[{"Name":"acrodistdll.dll","Author":"Pokhlebin Maxim","Created":"2023-06-08","Vendor":"Adobe","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Adobe\\Acrobat %VERSION%\\Acrobat"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Adobe\\Acrobat %VERSION%\\Acrobat\\AcroDist.exe","Type":"Sideloading","SHA256":["01b68a0c13032bb59f262ed94d2daf85e50fad7a1502a3097029b66b7eb4f903"]}],"Resources":["https://go.recordedfuture.com/hubfs/reports/cta-2022-1223.pdf"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/adobe/acrodistdll.html"},{"Name":"sqlite.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-04-15","Vendor":"Adobe","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Adobe\\Acrobat Reader DC\\Reader","%PROGRAMFILES%\\Adobe\\Acrobat DC\\Acrobat"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Adobe\\Acrobat Reader DC\\Reader\\AcroBroker.exe","Type":"Sideloading","SHA256":["1f64f01063b26bf05d4b076d54816e54dacd08b7fd6e5bc9cc5d11a548ff2215"]}],"Resources":["https://asec.ahnlab.com/en/58319/","https://www.virustotal.com/gui/file/802bad293e5d5e75ffac3df3dd5301315a886534011871275a1b41c9cec1f298"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/adobe/sqlite.html"},{"Name":"vcomp100.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-07-09","Vendor":"Adobe","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Adobe\\Adobe Photoshop %VERSION%\\convert.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"SERIALNUMBER=2748129,CN=Adobe Systems Incorporated,OU=\"Photoshop\\, Bridge - SHA256\",O=Adobe Systems Incorporated,L=San Jose,ST=California,C=US,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.3=#13025553","Issuer":"CN=Symantec Class 3 Extended Validation Code Signing CA,OU=Symantec Trust Network,O=Symantec 
Corporation,C=US","Type":"Authenticode"}],"ExpectedVersionInformation":[{"FileDescription":"ImageMagick Studio library and utility programs","OriginalFilename":"ImageMagick","InternalName":"ImageMagick"}],"SHA256":["db2457caa1ccd65e63718b9e28789a12e17bc7a038975fba4f07dcd9f38e7016"]}],"Resources":["https://www.virustotal.com/gui/file/0ab581841cc19922d424dbc518d279070ea75ec2983334ba1b74c16ca5729bc1/relations","https://www.virustotal.com/gui/file/5a5e1142b50096e3af0f9079c45c84f8a6ca1be60e45dbc489327a2632d73fd5/details"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/adobe/vcomp100.html"},{"Name":"cc32290mt.dll","Author":"Josh Allman","Created":"2025-02-25","Vendor":"Ahnenblatt","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Ahnenblatt4\\Ahnenblatt4.exe"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Ahnenblatt4\\Ahnenblatt4.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"Ahnenblatt"}],"SHA256":["8f4f53bc02348a549f3437444aacec43eae5f90875ea3c5ec96600ba1cb4a061"]}],"Resources":["https://www.virustotal.com/gui/file/dab744a533bcbc4a2d3f19a54694ceb00587a0ce68d046ca9085d5013321ea5a"],"Acknowledgements":[{"Name":"Josh Allman","Twitter":"@xorjosh","Company":"Huntress"},{"Name":"Amelia Casley","Twitter":"@pe4Chscreeching","Company":"Huntress"},{"Name":"Faith Stratton","Twitter":"@f0xtrot_sierra","Company":"Huntress"}],"url":"https://hijacklibs.net/entries/3rd_party/ahnenblatt/cc32290mt.html"},{"Name":"amindpdfcore.dll","Author":"Still 
Hsu","Created":"2024-05-26","Vendor":"AmindPDF","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\GeekerPDF\\GeekerPDF"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\GeekerPDF\\GeekerPDF\\GeekerPDF.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"AmindPDF","InternalName":"AmindPDF.exe","OriginalFilename":"AmindPDF.exe","ProductName":"AmindPDF"}],"ExpectedSignatureInformation":[{"Subject":"CN=AmindPDF Limited, O=AmindPDF Limited, STREET=\"RM 802, 8/F IHOME CTR 369 LOCKHART RD\", L=Wan Chai, S=Hong Kong Island, C=HK","Issuer":"CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE","Type":"Authenticode"}],"SHA256":["107ba73ae05ec6ba6d814665923191f14757015557eeeff16206cc957da29be3"]}],"Resources":["https://www.virustotal.com/gui/file/78a60bea5693138c771386b8c22f0adfe6765a6313b80488bd1084bc9ed370bd"],"Acknowledgements":[{"Name":"Still Hsu","Twitter":"@AzakaSekai_"}],"url":"https://hijacklibs.net/entries/3rd_party/amindpdf/amindpdfcore.html"},{"Name":"avdevice-54.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-05-06","Vendor":"AnyMP4","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\AnyMP4 Studio\\AnyMP4 Blu-ray Creator"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\AnyMP4 Studio\\AnyMP4 Blu-ray Creator\\AnyMP4 Blu-ray Creator.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"AnyMP4 Blu-ray Creator.exe","InternalName":"AnyMP4 Blu-ray Creator","FileDescription":"AnyMP4 Blu-ray Creator"}],"SHA256":["98c9c45cf18434fe9ab79c9db2e88c1f1db48c95338864421e4d761d71c2fbc6"]}],"Resources":null,"Acknowledgements":[{"Name":"Chad Hudson","Company":"Huntress","Twitter":"@0xBurgers"},{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/anymp4/avdevice-54.html"},{"Name":"duilib_u.dll","Author":"Jose 
Oregon","Created":"2025-04-29","Vendor":"AnyViewer","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\AnyViewer"],"VulnerableExecutables":[{"Path":"SplashWin.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"AnyViewer","InternalName":"AnyViewer Client","FileDescription":"Splash Window"}],"SHA256":["c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1"]}],"Resources":["https://www.virustotal.com/gui/file/e770be8fba337cc01e24c7f059368526a804d2af64136a39bb84adeebcf9cfbc","https://bazaar.abuse.ch/sample/d99d382868e2e1191c2ac403d9985569d18e534883b3c64606d08847d68a96b6/","https://www.anyviewer.com/download.html"],"Acknowledgements":[{"Name":"Jose Oregon","Company":"Huntress","Twitter":"@amprage_"},{"Name":"Austin Worline","Company":"Huntress","Twitter":"@0xffaraday"}],"url":"https://hijacklibs.net/entries/3rd_party/anyviewer/duilib_u.html"},{"Name":"comn.dll","Author":"Still Hsu","Created":"2025-12-03","Vendor":"AOMEI","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\AOMEI\\AOMEI Backupper\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\AOMEI\\AOMEI Backupper\\%VERSION%\\Abspawnhlp.exe","Type":"Sideloading","SHA256":["ab5b956eca5ce83bf763d5f952316f17ba771adfd5cafd8ca9e262de61de4b4e"],"ExpectedSignatureInformation":[{"Type":"Authenticode","Subject":"CN=COMODO RSA Extended Validation Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB","Issuer":"CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB"}]},{"Path":"%PROGRAMFILES%\\AOMEI\\AOMEI Backupper\\%VERSION%\\ABCorehlp.exe","Type":"Sideloading","SHA256":["d8499face4195c362af82d4b847aa6693a6a2dd4ee03db0c2f79ee270e5f082b"],"ExpectedSignatureInformation":[{"Type":"Authenticode","Subject":"CN=COMODO RSA Extended Validation Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB","Issuer":"CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater 
