/cve-2022-32223-dll-hijacking,HijackLibs/yml/3rd_party/npm/providers.yml
lmiguardiandll.dll,C:\Program Files\LogMeIn*;C:\Program Files\LogMeIn\x86*;C:\Program 
Files\LogMeIn\x64*,LMIGuardianSvc.exe,Sideloading,26C855264896DB95ED46E502F2D318E5F2AD25B59BDC47BD7FFE92646102AE0D,https://twitter.com/StopMalvertisin/status/1610961056163311619;https://blog.osarmor.com/311/lmiguardiansvc-exe-logmein-abused-to-sideload-malicious-dll/,HijackLibs/yml/3rd_party/logmein/lmiguardiandll.yml vntfxf32.dll,C:\Program Files\Venta\VentaFax & Voice*,C:\Program Files\Venta\VentaFax & Voice\spoololk.exe,Sideloading,390d75e6c7fc1cf258145dc712c1fac1eb183efccee1b03c058cec1d790e46b1,https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/,HijackLibs/yml/3rd_party/ventafax/vntfxf32.yml duilib_u.dll,C:\Program Files\AnyViewer*,SplashWin.exe,Sideloading,c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1,https://www.virustotal.com/gui/file/e770be8fba337cc01e24c7f059368526a804d2af64136a39bb84adeebcf9cfbc;https://bazaar.abuse.ch/sample/d99d382868e2e1191c2ac403d9985569d18e534883b3c64606d08847d68a96b6/;https://www.anyviewer.com/download.html,HijackLibs/yml/3rd_party/anyviewer/duilib_u.yml hpcustpartui.dll,C:\Program Files\HP*,HPCustParticUI.exe,Sideloading,8857232077b4b0f0e4a2c3bb5717fd65079209784f41694f8e1b469e34754cf6,https://www.trellix.com/en-us/about/newsroom/stories/research/operation-harvest-a-deep-dive-into-a-long-term-campaign.html;https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/,HijackLibs/yml/3rd_party/hp/hpcustpartui.yml hpqhvsei.dll,C:\Program 
Files\HP*,hpqhvind.exe,Sideloading,404c4ab8ea4d0c05ac78038a7addb045861706832ea3a51dec8c39cfc15017d3,https://www.secureworks.com/research/shadowpad-malware-analysis;https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/;https://www.hexacorn.com/blog/2023/02/25/beyond-good-ol-run-key-part-141/,HijackLibs/yml/3rd_party/hp/hpqhvsei.yml tpsvc.dll,C:\Program Files\VMWare\VMWare Tools*;C:\Program Files\Common Files\ThinPrint*,TPAutoConnect.exe,Sideloading,e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f,https://asec.ahnlab.com/en/58319/;https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd;https://www.virustotal.com/gui/file/a6e6b1a47021fa1e4d36b047f5326eb04d5f545907fc6ac3730162a07cc792ff,HijackLibs/yml/3rd_party/thinprint/tpsvc.yml avkkid.dll,C:\Program Files\G DATA\TotalSecurity\avkkid*,C:\Program Files\G DATA\TotalSecurity\avkkid\avkkid.exe,Sideloading,388b0714e2a8146c270afe6a4c80d109988ad8dc026a0f260b376d9c35a330ed,https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/;https://www.virustotal.com/gui/file/68eb5590d8ad952215cf54741b0ed6204c19bba4dcb8d704883e007f16de5028,HijackLibs/yml/3rd_party/gdata/avkkid.yml goopdate.dll,C:\Program Files\Dropbox\Update*;C:\Program Files\Dropbox\Update\*;C:\Users\*\AppData\Local\DropboxUpdate\Update*,DropboxUpdate.exe,Sideloading,47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc,https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders,HijackLibs/yml/3rd_party/dropbox/goopdate.yml safestore32.dll,C:\Program Files\Sophos\Sophos Anti-Virus*,C:\Program Files\Sophos\Sophos Anti-Virus\ssr32.exe,Sideloading,,https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf,HijackLibs/yml/3rd_party/sophos/safestore32.yml badata_x64.dll,C:\Program Files\True Burner*,C:\Program Files\True 
Burner\TrueBurner.exe,Sideloading,3e190f160218ad78c85c169dfd0828d36e4a366a3e2a61337391f0d7599a7558,https://www.virustotal.com/gui/file/9326dd40e37d720f15a0104f89d6e76eb7a75b6e1fad14018326dbaa01681e74/relations,HijackLibs/yml/3rd_party/glorylogic/badata_x64.yml vender.dll,C:\Program Files\ASUS\GPU TweakII*;C:\Program Files\ASUS\VGA COM\*,C:\Program Files\ASUS\GPU TweakII\ASUSGPUFanService.exe,Sideloading,00bfbbe6e9d0c54312de906be79cc1e9f18b2957856a1215eaff1ac7bb20e66f,https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/,HijackLibs/yml/3rd_party/asus/vender.yml asio.dll,C:\Program Files\ASUS\AXSP\*,C:\Program Files\ASUS\AXSP\4.02.12\atkexComSvc.exe,Sideloading,12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10,https://www.virustotal.com/gui/file/006f91524d53d483074335f74c2ca2c10cab9b64de86f6151eedfa53174434f2/relations;https://www.virustotal.com/gui/file/7f4689de97d97ddb6e788119ebf0dc3707c66f8216d7cbc79ea329d0c3df63bf/details,HijackLibs/yml/3rd_party/asus/asio.yml asus_wmi.dll,C:\Program Files\ASUS\AXSP\*,C:\Program Files\ASUS\AXSP\*\atkexComSvc.exe,Sideloading,12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10,https://www.virustotal.com/gui/file/006f91524d53d483074335f74c2ca2c10cab9b64de86f6151eedfa53174434f2/relations;https://www.virustotal.com/gui/file/7f4689de97d97ddb6e788119ebf0dc3707c66f8216d7cbc79ea329d0c3df63bf/details,HijackLibs/yml/3rd_party/asus/asus_wmi.yml quickdeskband.dll,,lenovodesk.exe,Sideloading,db0e5a869b63f4ee5ce17e58a35b42ecb9889f9ab4fb7d2d591ff029a0363751,https://twitter.com/StopMalvertisin/status/1722939123470848279;https://twitter.com/RexorVc0/status/1811280904662257907;https://mp.weixin.qq.com/s/IB2w86cXcpmGS8qrOnprKw,HijackLibs/yml/3rd_party/lenovo/quickdeskband.yml commfunc.dll,C:\Program Files\Lenovo\Communications 
Utility*,cammute.exe,Sideloading,457b71d3effea8ec517277d17cf35a0b775103e549c0a779c81ba4eb125503ba,https://blog.trendmicro.com/trendlabs-security-intelligence/new-wave-of-plugx-targets-legitimate-apps/,HijackLibs/yml/3rd_party/lenovo/commfunc.yml zlibwapi.dll,C:\Program Files\DS Clock*,C:\Program Files\DS Clock\dsclock.exe,Sideloading,f85ce4492e1354f8310027c5f70ef73aae654fcd8fd9a58034e4f82a41a9826b,https://twitter.com/malwrhunterteam/status/1859316170773397966;https://www.virustotal.com/gui/file/b8d38fc9f4560719fa64227e4b25b732b22602cb596d44cb38418a196c3340be;https://github.com/Still34/malware-lab/tree/main/reworkshop/2024-11-24,HijackLibs/yml/3rd_party/zlib/zlibwapi.yml mimetools.dll,C:\Program Files\Notepad++\plugins*;C:\Program Files\Notepad++\plugins\mimetools*,C:\Program Files\Notepad++\notepad++.exe,Sideloading,a41ecbdc16f1e893c5f40bae38174e14e3d969408b219f3f87fec2460d9fea40,https://twitter.com/Cryptolaemus1/status/1770507063816241440,HijackLibs/yml/3rd_party/notepad++/mimetools.yml qrt.dll,C:\Program Files\F-Secure\Anti-Virus*,qrtfix.exe,Sideloading,,https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/,HijackLibs/yml/3rd_party/f-secure/qrt.yml calibre-launcher.dll,C:\Program Files\Calibre2*,calibre.exe,Sideloading,735e7b33b97bff3cf6416ed3b8ed7213d7258eec05202cbf8f8f8002c6435fd1,https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders,HijackLibs/yml/3rd_party/calibre/calibre-launcher.yml eacore.dll,C:\Program Files\Electronic Arts\EA Desktop\EA Desktop*,C:\Program Files\Electronic Arts\EA Desktop\EA 
Desktop\EACoreServer.exe,Sideloading,2c24f443087674a64742d5e63f62b035102314d4431fdb336cbdcb68291454dd,https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/;https://x.com/FatzQatz/status/1883443770819248130;https://www.virustotal.com/gui/file/dc673d59a6a9df3d02e83fd03af80e117bea20954602ae416540870b1b3d13c4,HijackLibs/yml/3rd_party/electronicarts/eacore.yml krpt.dll,C:\Program Files\Kingsoft\WPS Office\*\office6*,C:\Program Files\Kingsoft\WPS Office\*\office6\wpp.exe,Sideloading,,https://www.virustotal.com/gui/file/4957a62e019c30c0a79e4d2d4dd854f6e8f6e0aadb606e157525d98ee0ac5096;https://www.virustotal.com/gui/file/57acd8566e6cc0526e99d0ba450c662b11a5f70b08bcfe0f326654d9f630a1f1,HijackLibs/yml/3rd_party/kingsoft/krpt.yml vftrace.dll,C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32*;C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x64*;C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent*,vf_host.exe,Sideloading,df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348,https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state?web_view=true;https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277b,HijackLibs/yml/3rd_party/cyberark/vftrace.yml mediainfo_i386.dll,C:\Program Files\MediaInfo*,C:\Program Files\MediaInfo\MediaInfo.exe,Sideloading,4fc64e114f80ce755040ac2891bd1fab0492a831177491f3fe1382adf94030f9,https://www.virustotal.com/gui/file/69d9667cfab126f1c473163771511602497e05a908b3dbeaa29d165af879da97,HijackLibs/yml/3rd_party/mediainfo/mediainfo_i386.yml libeay32.dll,C:\Program Files\PSPad editor*,C:\Program Files\PSPad 
editor\PSPad.exe,Sideloading,0a97c374a6cc14b54b01deb3be77b28e274ced8c0627efba6b84712284332a7a,https://asec.ahnlab.com/en/58319/;https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd;https://www.virustotal.com/gui/file/7add49ed95d6a9e90988dcbfc54cdb727e0c705e3d79879717849798354e3e25;https://www.virustotal.com/gui/file/a13c09f41979df8717a9d39e15e6ce960c1c4ba6af456a563fa3ff1b8b4d388c,HijackLibs/yml/3rd_party/pspad/libeay32.yml nlaapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/nlaapi.yml d3d9.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\magnify.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/d3d9.yml sppcext.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\phoneactivate.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/sppcext.yml cscui.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/cscui.yml xwizards.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\devicepairingwizard.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/xwizards.yml spectrumsyncclient.dll,C:\Windows\System32*,C:\Windows\System32\spectrum.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/spectrumsyncclient.yml defragproxy.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dfrgui.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/defragproxy.yml 
inproclogger.dll,C:\Windows\System32*,C:\Windows\System32\easpolicymanagerbrokerhost.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/inproclogger.yml uianimation.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\cloudnotifications.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/uianimation.yml sspicli.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\at.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/sspicli.yml msdrm.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\gamepanel.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/msdrm.yml winsta.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\change.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH;https://twitter.com/BSummerz/status/1716851156625105342,HijackLibs/yml/microsoft/built-in/winsta.yml msutb.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\ctfmon.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/msutb.yml dmenrollengine.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\deviceenroller.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dmenrollengine.yml 