Manchester,C=GB"}]}],"Resources":["https://www.virustotal.com/gui/file/2f5e9ef06c1ae2253a50c9556a8a522eaa5dd1e33d2fdc6930ab3c93ae538240"],"Acknowledgements":[{"Name":"Still Hsu","Twitter":"@AzakaSekai_"}],"url":"https://hijacklibs.net/entries/3rd_party/aomei/comn.html"},{"Name":"corefoundation.dll","Author":"Matt Anderson - HuntressLabs","Created":"2024-04-13","Vendor":"Apple","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Common Files\\Apple\\Apple Application Support","%PROGRAMFILES%\\iTunes","%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\iTunes\\ituneshelper.exe","Type":"Sideloading","SHA256":["0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda"]},{"Path":"%PROGRAMFILES%\\QuickTime\\QuickTimePlayer.exe","Type":"Sideloading","SHA256":["b3a7ff97aca1201758c5295afa7d34e8d05f429b7faf707cf4d5740b8c76cb61"]}],"Resources":["https://analyze.intezer.com/analyses/82011cc1-c3df-4c63-9945-8730b0d1cf3e","https://www.virustotal.com/gui/file/ff5e56c20591a9019eb28b3cab88f5a240657c1c360bf01ad3a6d417fa10b7f5","https://www.joesandbox.com/analysis/1394928/0/html","https://discussions.apple.com/thread/2732037?sortBy=best","https://iosninja.io/dll/download/corefoundation-dll"],"Acknowledgements":[{"Name":"Matt Anderson","Company":"Huntress","Twitter":"@nosecurething"}],"url":"https://hijacklibs.net/entries/3rd_party/apple/corefoundation.html"},{"Name":"asio.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-04-10","Vendor":"Asus","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\ASUS\\AXSP\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\ASUS\\AXSP\\4.02.12\\atkexComSvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.","Issuer":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA 
(SHA2)","Type":"Authenticode"}],"ExpectedVersionInformation":[{"OriginalFilename":"atkexComSvc.exe","InternalName":"atkexComSvc.exe","FileDescription":"ASUS Com Service"}],"SHA256":["12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10"]}],"Resources":["https://www.virustotal.com/gui/file/006f91524d53d483074335f74c2ca2c10cab9b64de86f6151eedfa53174434f2/relations","https://www.virustotal.com/gui/file/7f4689de97d97ddb6e788119ebf0dc3707c66f8216d7cbc79ea329d0c3df63bf/details"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/asus/asio.html"},{"Name":"asus_wmi.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-04-10","Vendor":"Asus","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\ASUS\\AXSP\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\ASUS\\AXSP\\%VERSION%\\atkexComSvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.","Issuer":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)","Type":"Authenticode"}],"ExpectedVersionInformation":[{"OriginalFilename":"atkexComSvc.exe","InternalName":"atkexComSvc.exe","FileDescription":"ASUS Com Service"}],"SHA256":["12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10"]}],"Resources":["https://www.virustotal.com/gui/file/006f91524d53d483074335f74c2ca2c10cab9b64de86f6151eedfa53174434f2/relations","https://www.virustotal.com/gui/file/7f4689de97d97ddb6e788119ebf0dc3707c66f8216d7cbc79ea329d0c3df63bf/details"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/asus/asus_wmi.html"},{"Name":"vender.dll","Author":"Wietze Beukema","Created":"2023-04-04","Vendor":"Asus","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\ASUS\\GPU TweakII","%PROGRAMFILES%\\ASUS\\VGA 
COM\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\ASUS\\GPU TweakII\\ASUSGPUFanService.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=TW, L=Taipei City, O=ASUSTEK COMPUTER INC., CN=ASUSTEK COMPUTER INC.","Issuer":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)","Type":"Authenticode"}],"ExpectedVersionInformation":[{"OriginalFilename":"setfandu.exe","InternalName":"setfandu.exe","FileDescription":"fan control"}],"SHA256":["00bfbbe6e9d0c54312de906be79cc1e9f18b2957856a1215eaff1ac7bb20e66f"]}],"Resources":["https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/asus/vender.html"},{"Name":"dal_keepalives.dll","Author":"Wietze Beukema","Created":"2025-02-15","Vendor":"Audinate","CVE":"CVE-2022-23748","ExpectedLocations":["%PROGRAMFILES%\\audinate\\shared files"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\audinate\\shared files\\mDnsResponder.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"Dante Discovery","InternalName":"mDNSResponder.exe","OriginalFilename":"mDNSResponder.exe","ProductName":"Dante Discovery","FileVersion":"1.3.0.0","LegalCopyright":"© 2013-2014 Audinate Pty Ltd"}],"SHA256":["8360c2391f373c9de46c5b37fef952c2309be34e62127777ad7358ddb1d437ff"]}],"Resources":["https://research.checkpoint.com/2023/stayin-alive-targeted-attacks-against-telecoms-and-government-ministries-in-asia/","https://www.cisa.gov/news-events/alerts/2025/02/06/cisa-adds-five-known-exploited-vulnerabilities-catalog","https://www.virustotal.com/gui/file/d4bd89ff56b75fc617f83eb858b6dbce7b36376889b07fa0c2417322ca361c30"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/audinate/dal_keepalives.html"},{"Name":"wsc.dll","Author":"Matt 