applicationframe.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\applicationframehost.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/applicationframe.yml mintdh.dll,C:\Windows\System32*,C:\Windows\System32\applytrustoffline.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/mintdh.yml edputil.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\calc.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://twitter.com/Max_Mal_/status/1658566665003585545,HijackLibs/yml/microsoft/built-in/edputil.yml d3d10_1core.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\winsat.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/d3d10_1core.yml wptsextensions.dll,,C:\Windows\System32\svchost.exe,Phantom,,http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html,HijackLibs/yml/microsoft/built-in/wptsextensions.yml wdscore.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bootim.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH;https://www.hexacorn.com/blog/2023/12/30/1-little-known-secret-of-ieunatt-exe-on-win11/,HijackLibs/yml/microsoft/built-in/wdscore.yml execmodelproxy.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\calc.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/execmodelproxy.yml 
dui70.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bdeunlock.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dui70.yml hnetmon.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/hnetmon.yml wmiutils.dll,C:\Windows\System32\wbem*;C:\Windows\SysWOW64\wbem*,C:\Windows\System32\stordiag.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/wmiutils.yml wbemcomn.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\Wbem\WmiApSrv.exe,Search Order,,https://gist.github.com/v1stra/7a13f2a27a1c9b97778d12e13a3d53c2,HijackLibs/yml/microsoft/built-in/wbemcomn.yml winbrand.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bdehdcfg.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/winbrand.yml resutils.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dfsdiag.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/resutils.yml rasdlg.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\rasautou.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/rasdlg.yml 
pcaui.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\pcaui.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/pcaui.yml msacm32.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\osk.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/msacm32.yml propsys.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bootim.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/propsys.yml wkscli.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\djoin.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/wkscli.yml windows.ui.immersive.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dmnotificationbroker.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/windows.ui.immersive.yml faultrep.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\werfault.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/faultrep.yml umpdc.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\deviceenroller.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/umpdc.yml 
mpr.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bootcfg.exe,Sideloading,,https://wietze.github.io/blog/save-the-environment-variables;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/mpr.yml proximitycommon.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\proximityuxhost.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/proximitycommon.yml omadmapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\deviceenroller.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/omadmapi.yml apphelp.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\compmgmtlauncher.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/apphelp.yml npmproxy.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\apphostregistrationverifier.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/npmproxy.yml mfc42u.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\devicepairingwizard.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/mfc42u.yml wwapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/wwapi.yml 
cryptui.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certutil.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/cryptui.yml dot3cfg.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/dot3cfg.yml cscobj.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/cscobj.yml mprapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\rasautou.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/mprapi.yml whhelper.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/whhelper.yml wimgapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*;C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\arm64\DISM*,C:\Windows\System32\recoverydrive.exe,Sideloading,,https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/;https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/wimgapi.yml mpsvc.dll,C:\ProgramData\Microsoft\Windows Defender\Platform\*;C:\Program Files\Windows Defender\*,C:\ProgramData\Microsoft\Windows 
Defender\Platform\*\MsMpEng.exe,Sideloading,,https://www.mcafee.com/blogs/other-blogs/mcafee-labs/revil-ransomware-uses-dll-sideloading/;https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/;https://www.fortinet.com/blog/threat-research/dll-side-loading-technique-used-in-recent-kaseya-ransomware-attack,HijackLibs/yml/microsoft/built-in/mpsvc.yml wer.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dwwin.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/wer.yml iumsdk.dll,C:\Windows\System32*,C:\Windows\System32\bioiso.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/iumsdk.yml dsrole.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certutil.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dsrole.yml nlansp_c.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\ftp.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/nlansp_c.yml rsaenh.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\compmgmtlauncher.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/rsaenh.yml winsync.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\synchost.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/winsync.yml 
xpsservices.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\printfilterpipelinesvc.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/xpsservices.yml d3d10core.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\winsat.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/d3d10core.yml msedge.dll,C:\Program Files\Microsoft\Edge\Application\*;C:\Program Files\Microsoft\Edgewebview\Application\*;C:\Program Files\Microsoft\EdgeCore\*,C:\Program Files\Microsoft\Edge\Application\*\cookie_exporter.exe,Sideloading,,https://securelist.com/apt41-in-africa/116986/,HijackLibs/yml/microsoft/built-in/msedge.yml dpx.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\lpksetup.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/dpx.yml netjoin.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netdom.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/netjoin.yml winbio.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\securityhealthservice.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/winbio.yml ndfapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\msra.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/ndfapi.yml linkinfo.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/linkinfo.yml 
cryptdll.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\at.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/cryptdll.yml upshared.dll,C:\Windows\System32*,C:\Windows\System32\musnotification.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/upshared.yml xolehlp.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\msdtc.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/xolehlp.yml winnsi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/winnsi.yml eappprxy.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/eappprxy.yml bootmenuux.dll,C:\Windows\System32*,C:\Windows\System32\bootim.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/bootmenuux.yml mswsock.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\alg.exe,Sideloading,,https://wietze.github.io/blog/save-the-environment-variables;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/mswsock.yml ssshim.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\sfc.exe,Sideloading,,https://twitter.com/0gtweet/status/1363107343018385410,HijackLibs/yml/microsoft/built-in/ssshim.yml 
drvstore.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\infdefaultinstall.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH;https://www.microsoft.com/en-us/download/details.aspx?id=105437,HijackLibs/yml/microsoft/built-in/drvstore.yml uxtheme.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\atbroker.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH;https://skr1x.github.io/keepass-dll-hijacking/,HijackLibs/yml/microsoft/built-in/uxtheme.yml rasman.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\cmdl32.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/rasman.yml netapi32.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\appvclient.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/netapi32.yml msvcp110_win.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\agentactivationruntimestarter.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/msvcp110_win.yml credui.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\efsui.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/credui.yml dmoleaututils.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\omadmclient.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/dmoleaututils.yml 
dwrite.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\cttune.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/dwrite.yml
ntlanman.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/ntlanman.yml
coredplus.dll,C:\Windows\System32*,C:\Windows\System32\omadmclient.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/coredplus.yml
slc.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\msinfo32.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/slc.yml
fastprox.dll,C:\Windows\System32\wbem*;C:\Windows\SysWOW64\wbem*,C:\Windows\System32\cttune.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/fastprox.yml
dbgcore.dll,C:\Program Files\windows kits\10\debuggers\arm*;C:\Program Files\windows kits\10\debuggers\arm\srcsrv*;C:\Program Files\windows kits\10\debuggers\arm64*;C:\Program Files\windows kits\10\debuggers\arm64\srcsrv*;C:\Program Files\windows kits\10\debuggers\x64*;C:\Program Files\windows kits\10\debuggers\x64\srcsrv*;C:\Program Files\windows kits\10\debuggers\x86*;C:\Program Files\windows kits\10\debuggers\x86\srcsrv*;C:\Program Files\microsoft office\root\office*;C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\deploymentcsphelper.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/dbgcore.yml
prvdmofcomp.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\register-cimprovider.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/prvdmofcomp.yml
mscms.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\colorcpl.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/mscms.yml
fhcfg.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\filehistory.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/fhcfg.yml
offdmpsvc.dll,,C:\Windows\System32\wermgr.exe,Phantom,,https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/,HijackLibs/yml/microsoft/built-in/offdmpsvc.yml
winmm.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\mblctr.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securelist.com/wastedlocker-technical-analysis/97944/;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/winmm.yml
vsstrace.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bootim.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/vsstrace.yml
mtxclu.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\msdtc.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/mtxclu.yml
batmeter.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\mblctr.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/batmeter.yml
windows.storage.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\calc.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/windows.storage.yml
mstracer.dll,,C:\Windows\System32\searchindexer.exe,Phantom,,https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/,HijackLibs/yml/microsoft/built-in/mstracer.yml
policymanager.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\displayswitch.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/policymanager.yml
opcservices.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\proximityuxhost.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/opcservices.yml
windowscodecsext.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\wfs.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/windowscodecsext.yml
sxshared.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\defrag.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/sxshared.yml
iumbase.dll,C:\Windows\System32*,C:\Windows\System32\bioiso.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/iumbase.yml
mfplat.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\mdeserver.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/mfplat.yml
newdev.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\infdefaultinstall.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/newdev.yml
wldp.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\mshta.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/wldp.yml
d3d10.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\winsat.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/d3d10.yml
msxml3.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\wordpad.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/msxml3.yml
srvcli.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\change.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/srvcli.yml
logoncontroller.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\logonui.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/logoncontroller.yml
wlanapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\legacynetuxhost.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/wlanapi.yml
clipc.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\licensingdiag.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/clipc.yml
windowsudk.shellcommon.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\compmgmtlauncher.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/windowsudk.shellcommon.yml
dsparse.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dcdiag.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dsparse.yml
uireng.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\psr.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/uireng.yml
axeonoffhelper.dll,,C:\Windows\System32\wpr.exe,Phantom,,https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/,HijackLibs/yml/microsoft/built-in/axeonoffhelper.yml
reagent.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bootim.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/reagent.yml
d3d12.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dxgiadaptercache.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/d3d12.yml
p2pnetsh.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/p2pnetsh.yml
getuname.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\charmap.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/getuname.yml
windowsperformancerecordercontrol.dll,C:\Program Files\windows kits\10\windows performance toolkit*;C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\wpr.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/windowsperformancerecordercontrol.yml
deviceassociation.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\eduprintprov.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/deviceassociation.yml
clusapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dfsrdiag.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/clusapi.yml
msdtctm.dll,C:\Windows\System32*,C:\Windows\System32\msdtc.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/msdtctm.yml
comdlg32.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/comdlg32.yml
rmclient.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/rmclient.yml
cryptxml.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\clipup.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/cryptxml.yml
rasapi32.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\cmdl32.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/rasapi32.yml
tpmcoreprovisioning.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\tpmtool.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/tpmcoreprovisioning.yml
certenroll.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certenrollctrl.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/certenroll.yml
dxva2.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dccw.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/dxva2.yml
dcomp.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dataexchangehost.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dcomp.yml
coloradapterclient.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\colorcpl.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/coloradapterclient.yml
winrnr.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\ftp.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/winrnr.yml
tquery.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\searchfilterhost.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/tquery.yml
maintenanceui.dll,C:\Windows\System32*,C:\Windows\System32\mschedexe.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/maintenanceui.yml
netsetupapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\rasphone.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/netsetupapi.yml
fwbase.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\checknetisolation.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/fwbase.yml
pkeyhelper.dll,C:\Windows\System32*,C:\Windows\System32\sppsvc.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/pkeyhelper.yml
msvcp140.dll,C:\Windows\System32*;C:\Windows\SysWOW64*;C:\Program Files*,C:\Program Files\Java\*\bin\jp2launcher.exe,Sideloading,1fc684c5adf02b5a96cc407932429f1c2d3d2e78e3104cfbcf535a9de1ee4921,https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/;https://www.virustotal.com/gui/file/cbaf513e7fd4322b14adcc34b34d793d79076ad310925981548e8d3cff886527,HijackLibs/yml/microsoft/built-in/msvcp140.yml
d3dx9_43.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Users\*\AppData\Local\Temp\HPDIAGS\0699814c-9c5f-46ad-8c9d-a1c61a163f2b\d3dim9.exe,Sideloading,a8a09d4e1ddbe4de188100b285a53b53b10677e4fbc93014e07211cdaf532e7b,https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/,HijackLibs/yml/microsoft/built-in/d3dx9_43.yml
bcp47mrm.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\mcbuilder.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/bcp47mrm.yml
wbemprox.dll,C:\Windows\System32\wbem*;C:\Windows\SysWOW64\wbem*,C:\Windows\System32\cttune.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/wbemprox.yml
ieadvpack.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\ie4uinit.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/ieadvpack.yml
ssp.exe_rsaenh.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\rmactivate,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/ssp.exe_rsaenh.yml
netplwiz.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netplwiz.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/netplwiz.yml
colorui.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\colorcpl.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/colorui.yml
winsqlite3.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\browserexport.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/winsqlite3.yml
nshhttp.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/nshhttp.yml
tsworkspace.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\wkspbroker.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/tsworkspace.yml
sensapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Program Files\Minecraft Launcher\MinecraftLauncher.exe,Sideloading,6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495,https://twitter.com/AndrewOliveau/status/1682185200862625792;https://www.fortinet.com/blog/threat-research/nailaolocker-ransomware-cheese,HijackLibs/yml/microsoft/built-in/sensapi.yml