Green","Created":"2022-08-15","Vendor":"Avast","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\AVAST Software\\Avast","%PROGRAMFILES%\\Norton\\Suite","%PROGRAMFILES%\\AVG\\Antivirus"],"VulnerableExecutables":[{"Path":"wsc_proxy.exe","SHA256":["85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654"],"Type":"Search Order"}],"Resources":["https://github.com/netero1010/Vulnerability-Disclosure/tree/main/CVE-2022-AVAST2","https://securelist.com/cycldek-bridging-the-air-gap/97157/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/avast/wsc.html"},{"Name":"basicnetutils.dll","Author":"Wietze Beukema","Created":"2023-05-03","Vendor":"Baidu","CVE":null,"ExpectedLocations":["%LOCALAPPDATA%\\Temp\\%VERSION%\\Application2","%PROGRAMFILES%\\BAIDU\\BAIDUPINYIN\\%VERSION%"],"VulnerableExecutables":[{"Path":"%LOCALAPPDATA%\\Temp\\%VERSION%\\Application2\\XLGameUpdate.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=CN, ST=Beijing, L=Beijing, O='Beijing Baidu Netcom Science and Technology Co.,Ltd', CN='Beijing Baidu Netcom Science and Technology Co.,Ltd'","Issuer":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CodeSigning CA - G3","Type":"Authenticode"}],"SHA256":["769d59d03036af86c7a9950f03ebc7b693a94d3e2f8ecd1d74cf5600ab948105"]}],"Resources":["https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/","https://www.welivesecurity.com/2023/03/16/not-so-private-messaging-trojanized-whatsapp-telegram-cryptocurrency-wallets/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/baidu/basicnetutils.html"},{"Name":"log.dll","Author":"Wietze Beukema","Created":"2022-06-13","Vendor":"BitDefender","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Bitdefender Antivirus Free","%PROGRAMFILES%\\Bitdefender Agent\\%VERSION%","%PROGRAMFILES%\\Bitdefender Agent\\%VERSION%\\x64","%PROGRAMFILES%\\Bitdefender\\Bitdefender Security","%PROGRAMFILES%\\Bitdefender\\Bitdefender Security 
App"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Bitdefender Antivirus Free\\BDReinit.exe","Type":"Sideloading","SHA256":["386EB7AA33C76CE671D6685F79512597F1FAB28EA46C8EC7D89E58340081E2BD"],"ExpectedSignatureInformation":[{"Issuer":"CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O=\"VeriSign, Inc.\", C=US","Subject":"CN=BitDefender SRL, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=BitDefender SRL, L=Bucharest, S=Bucharest, C=RO","Type":"Authenticode"}]},{"Path":"%PROGRAMFILES%\\Bitdefender Agent\\%VERSION%\\BDReinit.exe","Type":"Sideloading","SHA256":["386EB7AA33C76CE671D6685F79512597F1FAB28EA46C8EC7D89E58340081E2BD"],"ExpectedSignatureInformation":[{"Issuer":"CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O=\"VeriSign, Inc.\", C=US","Subject":"CN=BitDefender SRL, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=BitDefender SRL, L=Bucharest, S=Bucharest, C=RO","Type":"Authenticode"}]},{"Path":"%PROGRAMFILES%\\Bitdefender Agent\\%VERSION%\\x64\\BDReinit.exe","Type":"Sideloading","SHA256":["386EB7AA33C76CE671D6685F79512597F1FAB28EA46C8EC7D89E58340081E2BD"],"ExpectedSignatureInformation":[{"Issuer":"CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O=\"VeriSign, Inc.\", C=US","Subject":"CN=BitDefender SRL, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=BitDefender SRL, L=Bucharest, S=Bucharest, C=RO","Type":"Authenticode"}]},{"Path":"%PROGRAMFILES%\\Bitdefender\\Bitdefender Security\\BDReinit.exe","Type":"Sideloading","SHA256":["386EB7AA33C76CE671D6685F79512597F1FAB28EA46C8EC7D89E58340081E2BD"],"ExpectedSignatureInformation":[{"Issuer":"CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O=\"VeriSign, Inc.\", 
C=US","Subject":"CN=BitDefender SRL, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=BitDefender SRL, L=Bucharest, S=Bucharest, C=RO","Type":"Authenticode"}]},{"Path":"%PROGRAMFILES%\\Bitdefender\\Bitdefender Security App\\BDReinit.exe","Type":"Sideloading","SHA256":["386EB7AA33C76CE671D6685F79512597F1FAB28EA46C8EC7D89E58340081E2BD"],"ExpectedSignatureInformation":[{"Issuer":"CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O=\"VeriSign, Inc.\", C=US","Subject":"CN=BitDefender SRL, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=BitDefender SRL, L=Bucharest, S=Bucharest, C=RO","Type":"Authenticode"}]},{"Path":"%PROGRAMFILES%\\Bitdefender Antivirus Free\\BDSubWiz.exe","Type":"Sideloading","SHA256":["2DA00DE67720F5F13B17E9D985FE70F10F153DA60C9AB1086FE58F069A156924"]},{"Path":"%PROGRAMFILES%\\Bitdefender Agent\\%VERSION%\\BDSubWiz.exe","Type":"Sideloading","SHA256":["2DA00DE67720F5F13B17E9D985FE70F10F153DA60C9AB1086FE58F069A156924"]},{"Path":"%PROGRAMFILES%\\Bitdefender Agent\\%VERSION%\\x64\\BDSubWiz.exe","Type":"Sideloading","SHA256":["2DA00DE67720F5F13B17E9D985FE70F10F153DA60C9AB1086FE58F069A156924"]},{"Path":"%PROGRAMFILES%\\Bitdefender\\Bitdefender Security\\BDSubWiz.exe","Type":"Sideloading","SHA256":["2DA00DE67720F5F13B17E9D985FE70F10F153DA60C9AB1086FE58F069A156924"]},{"Path":"%PROGRAMFILES%\\Bitdefender\\Bitdefender Security App\\BDSubWiz.exe","Type":"Sideloading","SHA256":["2DA00DE67720F5F13B17E9D985FE70F10F153DA60C9AB1086FE58F069A156924"]}],"Resources":["https://www.secureworks.com/research/shadowpad-malware-analysis","https://www.hexacorn.com/blog/2023/02/25/beyond-good-ol-run-key-part-141/","https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/"],"Acknowledgements":[{"Name":"Daniel 