microsoft.ui.xaml.xamltypeinfo.dll,,C:\Users\*\AppData\Local\microsoft\onedrive\onedrive.exe,Phantom,,https://twitter.com/Octoberfest73/status/1631021071951437827/photo/1,HijackLibs/yml/microsoft/built-in/microsoft.ui.xaml.xamltypeinfo.yml
rasgcw.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\rasphone.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/rasgcw.yml
rtutils.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dialer.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/rtutils.yml
wmiclnt.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dispdiag.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/wmiclnt.yml
p2p.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/p2p.yml
iscsiexe.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\iscsicpl.exe,Search Order,,https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC;https://twitter.com/hackerfantastic/status/1547412574404214784,HijackLibs/yml/microsoft/built-in/iscsiexe.yml
dmenterprisediagnostics.dll,C:\Windows\System32*,C:\Windows\System32\deviceenroller.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/dmenterprisediagnostics.yml
flightsettings.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\devicecensus.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/flightsettings.yml
utildll.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\change.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/utildll.yml
bcrypt.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\shellappruntime.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/bcrypt.yml
wmpdui.dll,C:\Windows\System32*,C:\Windows\System32\wmpdmc.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/wmpdui.yml
ncrypt.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Sideloading,,https://wietze.github.io/blog/save-the-environment-variables;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/ncrypt.yml
secur32.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\appvclient.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH;https://www.secureworks.com/research/shadowpad-malware-analysis;https://www.hexacorn.com/blog/2023/02/25/beyond-good-ol-run-key-part-141/;https://twitter.com/hackerfantastic/status/1657549979840307203;https://github.com/hackerhouse-opensource/CompMgmtLauncher_DLL_UACBypass,HijackLibs/yml/microsoft/built-in/secur32.yml
wpdshext.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/wpdshext.yml
wlbsctrl.dll,,C:\Windows\System32\svchost.exe,Phantom,,https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992;https://www.youtube.com/watch?v=MZ8fgAN2As8;https://www.crowdstrike.com/blog/4-ways-adversaries-hijack-dlls/,HijackLibs/yml/microsoft/built-in/wlbsctrl.yml
d2d1.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dataexchangehost.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/d2d1.yml
netprovfw.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\djoin.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/netprovfw.yml
ktmw32.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\ktmutil.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/ktmw32.yml
unattend.dll,C:\Windows\System32*,C:\Windows\System32\recoverydrive.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/unattend.yml
spp.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\rstrui.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/spp.yml
mobilenetworking.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\mbaeparsertask.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/mobilenetworking.yml
fxsst.dll,C:\Windows\System32*,C:\Windows\explorer.exe,Search Order,,https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html/,HijackLibs/yml/microsoft/built-in/fxsst.yml
drprov.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/drprov.yml
oci.dll,,C:\Windows\System32\msdtc.exe,Phantom,,https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/;https://www.crowdstrike.com/blog/4-ways-adversaries-hijack-dlls/,HijackLibs/yml/microsoft/built-in/oci.yml
reseteng.dll,C:\Windows\System32*,C:\Windows\System32\bootim.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/reseteng.yml
configmanager2.dll,C:\Windows\System32*,C:\Windows\System32\hvsievaluator.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/configmanager2.yml
radcui.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\wkspbroker.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/radcui.yml
aclui.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\shrpubw.exe,Sideloading,,https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/;https://www.contextis.com/en/blog/dll-search-order-hijacking;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/aclui.yml
shell32.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/shell32.yml
cryptsp.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bcdedit.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/cryptsp.yml
eappcfg.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/eappcfg.yml
iernonce.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\SysWOW64\runonce.exe,Sideloading,,https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/,HijackLibs/yml/microsoft/built-in/iernonce.yml
devobj.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bthudtask.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/devobj.yml
networkexplorer.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/networkexplorer.yml
mswb7.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\control.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/mswb7.yml
dismapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bootim.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dismapi.yml
cfgmgr32.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\write.exe,Sideloading,,,HijackLibs/yml/microsoft/built-in/cfgmgr32.yml
efsutil.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\cipher.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/efsutil.yml
cryptnet.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Program Files\Microsoft Deployment Toolkit\Bin\Microsoft.BDD.Catalog35.exe,Sideloading,,https://twitter.com/BSummerz/status/1860045985919205645,HijackLibs/yml/microsoft/built-in/cryptnet.yml
esent.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dfsrdiag.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/esent.yml
d3d10_1.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\winsat.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/d3d10_1.yml
dmcommandlineutils.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\provtool.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dmcommandlineutils.yml
authfwcfg.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/authfwcfg.yml
vssapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bootim.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH;https://www.welivesecurity.com/2023/03/14/slow-ticking-time-bomb-tick-apt-group-dlp-software-developer-east-asia/,HijackLibs/yml/microsoft/built-in/vssapi.yml
mbaexmlparser.dll,C:\Windows\System32*,C:\Windows\System32\mbaeparsertask.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/mbaexmlparser.yml
ttdrecord.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\tttracer.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/ttdrecord.yml
netutils.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\at.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/netutils.yml
osuninst.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\convert.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/osuninst.yml
miutils.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\register-cimprovider.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/miutils.yml
lpksetupproxyserv.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\lpksetup.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/lpksetupproxyserv.yml
tapi32.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dialer.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/tapi32.yml
msedge_elf.dll,C:\Program Files\Microsoft\Edge\Application\*;C:\Program Files\Microsoft\EdgeCore\*;C:\Program Files\Microsoft\EdgeWebView\*,C:\Program Files\Microsoft\Edge\Application\*,Sideloading,7914d38736f3ce4f89432e15816711fffdfd9002fa50ce7205c1176af9142ab4,https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/,HijackLibs/yml/microsoft/built-in/msedge_elf.yml
midimap.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\osk.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/midimap.yml
rjvplatform.dll,C:\Windows\System32\SystemResetPlatform*;C:\Windows\SysWOW64\SystemResetPlatform*,C:\Windows\System32\SystemResetPlatform\SystemResetPlatform.exe,Sideloading,,https://twitter.com/0gtweet/status/1666716511988330499,HijackLibs/yml/microsoft/built-in/rjvplatform.yml
gpapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\gpapi.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/gpapi.yml
version.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\agentservice.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH;https://twitter.com/an0n_r0/status/1544472352657915904;https://www.cyjax.com/resources/blog/a-sting-on-bing-bumblebee-delivered-through-bing-seo-poisoning-campaign/;https://www.virustotal.com/gui/file/96480ef5ccfa8fcb0646538c440103d97ab741ed83f4c2bcb7b4717569f88770/community,HijackLibs/yml/microsoft/built-in/version.yml
fwpuclnt.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\checknetisolation.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/fwpuclnt.yml
mpclient.dll,C:\Program Files\Windows Defender*;C:\ProgramData\Microsoft\Windows Defender\Platform\*,C:\Program Files\Windows Defender\mpcmdrun.exe,Sideloading,,https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/;https://twitter.com/Sh0ckFR/status/1554021948967079936,HijackLibs/yml/microsoft/built-in/mpclient.yml
sppc.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\msinfo32.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/sppc.yml
ntlmshared.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\at.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/ntlmshared.yml
srpapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\appidpolicyconverter.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/srpapi.yml
winmde.dll,C:\Windows\System32*,C:\Windows\System32\mdeserver.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/winmde.yml