Koifman","Company":"CardinalOps","Twitter":"@KoifSec"},{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/3rd_party/bitdefender/log.html"},{"Name":"bugsplat64.dll","Author":"Swachchhanda Shrawan Poudel","Created":"2025-02-27","Vendor":"BugSplat","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Nitro\\PDF Pro\\","%PROGRAMFILES%\\Nitro\\Pro"],"VulnerableExecutables":[{"Path":"BugSplatHD64.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"BugSplatHD.EXE","InternalName":"BugSplatHD.EXE","FileDescription":"Hang detection module, BugSplatHD.EXE","FileVersion":"3.3.1.0"}],"SHA256":["b874075e7bc7c9dbf25fed0d3f54aa694957e5ff57c0ebbcf88c9c277771d37c"]}],"Resources":["https://x.com/ankit_anubhav/status/1895061182689747333","https://bazaar.abuse.ch/sample/97791eba8ac9745155cea4cc1a90e44765a97b840441220ec13c82f719c65f1a/"],"Acknowledgements":[{"Name":"Ankit Anubhav","Twitter":"@ankit_anubhav"},{"Name":"Swachchhanda Shrawan Poudel","Company":"Nextron Systems","Twitter":"@_swachchhanda_"}],"url":"https://hijacklibs.net/entries/3rd_party/bugsplat/bugsplat64.html"},{"Name":"libcares-2.dll","Author":"Wietze Beukema","Created":"2026-02-26","Vendor":"c-ares","CVE":null,"ExpectedLocations":["%LOCALAPPDATA%\\GitKraken\\app-%VERSION%"],"VulnerableExecutables":[{"Path":"ahost.exe","Type":"Sideloading","SHA256":["a52e245dd7937094711b10c479274a2cccea2dfb89f7d4c9f22879214718f92b"]}],"Resources":["https://www.trellix.com/en-us/blogs/research/hiding-in-plain-sight-multi-actor-ahost-exe-attacks/","https://www.virustotal.com/gui/file/7c41ac7b5bf15e34d50d6abbe28254e94e6c21e0ccab9fa68aca05049a515758"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/c-ares/libcares-2.html"},{"Name":"calibre-launcher.dll","Author":"Jai Minton - 
HuntressLabs","Created":"2024-08-07","Vendor":"Calibre","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Calibre2"],"VulnerableExecutables":[{"Path":"calibre.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"calibre.exe","InternalName":"calibre","FileDescription":"The main calibre program"}],"SHA256":["735e7b33b97bff3cf6416ed3b8ed7213d7258eec05202cbf8f8f8002c6435fd1"]}],"Resources":["https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"},{"Name":"Craig Sweeney","Company":"Huntress","Twitter":"@bumbucha"}],"url":"https://hijacklibs.net/entries/3rd_party/calibre/calibre-launcher.html"},{"Name":"cnmpaui.dll","Author":"Swachchhanda Shrawan Poudel","Created":"2025-09-08","Vendor":"Canon","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Canon\\Canon IJ Printer Assistant Tool\\"],"VulnerableExecutables":[{"Path":"cnmpaui.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"CNMPAUI.EXE","InternalName":"CNMPAUI.EXE","FileDescription":"Canon IJ Printer Assistant Tool","ProductName":"Canon IJ Printer Assistant Tool"}],"SHA256":["4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3"]}],"Resources":["https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats/","https://www.virustotal.com/gui/file/e787f64af048b9cb8a153a0759555785c8fd3ee1e8efbca312a29f2acb1e4011"],"Acknowledgements":[{"Name":"Swachchhanda Shrawan Poudel","Company":"Nextron Systems","Twitter":"@_swachchhanda_"}],"url":"https://hijacklibs.net/entries/3rd_party/canon/cnmpaui.html"},{"Name":"relay.dll","Author":"Jai Minton - 
HuntressLabs","Created":"2024-05-27","Vendor":"Canon","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"UniversalInstaller.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"UniversalInstaller.exe","InternalName":"UniversalInstaller.exe","FileDescription":"Universal Installer Windows"}],"SHA256":["a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3"]}],"Resources":["https://www.virustotal.com/gui/file/6122b4ceb394e4a441b4f7ac92745b1aa64b6c83a4101d6d326e130efa5a5d10/details"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/canon/relay.html"},{"Name":"avupdate.dll","Author":"Josh Allman","Created":"2025-02-18","Vendor":"Carbon Black","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Confer\\scanner\\upd.exe"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Confer\\scanner\\upd.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"Carbon Black Cloud Sensor AV Update Tool x64"}],"SHA256":["3dfae7b23f6d1fe6e37a19de0e3b1f39249d146a1d21102dcc37861d337a0633"]}],"Resources":["https://blackpointcyber.com/resources/blog/qilin-ransomware-and-the-hidden-dangers-of-byovd/"],"Acknowledgements":[{"Name":"Josh Allman","Company":"Huntress","Twitter":"@xorjosh"}],"url":"https://hijacklibs.net/entries/3rd_party/carbonblack/avupdate.html"},{"Name":"mfc140u.dll","Author":"Jai Minton - HuntressLabs","Created":"2025-02-19","Vendor":"CheckMAL","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\CheckMAL\\AppCheck"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\CheckMAL\\AppCheck\\AppCheck.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"AppCheck.exe","InternalName":"AppCheck.exe","FileDescription":"AppCheck 
Anti-Ransomware"}],"SHA256":["ea987229c8d4e647e0b5a0d6dd08cce9d15e78f74cb5fb5c86a7e9ea6a5ecc82"]}],"Resources":["https://www.virustotal.com/gui/file/c4c85e98452094c8bd395b19c2afe283a50cdbb651e51e09d3f7b0dfa35fda65/details"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"},{"Name":"Josh Allman","Company":"Huntress","Twitter":"@xorjosh"}],"url":"https://hijacklibs.net/entries/3rd_party/checkmal/mfc140u.html"},{"Name":"ciscosparklauncher.dll","Author":"Sorina Ionescu","Created":"2022-10-10","Vendor":"Cisco","CVE":null,"ExpectedLocations":["%LOCALAPPDATA%\\CiscoSparkLauncher","%LOCALAPPDATA%\\Programs\\Cisco Spark","%PROGRAMFILES%\\Cisco Spark"],"VulnerableExecutables":[{"Path":"CiscoCollabHost.exe","SHA256":["15bb2d1e81a75a92d0012dcbf47686fa2ab10f2174cda36d7c4b03bfb72313b7","7b301cea1feff0add8de512a93ed7bc1b8330caf0c3a6f1585f9887b88db8efb"],"Type":"Sideloading"}],"Resources":["https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/","https://www.joesandbox.com/analysis/279535/0/html"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/cisco/ciscosparklauncher.html"},{"Name":"wcldll.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-04-10","Vendor":"Cisco","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Cisco Systems\\Cisco Jabber","%PROGRAMFILES%\\Webex\\Applications","%PROGRAMFILES%\\Webex\\Plugins"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Webex\\Applications\\ptInst.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"ptInst.exe","InternalName":"ptInst","FileDescription":"WebEx PT ptInst 