isv.exe_rsaenh.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\rmactivate,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/isv.exe_rsaenh.yml
dsprop.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dsquery.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dsprop.yml
logoncli.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certutil.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/logoncli.yml
fvewiz.dll,C:\Windows\System32*,C:\Windows\System32\bitlockerwizard.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/fvewiz.yml
srmtrace.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dirquota.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/srmtrace.yml
edgeiso.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\microsoftedgebchost.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/edgeiso.yml
miracastview.dll,C:\Windows\Miracast*,C:\Windows\MiraCast\MiracastView.exe,Sideloading,,https://news.sophos.com/en-us/2025/04/29/finding-minhook-in-a-sideloading-attack-and-sweden-too/;https://x.com/fromCharCode/status/1030107346230423554,HijackLibs/yml/microsoft/built-in/miracastview.yml
regapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\change.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/regapi.yml
msedgeupdate.dll,C:\Program Files\Microsoft\EdgeUpdate\*;C:\Program Files\Microsoft\Temp\*;C:\Users\*\AppData\Local\Microsoft\EdgeUpdate\*,C:\Program Files\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe,Sideloading,,,HijackLibs/yml/microsoft/built-in/msedgeupdate.yml
cmutil.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\cmstp.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/cmutil.yml
dsclient.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dmcfghost.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/dsclient.yml
samlib.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dpapimig.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/samlib.yml
authz.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\easinvoker.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/authz.yml
dusmapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\datausagelivetiletask.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/dusmapi.yml
lockhostingframework.dll,C:\Windows\System32*,C:\Windows\System32\lockapphost.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/lockhostingframework.yml
fxsapi.dll,C:\Windows\System32*;C:\Windows\System32\driverstore\filerepository\prnms002.inf_*\amd64*;C:\Windows\SysWOW64*,C:\Windows\System32\fxsunatd.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/fxsapi.yml
auditpolcore.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\auditpol.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/auditpolcore.yml
dataexchange.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/dataexchange.yml
peerdistsh.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/peerdistsh.yml
dhcpcmonitor.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/dhcpcmonitor.yml
desktopshellext.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\sihost.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/desktopshellext.yml
tdh.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\plasrv.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/tdh.yml
sas.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\quickassist.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/sas.yml
dwmcore.dll,C:\Windows\System32*,C:\Windows\System32\dwm.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/dwmcore.yml
puiapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\printui.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/puiapi.yml
structuredquery.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/structuredquery.yml
msvcr100.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Program Files\Java\jre*\bin\javacpl.exe,Sideloading,,https://twitter.com/SBousseaden/status/1530595156055011330;https://twitter.com/sbousseaden/status/1604934564614381571;https://blog.eclecticiq.com/dark-pink-apt-group-strikes-government-entities-in-south-asian-countries,HijackLibs/yml/microsoft/built-in/msvcr100.yml
wcnnetsh.dll,C:\Windows\System32*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/wcnnetsh.yml
sti.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Program Files\Windows Photo Viewer\ImagingDevices.exe,Sideloading,,https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/,HijackLibs/yml/microsoft/built-in/sti.yml
xmllite.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/xmllite.yml
dmcmnutils.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\deviceenroller.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dmcmnutils.yml
d3d10warp.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\slidetoshutdown.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/d3d10warp.yml
msasn1.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,winbox64.exe,Sideloading,,https://ice-wzl.medium.com/mikrotik-winbox-dll-side-loading-vulnerability-9ed9420bd4d7;https://github.com/pbatard/rufus/issues/1877,HijackLibs/yml/microsoft/built-in/msasn1.yml
wcmapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/wcmapi.yml
icmp.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\nlbmgr.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/icmp.yml
cabinet.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bootim.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/cabinet.yml
samcli.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certutil.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/samcli.yml
ntmarta.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\cacls.exe,Sideloading,,https://wietze.github.io/blog/save-the-environment-variables;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/ntmarta.yml
wlidprov.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\devicecensus.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/wlidprov.yml
profapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH;https://twitter.com/BSummerz/status/1860045985919205645,HijackLibs/yml/microsoft/built-in/profapi.yml
dbgmodel.dll,C:\Windows\System32*;C:\Windows\SysWOW64*;C:\Program Files\Windows Kits\10\Debuggers\*,C:\Program Files\Windows Kits\10\Debuggers\*\ntsd.exe,Sideloading,,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/,HijackLibs/yml/microsoft/built-in/dbgmodel.yml
schedcli.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\at.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/schedcli.yml
dmpushproxy.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dmcfghost.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dmpushproxy.yml
mapistub.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\fixmapi.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/mapistub.yml
wscapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\wscadminui.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/wscapi.yml
netiohlp.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/netiohlp.yml
nettrace.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/nettrace.yml
feclient.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\cipher.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/feclient.yml
wtsapi32.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\appvclient.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/wtsapi32.yml
windows.storage.search.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/windows.storage.search.yml
firewallapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\checknetisolation.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/firewallapi.yml
mdmdiagnostics.dll,C:\Windows\System32*,C:\Windows\System32\mdmdiagnosticstool.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/mdmdiagnostics.yml
cldapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\compmgmtlauncher.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/cldapi.yml
winipsec.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/winipsec.yml
iedkcs32.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\ie4uinit.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/iedkcs32.yml
dmxmlhelputils.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dmcfghost.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/dmxmlhelputils.yml
wwancfg.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/wwancfg.yml
ninput.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\multidigimon.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/ninput.yml
rtworkq.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\mdeserver.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/rtworkq.yml
dynamoapi.dll,C:\Windows\System32*,C:\Windows\System32\mdmdiagnosticstool.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/dynamoapi.yml
playsndsrv.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\sethc.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/playsndsrv.yml
cryptbase.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\alg.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH;https://twitter.com/AndrewOliveau/status/1682185200862625792;https://twitter.com/BSummerz/status/1860045985919205645;https://ice-wzl.medium.com/mikrotik-winbox-dll-side-loading-vulnerability-x2-413d371ff5f0,HijackLibs/yml/microsoft/built-in/cryptbase.yml
virtdisk.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bootim.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/virtdisk.yml
appvpolicy.dll,C:\Windows\System32*;C:\Program Files\Common Files\Microsoft Shared\ClickToRun*,C:\Windows\System32\appvclient.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/appvpolicy.yml
fxstiff.dll,C:\Windows\System32*;C:\Windows\System32\driverstore\filerepository\prnms002.inf_*\amd64*,C:\Windows\System32\fxssvc.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/fxstiff.yml
wsmsvc.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\winrs.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/wsmsvc.yml
cabview.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\notepad.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/cabview.yml
mmdevapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\audiodg.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/mmdevapi.yml
msiso.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\browserexport.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/msiso.yml
polstore.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/polstore.yml
ifsutil.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\convert.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/ifsutil.yml