Module"}],"SHA256":["bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5"]}],"Resources":["https://www.virustotal.com/gui/file/26227914bdad9baf491a9b966e6301fc997cff35c677dcfd9628654f4f6bc9fc/relations","https://www.virustotal.com/gui/file/fa1443219f210bdcf3a25b311342851f61378536eb11810366468156fbd5c051"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/cisco/wcldll.html"},{"Name":"classicexplorer32.dll","Author":"Pokhlebin Maxim","Created":"2023-06-08","Vendor":"Classic Shell","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Classic Shell","%PROGRAMFILES%\\Open-Shell"],"VulnerableExecutables":[{"Path":"ClassicExplorerSettings.exe","Type":"Sideloading","SHA256":["b44cc792ae7f58e9a12a121c14a067ee1dd380df093339b4bf2b02df5937b2af"]}],"Resources":["https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/classicshell/classicexplorer32.html"},{"Name":"libcurl.dll","Author":"Still Hsu","Created":"2024-05-26","Vendor":"curl","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Notepad++\\updater","%PROGRAMFILES%\\WindowsApps\\MSTeams_%VERSION%","%PROGRAMFILES%\\Coolmuster\\Coolmuster PDF Creator Pro\\%VERSION%\\Bin"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Notepad++\\updater\\GUP.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"WinGup for Notepad++","InternalName":"gup.exe","OriginalFilename":"gup.exe","ProductName":"WinGup for Notepad++"}],"ExpectedSignatureInformation":[{"Subject":"CN=\"Notepad++\", O=\"Notepad++\", L=Saint Cloud, S=Ile-de-France, C=FR","Issuer":"CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=\"DigiCert, Inc.\", 
C=US","Type":"Authenticode"}],"SHA256":["e5bbbf34414426f63e6cd1354c306405e54bf31279829c7542dccfb7d85af0ec"]},{"Path":"%PROGRAMFILES%\\Coolmuster\\Coolmuster PDF Creator Pro\\%VERSION%\\Bin\\Coolmuster PDF Creator Pro.exe","Type":"Sideloading","SHA256":["777989570e14510d504debc657a24ccd995abb88fe30c5fa71911789b9a47f50"],"ExpectedVersionInformation":[{"FileDescription":"FileProcessManager Module","FileVersion":"1.0.2.1","InternalName":"FileProcessManager","LegalCopyright":"Copyright 2023","OriginalFilename":"FileProcessManager.exe","ProductName":"FileProcessManager Module","ProductVersion":"1.0.2.1"}]}],"Resources":["https://www.virustotal.com/gui/file/d1e44e4224899cb160a92f4c7f4f042b10ae0ee3fc16bbe457ad32e8b1527ed5","https://www.virustotal.com/gui/file/dd0c2d79fef0cf5e2d32dcdd661d6ba0a6e9901ffe047fad2d081bbc28daad2c"],"Acknowledgements":[{"Name":"Still Hsu","Twitter":"@AzakaSekai_"},{"Name":"Jai Minton","Company":"Huntress","Twitter":"@CyberRaiju"}],"url":"https://hijacklibs.net/entries/3rd_party/curl/libcurl.html"},{"Name":"vftrace.dll","Author":"Sorina Ionescu","Created":"2022-10-17","Vendor":"CyberArk","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32","%PROGRAMFILES%\\CyberArk\\Endpoint Privilege Manager\\Agent\\x64","%PROGRAMFILES%\\CyberArk\\Endpoint Privilege Manager\\Agent"],"VulnerableExecutables":[{"Path":"vf_host.exe","SHA256":["df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348"],"Type":"Sideloading"}],"Resources":["https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state?web_view=true","https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277b"],"Acknowledgements":[{"Name":"Threat Hunting Team Symantec"},{"Name":"CISA"}],"url":"https://hijacklibs.net/entries/3rd_party/cyberark/vftrace.html"},{"Name":"ci.dll","Author":"Jai Minton - 
HuntressLabs","Created":"2024-05-06","Vendor":"Digiarty","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Digiarty\\WinX Blu-ray Decrypter","%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Digiarty\\WinX Blu-ray Decrypter\\WinX Blu-ray Decrypter.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"WinX Blu-ray Decrypter"}],"SHA256":["1fd92aa46464f8453e33dc7461f80ee7b441f9042e9d0110086226c5f725bd9f"]}],"Resources":["https://www.virustotal.com/gui/file/2560b7390da7c7a1d92050d9c1f5e3a8025cd35fff5360fe73583b5e3f48731e","https://www.virustotal.com/gui/file/ae2453d0e03d72759d5239dcfe9518d6a721319006613a41f8bb53d37d4d1391/details","https://www.virustotal.com/gui/file/7306316b53f915aaff06f00896829884db857b7e5c2747188ae080cad5b8c0e1"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/digiarty/ci.html"},{"Name":"goopdate.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-08-08","Vendor":"Dropbox","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Dropbox\\Update","%PROGRAMFILES%\\Dropbox\\Update\\%VERSION%","%LOCALAPPDATA%\\DropboxUpdate\\Update"],"VulnerableExecutables":[{"Path":"DropboxUpdate.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"DropboxUpdate.exe","InternalName":"Dropbox Update","FileDescription":"Dropbox Update"}],"SHA256":["47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc"]},{"Path":"DropboxCrashHandler.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"DropboxUpdate.exe","InternalName":"Dropbox Update","FileDescription":"Dropbox Update"}],"SHA256":["47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc"]}],"Resources":["https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"},{"Name":"Craig 
Sweeney","Company":"Huntress","Twitter":"@bumbucha"}],"url":"https://hijacklibs.net/entries/3rd_party/dropbox/goopdate.html"},{"Name":"eacore.dll","Author":"Wietze Beukema","Created":"2025-02-15","Vendor":"Electronic Arts","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Electronic Arts\\EA Desktop\\EA Desktop"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Electronic Arts\\EA Desktop\\EA Desktop\\EACoreServer.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=US, ST=CALIFORNIA, L=Redwood City, O='Electronic Arts, Inc.', OU=EAC, CN='Electronic Arts, Inc.'","Type":"Authenticode"}],"SHA256":["2c24f443087674a64742d5e63f62b035102314d4431fdb336cbdcb68291454dd"]}],"Resources":["https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/","https://x.com/FatzQatz/status/1883443770819248130","https://www.virustotal.com/gui/file/dc673d59a6a9df3d02e83fd03af80e117bea20954602ae416540870b1b3d13c4"],"Acknowledgements":[{"Name":"FatzQatz","Twitter":"@FatzQatz"}],"url":"https://hijacklibs.net/entries/3rd_party/electronicarts/eacore.html"},{"Name":"qrt.dll","Author":"Wietze Beukema","Created":"2022-06-13","Vendor":"F-Secure","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\F-Secure\\Anti-Virus"],"VulnerableExecutables":[{"Path":"qrtfix.exe","Type":"Sideloading"}],"Resources":["https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/f-secure/qrt.html"},{"Name":"fnp_act_installer.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-04-15","Vendor":"Flexera","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\InstallShield\\%VERSION%\\System"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\InstallShield\\%VERSION%\\System\\TSConfig.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"InstallShield Activation 