d3d11.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dataexchangehost.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH;https://blog.amartinsec.com/blog/dllhijacking/,HijackLibs/yml/microsoft/built-in/d3d11.yml
cscapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/cscapi.yml
xwtpw32.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\devicepairingwizard.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/xwtpw32.yml
netshell.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/netshell.yml
wshbth.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\ftp.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/wshbth.yml
security.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\telnet.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/security.yml
mi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\winrs.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://asec.ahnlab.com/en/39828/,HijackLibs/yml/microsoft/built-in/mi.yml
dmprocessxmlfiltered.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dmomacpmo.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/dmprocessxmlfiltered.yml
connect.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\rasphone.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/connect.yml
avrt.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\osk.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/avrt.yml
dhcpcsvc6.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\ipconfig.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dhcpcsvc6.yml
bcd.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bootim.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/bcd.yml
devicepairing.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\devicepairingwizard.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/devicepairing.yml
userenv.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\appidpolicyconverter.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/userenv.yml
srcore.dll,C:\Windows\System32*,C:\Windows\System32\rstrui.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/srcore.yml
appwiz.cpl,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\fondue.exe,Sideloading,,https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/,HijackLibs/yml/microsoft/built-in/appwiz.yml
winscard.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\immersivetpmvscmgrsvr.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/winscard.yml
duser.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bdeunlock.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://twitter.com/0xcarnage/status/1203882560176218113;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/duser.yml
mfcore.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\mfpmp.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/mfcore.yml
wow64log.dll,,cmder.exe,Phantom,6F35596886C21C661972FCF117DC9BC392E49B164D86EC1F1DB7AAAAC82DFB24,https://waleedassar.blogspot.com/2013/01/wow64logdll.html;https://github.com/ice-wzl/Cmder_DLL_Side-Loading/blob/main/README.md,HijackLibs/yml/microsoft/built-in/wow64log.yml
uxinit.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\winlogon.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/uxinit.yml
p9np.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/p9np.yml
magnification.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\magnify.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/magnification.yml
wlancfg.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/wlancfg.yml
timesync.dll,C:\Windows\System32*,C:\Windows\System32\systemsettingsadminflows.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/timesync.yml
dot3api.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/dot3api.yml
adsldpc.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\agentservice.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/adsldpc.yml
pnrpnsp.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\ftp.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/pnrpnsp.yml
coremessaging.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dwm.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/coremessaging.yml
idstore.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\devicecensus.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/idstore.yml
osksupport.dll,C:\Windows\System32*,C:\Windows\System32\osk.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/osksupport.yml
wsdapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Program Files\Windows Kits\10\bin\*\x64\wsddebug_host.exe,Sideloading,,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/,HijackLibs/yml/microsoft/built-in/wsdapi.yml
davclnt.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/davclnt.yml
twinui.appcore.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\calc.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/twinui.appcore.yml
winhttp.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\cmdl32.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH;https://twitter.com/AndrewOliveau/status/1682185200862625792,HijackLibs/yml/microsoft/built-in/winhttp.yml
resetengine.dll,C:\Windows\System32*,C:\Windows\System32\resetengine.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/resetengine.yml
scecli.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\convert.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/scecli.yml
devicecredential.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\devicecredentialdeployment.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/devicecredential.yml
pdh.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\plasrv.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/pdh.yml
windowscodecs.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/windowscodecs.yml
uiribbon.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\wordpad.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/uiribbon.yml
iphlpapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\arp.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables;https://twitter.com/SBousseaden/status/1550903546916311043;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH;https://twitter.com/AndrewOliveau/status/1682185200862625792;https://x00.zip/playing-with-process-handles/;https://twitter.com/BSummerz/status/1860045985919205645,HijackLibs/yml/microsoft/built-in/iphlpapi.yml
msi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dxpserver.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/msi.yml
powrprof.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\fsquirt.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/powrprof.yml
wshelper.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/wshelper.yml
osbaseln.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\fondue.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/osbaseln.yml
ntdsapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certutil.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/ntdsapi.yml
bootux.dll,C:\Windows\System32*,C:\Windows\System32\bootim.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/bootux.yml
bcp47langs.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\lpremove.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/bcp47langs.yml
twext.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\compmgmtlauncher.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/twext.yml
cmpbk32.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\cmdl32.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/cmpbk32.yml
msctf.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\conhost.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/msctf.yml
urlmon.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bytecodegenerator.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/urlmon.yml
licensemanagerapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\wsreset.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/licensemanagerapi.yml
textshaping.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Program Files\Windows Kits\10\Debuggers\x64\logger.exe,Sideloading,,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/,HijackLibs/yml/microsoft/built-in/textshaping.yml
iscsium.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\iscsicli.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/iscsium.yml
aepic.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\psr.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/aepic.yml
shellchromeapi.dll,,C:\Windows\System32\DeviceEnroller.exe,Phantom,,https://dennisbabkin.com/blog/?t=pwning-windows-updates-dll-hijacking-through-orphaned-dll;https://twitter.com/0gtweet/status/1564131230941122561,HijackLibs/yml/microsoft/built-in/shellchromeapi.yml
bderepair.dll,C:\Windows\System32*,C:\Windows\System32\repair-bde.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/bderepair.yml
efsadu.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\efsui.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/efsadu.yml
netid.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\systempropertiesadvanced.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/netid.yml
wofutil.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\recoverydrive.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/wofutil.yml
fwcfg.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/fwcfg.yml
fltlib.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\agentservice.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/fltlib.yml
kdstub.dll,C:\Windows\System32*,C:\Windows\System32\hvax64.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/kdstub.yml
explorerframe.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/explorerframe.yml
dbghelp.dll,C:\Program Files\windows kits\10\debuggers\arm*;C:\Program Files\windows kits\10\debuggers\arm\srcsrv*;C:\Program Files\windows kits\10\debuggers\arm64*;C:\Program Files\windows kits\10\debuggers\arm64\srcsrv*;C:\Program Files\windows kits\10\debuggers\x64*;C:\Program Files\windows kits\10\debuggers\x64\srcsrv*;C:\Program Files\windows kits\10\debuggers\x86*;C:\Program Files\windows kits\10\debuggers\x86\srcsrv*;C:\Program Files\cisco systems\cisco jabber*;C:\Program Files\microsoft office\root\office*;C:\Program Files\microsoft office\root\vfs\programfilesx86\microsoft analysis services\as oledb\140*;C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bootim.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dbghelp.yml
appxdeploymentclient.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\lpremove.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/appxdeploymentclient.yml
wmidcom.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\stordiag.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/wmidcom.yml
dmiso8601utils.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\mdmdiagnosticstool.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dmiso8601utils.yml
httpapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/httpapi.yml
licensingdiagspp.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\licensingdiag.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/licensingdiagspp.yml
rasmontr.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/rasmontr.yml
vdsutil.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\vdsldr.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/vdsutil.yml
atl.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dsquery.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/atl.yml
msftedit.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\charmap.exe,Sideloading,,https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/;https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/msftedit.yml
pla.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\logman.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/pla.yml
netprofm.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\fxscover.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/netprofm.yml
updatepolicy.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\mousocoreworker.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/updatepolicy.yml
dsreg.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bitlockerdeviceencryption.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dsreg.yml
d3dcompiler_47.dll,C:\Program Files\windows kits\10\bin\*\x64*;C:\Program Files\windows kits\10\bin\*\x86*;C:\Program Files\windows kits\10\redist\d3d\x64*;C:\Program Files\windows kits\10\redist\d3d\x86*;C:\Program Files\wireshark*;C:\Program Files\LogiOptionsPlus*;C:\Program Files\cisco systems\cisco jabber*;C:\Program Files\microsoft\edge\application\*;C:\Program Files\microsoft\edgewebview\application\*;C:\Program Files\microsoft\edgecore\application\*;C:\Program Files\Google\Chrome\Application\*;C:\Program Files\Island\Island\Application\*;C:\Program Files\Zoom\bin*;%APPDATA%\Zoom\bin*;C:\Users\*\AppData\Local\microsoft\teams\stage*;C:\Users\*\AppData\Local\Programs\Microsoft VS Code*;C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dwm.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/d3dcompiler_47.yml
wininet.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\appvclient.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/wininet.yml
webservices.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\clipup.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/webservices.yml
wecapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\wecutil.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/wecapi.yml
dxcore.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\taskmgr.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dxcore.yml
tbs.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bootim.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/tbs.yml
sapi_onecore.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\devicecensus.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/sapi_onecore.yml
rpcnsh.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/rpcnsh.yml
mscorsvc.dll,C:\Windows\Microsoft.NET\Framework\v*;C:\Windows\Microsoft.NET\Framework64\v*,C:\Windows\Microsoft.NET\Framework\v*\mscorsvw.exe,Sideloading,,https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/;https://www.securityjoes.com/post/hide-and-seek-in-windows-closet-unmasking-the-winsxs-hijacking-hideout,HijackLibs/yml/microsoft/built-in/mscorsvc.yml
appxalluserstore.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\lpremove.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/appxalluserstore.yml
prntvpt.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\printfilterpipelinesvc.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/prntvpt.yml
framedynos.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dfsrdiag.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/framedynos.yml
printui.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\printui.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/printui.yml
oleacc.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\bootim.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/oleacc.yml
cdpsgshims.dll,,C:\Windows\System32\svchost.exe,Phantom,,https://itm4n.github.io/cdpsvc-dll-hijacking/,HijackLibs/yml/microsoft/built-in/cdpsgshims.yml
dmcfgutils.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\omadmclient.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/dmcfgutils.yml
hid.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\psr.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://github.com/netero1010/ServiceMove-BOF;https://www.virustotal.com/gui/file/30fbf917d0a510b8dac3bacb0f4948f9d55bbfb0fa960b07f0af20ba4f18fc19/,HijackLibs/yml/microsoft/built-in/hid.yml
dnsapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\checknetisolation.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dnsapi.yml
iri.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\deviceenroller.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/iri.yml
fddevquery.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\ddodiag.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/fddevquery.yml
napinsp.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\ftp.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/napinsp.yml
staterepository.core.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\applytrustoffline.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/staterepository.core.yml
lrwizdll.dll,C:\Windows\System32*,C:\Windows\System32\licmgr.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/lrwizdll.yml
dhcpcsvc.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\ipconfig.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dhcpcsvc.yml
ifmon.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/ifmon.yml
wmsgapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\osk.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/wmsgapi.yml
onex.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/onex.yml
iertutil.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\browserexport.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/iertutil.yml
activeds.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\applysettingstemplatecatalog.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/activeds.yml
ssp_isv.exe_rsaenh.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\rmactivate,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/ssp_isv.exe_rsaenh.yml
fhsvcctl.dll,C:\Windows\System32*,C:\Windows\System32\fhmanagew.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/fhsvcctl.yml
mlang.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\calc.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/mlang.yml
fveapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\baaupdate.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/fveapi.yml
dwmapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dwmapi.yml
nshwfp.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/nshwfp.yml
coreuicomponents.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dwm.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/coreuicomponents.yml
wevtapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\cidiag.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/wevtapi.yml
joinutil.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\djoin.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/joinutil.yml
srclient.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\srtasks.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://blog.vonahi.io/srclient-dll-hijacking/,HijackLibs/yml/microsoft/built-in/srclient.yml
vaultcli.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\cipher.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/vaultcli.yml
loadperf.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\unlodctr.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/loadperf.yml
snmpapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\arp.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/snmpapi.yml
wbemsvc.dll,C:\Windows\System32\wbem*;C:\Windows\SysWOW64\wbem*,C:\Windows\System32\cttune.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/wbemsvc.yml
ksuser.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\mfpmp.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/ksuser.yml
systemsettingsthresholdadminflowui.dll,C:\Windows\System32*,C:\Windows\System32\systemsettingsadminflows.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/systemsettingsthresholdadminflowui.yml
audioses.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\osk.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/audioses.yml
fveskybackup.dll,C:\Windows\System32*,C:\Windows\System32\bitlockerdeviceencryption.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/fveskybackup.yml
dcntel.dll,C:\Windows\System32*,C:\Windows\System32\devicecensus.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/dcntel.yml
iscsidsc.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\iscsicli.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/iscsidsc.yml
certcli.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\certreq.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/certcli.yml
directmanipulation.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Program Files\Microsoft Office\root\Office*\excel.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/directmanipulation.yml
mrmcorer.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\mcbuilder.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/mrmcorer.yml
fwpolicyiomgr.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/fwpolicyiomgr.yml
proximityservicepal.dll,C:\Windows\System32*,C:\Windows\System32\proximityuxhost.exe,Sideloading,,https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/proximityservicepal.yml