Wizard"}],"SHA256":["b5f9377bd27fcf48fb3d81d0196021681739f42a198e8340c27d55192d4bd3ac"]},{"Path":"%PROGRAMFILES%\\InstallShield\\%VERSION%\\System\\ISDbg.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"InstallShield (R) Script Debugger"}],"SHA256":["40c88a5620a651b6af283dff83c4da997782784da7f85b94fc9b6c02a28862e7"],"ExpectedSignatureInformation":[{"Subject":"CN=\"Flexera Software LLC\", O=\"Flexera Software LLC\", L=Unknown, C=Unknown","Issuer":"CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=DigiCert Inc, C=US","Type":"Authenticode"}]}],"Resources":["https://asec.ahnlab.com/en/58319/","https://www.virustotal.com/gui/file/e7b69768215453b2c648d7060161ce9b9eaf1ace631eb2ac11b60a7195e2263e","https://app.any.run/tasks/faf0d668-7e06-4b1c-922b-2bb3a9d81dae"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"},{"Name":"Josh Allman","Company":"Huntress","Twitter":"@xorjosh"}],"url":"https://hijacklibs.net/entries/3rd_party/flexera/fnp_act_installer.html"},{"Name":"avkkid.dll","Author":"Wietze Beukema","Created":"2025-02-15","Vendor":"G DATA","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\G DATA\\TotalSecurity\\avkkid"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\G DATA\\TotalSecurity\\avkkid\\avkkid.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"AVKKid.exe","InternalName":"AVKKid","FileDescription":"G DATA Security Software - KidSafe","ProductName":"G DATA Security Software"}],"SHA256":["388b0714e2a8146c270afe6a4c80d109988ad8dc026a0f260b376d9c35a330ed"]}],"Resources":["https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/","https://www.virustotal.com/gui/file/68eb5590d8ad952215cf54741b0ed6204c19bba4dcb8d704883e007f16de5028"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/gdata/avkkid.html"},{"Name":"ccleanerreactivator.dll","Author":"Still 
Hsu","Created":"2025-10-20","Vendor":"Gen Digital","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\CCleaner"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\CCleaner\\CCleanerReactivator.exe","Type":"Sideloading","SHA256":["f87381d6c1ba5c8dd3c0fbe113357aea2104938f7a7516f5be120c30a78dab6b","59e5b2a7a3903e4fb9a23174b655adb75eb490625ddb126ef29446e47de4099f"],"ExpectedVersionInformation":[{"CompanyName":"Gen Digital Inc.","FileDescription":"CCleaner Reactivator","InternalName":"CCleanerReactivator","OriginalFilename":"CCleanerReactivator.exe","ProductName":"CCleanerReactivator.exe"}],"ExpectedSignatureInformation":[{"Type":"Authenticode","Subject":"CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB","Issuer":"CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB"}]}],"Resources":["https://www.virustotal.com/gui/file/d665f55555f87b515cb8ef1adce9592a83662a8c4efa34f6ffdd022475bd176a","https://lab52.io/blog/2344-2/"],"Acknowledgements":[{"Name":"Still Hsu","Twitter":"@AzakaSekai_"}],"url":"https://hijacklibs.net/entries/3rd_party/gendigital/ccleanerreactivator.html"},{"Name":"badata_x64.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-04-10","Vendor":"Glorylogic","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\True Burner"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\True Burner\\TrueBurner.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"True Burner"}],"SHA256":["3e190f160218ad78c85c169dfd0828d36e4a366a3e2a61337391f0d7599a7558"]}],"Resources":["https://www.virustotal.com/gui/file/9326dd40e37d720f15a0104f89d6e76eb7a75b6e1fad14018326dbaa01681e74/relations"],"Acknowledgements":[{"Name":"Jai Minton","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/glorylogic/badata_x64.html"},{"Name":"chrome_frame_helper.dll","Author":"Wietze 
Beukema","Created":"2021-12-08","Vendor":"Google","CVE":null,"ExpectedLocations":["%LOCALAPPDATA%\\Google\\Chrome\\Application","%PROGRAMFILES%\\Google\\Chrome\\Application"],"VulnerableExecutables":[{"Path":"chrome_frame_helper.exe","SHA256":["f95d0ab23f95e169cd2c613a4b8dde731ca6031c5ae11ebf0bdc034db3cc30cd"],"Type":"Sideloading"}],"Resources":["https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/"],"Acknowledgements":[{"Name":"Adam","Twitter":"@hexacorn"}],"url":"https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html"},{"Name":"libcef.dll","Author":"Matt Anderson - HuntressLabs","Created":"2024-04-13","Vendor":"Google","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\NVIDIA Corporation\\NVIDIA GeForce Experience"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\NVIDIA Corporation\\NVIDIA GeForce Experience\\NVIDIA Share.exe","Type":"Sideloading","SHA256":["f1e2f82d5f21fb8169131fedee6704696451f9e28a8705fca5c0dd6dad151d64"]}],"Resources":["https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html","https://analyze.intezer.com/analyses/93e92d7a-9a46-4c1c-8ac0-87b4453beeb8","https://www.virustotal.com/gui/file/64d0fc47fd77eb300942602a912ea9403960acd4f2ed33a8e325594bf700d65f","https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/"],"Acknowledgements":[{"Name":"Matt Anderson","Company":"Huntress","Twitter":"@nosecurething"}],"url":"https://hijacklibs.net/entries/3rd_party/google/libcef.html"},{"Name":"iepdf32.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-07-09","Vendor":"HandySoftware","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Handy Viewer"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Handy Viewer\\hv.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=German Gorodokuplya,O=German Gorodokuplya,POSTALCODE=69000,STREET=\"Nyzhnya\\, 
3\",L=Zaporizhzhya,ST=Zaporizhka,C=UA","Issuer":"CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB","Type":"Authenticode"}],"ExpectedVersionInformation":[{"FileDescription":"Handy Viewer"}],"SHA256":["6d8905ec0b1dfdc0a10d1cce40714ddd73205a09ad390b933ddbecdcf06a4cf2"]}],"Resources":["https://www.virustotal.com/gui/file/b748e5dc64f5ece1b256705b7365a89b3be9284587da5f3abbde4be78864867e/relations","https://www.virustotal.com/gui/file/030ca3bb54a276eea7cdf69d90d04b58a4fa500396e94340895f923d87dc169a/relations"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/handysoftware/iepdf32.html"},{"Name":"hpcustpartui.dll","Author":"Christiaan Beek","Created":"2023-01-10","Vendor":"HP","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\HP"],"VulnerableExecutables":[{"Path":"HPCustParticUI.exe","Type":"Sideloading","SHA256":["8857232077b4b0f0e4a2c3bb5717fd65079209784f41694f8e1b469e34754cf6"]}],"Resources":["https://www.trellix.com/en-us/about/newsroom/stories/research/operation-harvest-a-deep-dive-into-a-long-term-campaign.html","https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/"],"Acknowledgements":[{"Name":"Christiaan Beek","Twitter":"@ChristiaanBeek"}],"url":"https://hijacklibs.net/entries/3rd_party/hp/hpcustpartui.html"},{"Name":"hpqhvsei.dll","Author":"Wietze Beukema","Created":"2023-02-26","Vendor":"HP","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\HP"],"VulnerableExecutables":[{"Path":"hpqhvind.exe","Type":"Sideloading","SHA256":["404c4ab8ea4d0c05ac78038a7addb045861706832ea3a51dec8c39cfc15017d3"],"ExpectedSignatureInformation":[{"Subject":"CN=Hewlett Packard, OU=Desktop Consumer Solutions, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Hewlett Packard, L=San Diego, S=California, C=US","Issuer":"CN=VeriSign Class 3 
Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O=\"VeriSign, Inc.\", C=US","Type":"Authenticode"}]}],"Resources":["https://www.secureworks.com/research/shadowpad-malware-analysis","https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/","https://www.hexacorn.com/blog/2023/02/25/beyond-good-ol-run-key-part-141/"],"Acknowledgements":[{"Name":"Adam","Twitter":"@Hexacorn"}],"url":"https://hijacklibs.net/entries/3rd_party/hp/hpqhvsei.html"},{"Name":"liteskinutils.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-05-06","Vendor":"ICQ","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\ICQLite"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\ICQLite\\ICQLite.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"ICQLite.exe","InternalName":"ICQ Lite","FileDescription":"ICQLite"}],"SHA256":["e6baea057b35e495a3fc3cdf3b95d503c3abc63c371fbb0067f1052798ce3601"]}],"Resources":["https://www.virustotal.com/gui/file/e5e53392b29b74545e463b65052e0b6b07e8299d709f07501fb0f31b97a679ab/details","https://www.virustotal.com/gui/file/a278d5604a93e93a5580845da93af6c316a37a4cd35c1fc9348958ae1bebdb90/details","https://www.virustotal.com/gui/file/104ca4690b0ff17eb55e1330c5baf5580a731b6834f0716c483e646d6030855c/relations","https://www.virustotal.com/gui/file/010f55aef8ccba2ea1307d934decd577a08fa21547d1db30e01f3ae5ff1cce07/relations"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/icq/liteskinutils.html"},{"Name":"skinutils.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-05-06","Vendor":"ICQ","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\ICQLite"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\ICQLite\\ICQLite.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"ICQLite.exe","InternalName":"ICQ 
Lite","FileDescription":"ICQLite"}],"SHA256":["e6baea057b35e495a3fc3cdf3b95d503c3abc63c371fbb0067f1052798ce3601"]}],"Resources":["https://www.virustotal.com/gui/file/e5e53392b29b74545e463b65052e0b6b07e8299d709f07501fb0f31b97a679ab/details","https://www.virustotal.com/gui/file/a278d5604a93e93a5580845da93af6c316a37a4cd35c1fc9348958ae1bebdb90/details","https://www.virustotal.com/gui/file/104ca4690b0ff17eb55e1330c5baf5580a731b6834f0716c483e646d6030855c/relations","https://www.virustotal.com/gui/file/010f55aef8ccba2ea1307d934decd577a08fa21547d1db30e01f3ae5ff1cce07/relations"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/icq/skinutils.html"},{"Name":"crashrpt.dll","Author":"Still Hsu","Created":"2026-01-09","Vendor":"Idol","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\MPC-HC\\CrashReporter"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\MPC-HC\\mpc-hc.exe","Type":"Sideloading","SHA256":["a61260a5fae6e2cf0c103956df895359ab92f201f5b039cf09b5f8f6260d1fa5"],"ExpectedVersionInformation":[{"CompanyName":"MPC-HC Team","FileDescription":"MPC-HC","InternalName":"mpc-hc","OriginalFilename":"mpc-hc.exe","ProductName":"MPC-HC"}]},{"Path":"%PROGRAMFILES%\\MPC-HC\\mpc-hc64.exe","Type":"Sideloading","SHA256":["f45eeaad935066a5a7f9a105e7464bf198d323cbf21b4ff5ccab3edb8b28c36d"],"ExpectedVersionInformation":[{"CompanyName":"MPC-HC Team","FileDescription":"MPC-HC","InternalName":"mpc-hc","OriginalFilename":"mpc-hc64.exe","ProductName":"MPC-HC"}]}],"Resources":["https://www.virustotal.com/gui/file/db35155d33b616d4f7c268e78c8179eb84378778a4b195df09a8c36f2e5eb38b"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/idol/crashrpt.html"},{"Name":"tbb.dll","Author":"Jai Minton","Created":"2025-06-24","Vendor":"Intel","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Adobe\\Adobe Photoshop CC %VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Adobe\\Adobe Photoshop CC 