wdi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\cofire.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://wietze.github.io/blog/save-the-environment-variables;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/wdi.yml
archiveint.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\tar.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/archiveint.yml
scansetting.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\wiaacmgr.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/scansetting.yml
mscoree.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\aitstatic.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH;https://www.secureworks.com/research/shadowpad-malware-analysis;https://www.crowdstrike.com/blog/4-ways-adversaries-hijack-dlls/,HijackLibs/yml/microsoft/built-in/mscoree.yml
uiautomationcore.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\gamepanel.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/uiautomationcore.yml
twinapi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\dataexchangehost.exe,Sideloading,,https://wietze.github.io/blog/save-the-environment-variables;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/twinapi.yml
ntshrui.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\compmgmtlauncher.exe,Environment Variable,,https://wietze.github.io/blog/save-the-environment-variables,HijackLibs/yml/microsoft/built-in/ntshrui.yml
msctfmonitor.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\credwiz.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/msctfmonitor.yml
nshipsec.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\netsh.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/nshipsec.yml
devrtl.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\drvinst.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows,HijackLibs/yml/microsoft/built-in/devrtl.yml
dismcore.dll,C:\Windows\System32\dism*;C:\Windows\SysWOW64\dism*,C:\Windows\System32\dism.exe,Search Order,,https://cofense.com/exploiting-unpatched-vulnerability-ave_maria-malware-not-full-grace/,HijackLibs/yml/microsoft/built-in/dismcore.yml
dxgi.dll,C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Windows\System32\applicationframehost.exe,Sideloading,,https://wietze.github.io/blog/hijacking-dlls-in-windows;https://securityintelligence.com/posts/windows-features-dll-sideloading/;https://github.com/xforcered/WFH,HijackLibs/yml/microsoft/built-in/dxgi.yml
uxcore.dll,C:\Program Files\windows live\installer*,C:\Program Files\windows live\installer\Dashboard.exe,Sideloading,8cc871ee8760a4658189528b4a5d8afe9824f6a13faaf1fe7eb56f2a3ad2d04e,https://www.virustotal.com/gui/file/016468b087cdbe5123189b68965cb65dc95ba1a59fc3ed32144b92d1274d13b6/relations;https://www.virustotal.com/gui/file/23c3fec8dc60c06caadecb31e2d770212e70faf0de866cb5878622f077d4fe2a,HijackLibs/yml/microsoft/external/uxcore.yml
formdll.dll,C:\Program Files\Common Files\Microsoft Shared\NoteSync Forms*,C:\Program Files\Common Files\Microsoft Shared\NoteSync Forms\inkform.exe,Sideloading,0e545a54f3cfef84bb59be1a95453ae4b34b5464b0f5ca618a0da2e4c97c7526,https://any.run/report/d9c7f6d4ec08d961c20dac1b6422b3fbec5c6a8d9dc67d1f604835b36c5f224e/ae068531-92db-497d-b0cb-c0b1af5476f1,HijackLibs/yml/microsoft/external/formdll.yml
windowsperformancerecorderui.dll,C:\Program Files\Windows Kits\10\Windows Performance Toolkit*,C:\Program Files\Windows Kits\10\Windows Performance Toolkit\WPRUI.exe,Sideloading,,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/,HijackLibs/yml/microsoft/external/windowsperformancerecorderui.yml
tedutil.dll,C:\Program Files\Microsoft SDKs\Windows\*\Bin*,C:\Program Files\Microsoft SDKs\Windows\*\Bin\TopoEdit.exe,Sideloading,b874e5abdd7c008d47560fda4e84db893ac63c18c3a5a450d25f4e62ed8e8d8c,https://asec.ahnlab.com/en/58319/;https://www.virustotal.com/gui/file/eb014e37fdcaf42c93f606058896ccb47eed56be5e1701c7b9744bac0003a8e8/details;https://learn.microsoft.com/en-us/windows/win32/medfound/topoedit-modules,HijackLibs/yml/microsoft/external/tedutil.yml
outllib.dll,C:\Program Files\Microsoft Office\OFFICE*;C:\Program Files\Microsoft Office\Root\OFFICE*;C:\Program Files\Microsoft Office *\ClientX86\Root\Office*;C:\Program Files\Microsoft Office *\ClientX64\Root\Office*,C:\Program Files\Microsoft Office\OFFICE*\outlook.exe,Sideloading,,https://medium.com/insomniacs/analysis-walkthrough-fun-clientrun-part-1-b2509344ebe6,HijackLibs/yml/microsoft/external/outllib.yml
imjp14k.dll,C:\Windows\System32*;C:\Windows\SysWOW64*;C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED*,C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\imecmnt.exe,Sideloading,80a7ff01de553cb099452cb9fac5762caf96c0c3cd9c5ad229739da7f2a2ca72,https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/;https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/,HijackLibs/yml/microsoft/external/imjp14k.yml
gflagsui.dll,C:\Program Files\Windows Kits\10\Debuggers\*,C:\Program Files\Windows Kits\10\Debuggers\*\gflags.exe,Sideloading,,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/,HijackLibs/yml/microsoft/external/gflagsui.yml
mspgimme.dll,C:\Program Files\Common Files\Microsoft Shared\MODI\11.0*,C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPSCAN.EXE,Sideloading,99f193b6479bfa3e127c9c7209716ae0adbf0d782d51fb0faff016544dd70819,,HijackLibs/yml/microsoft/external/mspgimme.yml
dbgeng.dll,C:\Program Files\Windows Kits\*\Debuggers\x86*;C:\Program Files\Windows Kits\*\Debuggers\x64*;C:\Program Files\Windows Kits\*\Debuggers\arm*;C:\Program Files\Windows Kits\*\Debuggers\arm64*;C:\Windows\System32*;C:\Windows\SysWOW64*,windbg.exe,Sideloading,,https://twitter.com/mrexodia/status/1630320327967252483,HijackLibs/yml/microsoft/external/dbgeng.yml
concrt140.dll,C:\Program Files\Microsoft Visual Studio\*\Community\Common7\IDE\VC\vcpackages*;C:\Program Files\Microsoft Visual Studio\*\BuildTools\Common7\IDE\VC\vcpackages*;C:\Program Files\Microsoft Visual Studio\*\BuildTools\Common7\IDE*;C:\Program Files\Microsoft Intune Management Extension*;C:\Program Files\Microsoft\Edge\Application\*;C:\Program Files\Microsoft\EdgeWebView\Application\*;C:\Program Files\microsoft\edgewebview\application\*;C:\Program Files\Microsoft RDInfra\RDMonitoringAgent_*\Agent*;C:\Program Files\WindowsApps\Microsoft.VCLibs.*;C:\Program Files\WindowsApps\Microsoft.OutlookForWindows_*;C:\Windows\System32*;C:\Windows\SysWOW64*,vcpkgsrv.exe,Sideloading,a5c5487194f761dac90e178c9c1753c0f47b041f3168b5c23a587f33f69e5089,https://www.youtube.com/watch?v=uTQIIWsUSHA;https://www.virustotal.com/gui/file/119910bd40da350fe61397b7eb8b6bc4c1280ff130129b4f5046d7f460c62fac,HijackLibs/yml/microsoft/external/concrt140.yml
ppcore.dll,C:\Program Files\Microsoft Office\OFFICE*;C:\Program Files\Microsoft Office\Root\OFFICE*;C:\Program Files\Microsoft Office *\ClientX86\Root\Office*;C:\Program Files\Microsoft Office *\ClientX64\Root\Office*,C:\Program Files\Microsoft Office\OFFICE*\Powerpnt.exe,Sideloading,,https://research.checkpoint.com/2025/apt29-phishing-campaign/;https://www.virustotal.com/gui/file/d931078b63d94726d4be5dc1a00324275b53b935b77d3eed1712461f0c180164,HijackLibs/yml/microsoft/external/ppcore.yml
msidcrl40.dll,C:\Program Files\msn messenger*,C:\Program Files\msn messenger\livecall.exe,Sideloading,63ec17feda1f0ea80e0dd7b7938fbf7354aedf8d9f4041543afca9a35337f7bf,https://www.virustotal.com/gui/file/e2787ddbbf2a7304827a17d698f7cede17edbf0633d36f39f4c020ee8f37ccd1;https://www.virustotal.com/gui/file/448bfca5913e45ec36863ec2e72d959bd1f8ac30e0c794b708b3a6f45a050ef4,HijackLibs/yml/microsoft/external/msidcrl40.yml
iviewers.dll,C:\Program Files\Windows Kits\10\bin\*\x86*;C:\Program Files\Windows Kits\10\bin\*\x64*;C:\Program Files\Windows Kits\10\bin\*\arm*;C:\Program Files\Windows Kits\10\bin\*\arm64*,C:\Program Files\Windows Kits\10\bin\*\x86\oleview.exe,Sideloading,,https://www.secureworks.com/research/shadowpad-malware-analysis;https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html,HijackLibs/yml/microsoft/external/iviewers.yml
mpgear.dll,C:\Program Files\Windows Defender Advanced Threat Protection\Classification*;C:\Windows\System32\MRT\*,C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe,Sideloading,8dc4d5deef19fb4da195c270819a6ee283b67408fc9ee187216a0ce80ee61bab,https://asec.ahnlab.com/en/58319/;https://www.virustotal.com/gui/file/1643a9c54e5d730fb0ebf4ab49e6c1d3a09dcd2c3a0282674330346d90990ab0;https://www.virustotal.com/gui/file/e1316301e7904a415fdd2a1707d1a48220cce055aab17b36a48e67bf0369edba,HijackLibs/yml/microsoft/external/mpgear.yml
hha.dll,C:\Windows\System32*;C:\Windows\SysWOW64*;C:\Program Files\HTML Help Workshop*,C:\Program Files\HTML Help Workshop\hhc.exe,Sideloading,3e96894609819ae3d595ff6e0fbe9ce6c9ac17bdeda256b994831992f668cb99,https://blog.trendmicro.com/trendlabs-security-intelligence/new-wave-of-plugx-targets-legitimate-apps/;https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/,HijackLibs/yml/microsoft/external/hha.yml
atltracetoolui.dll,C:\Program Files\Microsoft Visual Studio 11.0\Common7\Tools*,C:\Program Files\Microsoft Visual Studio 11.0\Common7\Tools\ATLTraceTool8.exe,Sideloading,197d0ad8e3f6591e4493daaee9e52e53ecf192e32f9d167c67f2ffb408c76f2c,https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/,HijackLibs/yml/microsoft/external/atltracetoolui.yml
wmicodegen.dll,C:\Program Files\windows kits\*\bin\*,C:\Program Files\windows kits\*\bin\*\convert-moftoprovider.exe,Sideloading,0C14A5E99C861E3A393A78E23D85DA1AACD43AB29FE017EB56BABD3BF447DBFA,https://securelist.com/apt41-in-africa/116986/,HijackLibs/yml/microsoft/external/wmicodegen.yml
rcdll.dll,C:\Program Files\Windows Kits\10\bin\*\*,C:\Program Files\Windows Kits\10\bin\*\*\rc.exe,Sideloading,,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/,HijackLibs/yml/microsoft/external/rcdll.yml
msimg32.dll,C:\Program Files\Haihaisoft PDF Reader*;C:\Windows\System32*;C:\Windows\SysWOW64*,C:\Program Files\Haihaisoft PDF Reader\hpreader.exe,Sideloading,2f9be76319a2441d14e7e10239373f053f05f3c1ca2056babb58db50ebe8c5c7;08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2,https://www.virustotal.com/gui/file/2f08e2316a38da2d39d31131a0e3314024ab80756050624afafc1e17b0562d5e/details,HijackLibs/yml/microsoft/external/msimg32.yml
symsrv.dll,C:\Program Files\Windows Kits\10\Debuggers\*,C:\Program Files\Windows Kits\10\Debuggers\*\symstore.exe,Sideloading,,https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/,HijackLibs/yml/microsoft/external/symsrv.yml