%VERSION%\\AGF3DPrinterDriver.exe","Type":"Sideloading","SHA256":["6a7a23891816196fa6a6966886bc14edf6cd1f1cc9d865e8dbed8b59adc7c7c2"]}],"Resources":["https://www.virustotal.com/gui/file/d6ca9b88d5eb884a761a068700b8bbb509b01bba322ce6086e500e4e6f332adf/detection"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@CyberRaiju"}],"url":"https://hijacklibs.net/entries/3rd_party/intel/tbb.html"},{"Name":"register.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-05-06","Vendor":"IObit","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\IObit\\Driver Booster\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\IObit\\Driver Booster\\%VERSION%\\DriverBooster.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"RttHlp.exe","InternalName":"RttHlp.exe","FileDescription":"IObit RttHlp"}],"SHA256":["8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473"]}],"Resources":["https://www.virustotal.com/gui/file/0500e5ad7e344d32ee26da988aeb30f6344a0c89a68eacce5d6a5683d1fee0e1/relations","https://www.virustotal.com/gui/file/cdfe0f80cd3dc1914c7ad1a6305c0c1116168a37c5cfe8ff51650e2ac814b818/details"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/iobit/register.html"},{"Name":"common.dll","Author":"Jai Minton","Created":"2025-05-05","Vendor":"iroot","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\iroot"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\iroot\\romasterconnection.exe","Type":"Sideloading","SHA256":["12cbaa57e3241d9f997c41a171ff40cf37ee8ab421fa1f35d2354891bf51815c"],"ExpectedSignatureInformation":[{"Type":"Authenticode","Subject":"CN=WoSign Time Stamping Signer,O=WoSign CA Limited,C=CN","Issuer":"CN=Certification Authority of WoSign,O=WoSign CA 
Limited,C=CN"}]}],"Resources":["https://www.herdprotect.com/romasterconnection.exe-61602b5ec9ff4f651e87c9c4a15a7e4cc7c733aa.aspx","https://www.virustotal.com/gui/file/5aef5d7e917612b6390904f6468c3d0dbcf30345277b3ad0fe79e62fa8003c5b"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@CyberRaiju"}],"url":"https://hijacklibs.net/entries/3rd_party/iroot/common.html"},{"Name":"rtl120.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-06-14","Vendor":"iTop","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\DualSafe Password Manager"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\DualSafe Password Manager\\DPMInit.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"DualSafe Password Manager","OriginalFilename":"DPMInit.exe"}],"SHA256":["26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616"]}],"Resources":["https://www.virustotal.com/gui/file/0e93a41edf1ca3e1723e5e0d73f3e0f54d6d672606b9dc0cda745f87e3fd0339/relations","https://www.virustotal.com/gui/file/6028d64b53880676fcd62b445fd71952f9141b8ac0e60329b15cf9e04e437cea/details"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/itop/rtl120.html"},{"Name":"webui.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-08-30","Vendor":"iTop","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\iTop Screen Recorder"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\iTop Screen Recorder\\iScrPaint.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"iScrPaint.exe","InternalName":"iScrPaint.exe","FileDescription":"iTop Screen 
Recorder"}],"SHA256":["46afbf1cbd2e1b5e108c133d4079faddc7347231b0c48566fd967a3070745e7f"]}],"Resources":["https://www.virustotal.com/gui/file/063d2c12aa8316b242c5beb9dbbf934be7cee9df93b1612de9aa2f1f3084f0da/relations","https://www.virustotal.com/gui/file/521c0de9a7b2db7d9a65b443dd630a28e2b4e33f8c56336e7630c646aa2cf280/detection"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/itop/webui.html"},{"Name":"jrtools.dll","Author":"Rick Gatenby","Created":"2026-02-03","Vendor":"JRiver","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\J River\\Media Center %VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\J River\\Media Center %VERSION%\\JRService.exe","Type":"Sideloading","SHA256":["2965b9b76bd62fc7ca9e977b09793f37241bf2bf27fe6ced55a3bc569d345038"]}],"Resources":["https://ventdrop.github.io/posts/jriver/"],"Acknowledgements":[{"Name":"Rick Gatenby","Company":"CyberCX"}],"url":"https://hijacklibs.net/entries/3rd_party/jriver/jrtools.html"},{"Name":"krpt.dll","Author":"Still Hsu","Created":"2024-11-09","Vendor":"Kingsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Kingsoft\\WPS Office\\%VERSION%\\office6"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Kingsoft\\WPS Office\\%VERSION%\\office6\\wpp.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"WPS Presentation","OriginalFilename":"wpp.exe","ProductName":"WPS Office"}],"ExpectedSignatureInformation":[{"Subject":"CN=\"Zhuhai Kingsoft Office Software Co., Ltd.\", O=\"Zhuhai Kingsoft Office Software Co., Ltd.\", L=Zhuhai, S=Guangdong, C=CN","Issuer":"CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, 
C=US","Type":"Authenticode"}]}],"Resources":["https://www.virustotal.com/gui/file/4957a62e019c30c0a79e4d2d4dd854f6e8f6e0aadb606e157525d98ee0ac5096","https://www.virustotal.com/gui/file/57acd8566e6cc0526e99d0ba450c662b11a5f70b08bcfe0f326654d9f630a1f1"],"Acknowledgements":[{"Name":"Still Hsu","Twitter":"@AzakaSekai_"}],"url":"https://hijacklibs.net/entries/3rd_party/kingsoft/krpt.html"},{"Name":"dsp_bridge_x64.dll","Author":"Zhangir Ospanov","Created":"2026-01-06","Vendor":"KuGou","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"bridge_plugin_host_x64.exe","Type":"Sideloading","SHA256":["7a54eb34d2b408e1b1491f13ed608eba573cd7ea07045da28223b624fcfed964"],"ExpectedVersionInformation":[{"LegalCopyright":"Copyright 2025 KuGou-Inc.All Rights Reserved","ProductName":"Copyright 2025 KuGou-Inc.All Rights Reserved","FileDescription":"音效插件宿主程序"}],"ExpectedSignatureInformation":[{"Subject":"CN=Guangzhou Kugou Technology Co., Ltd.","Issuer":"CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1","Type":"Authenticode"}]}],"Resources":["https://x.com/s0ld133rr/status/2008531599626055984"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/kugou/dsp_bridge_x64.html"},{"Name":"commfunc.dll","Author":"Wietze Beukema","Created":"2021-12-08","Vendor":"Lenovo","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Lenovo\\Communications Utility"],"VulnerableExecutables":[{"Path":"cammute.exe","SHA256":["457b71d3effea8ec517277d17cf35a0b775103e549c0a779c81ba4eb125503ba"],"Type":"Sideloading"}],"Resources":["https://blog.trendmicro.com/trendlabs-security-intelligence/new-wave-of-plugx-targets-legitimate-apps/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/lenovo/commfunc.html"},{"Name":"quickdeskband.dll","Author":"Wietze 
Beukema","Created":"2024-07-15","Vendor":"Lenovo","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"lenovodesk.exe","Type":"Sideloading","ExpectedVersionInformation":[{"LegalCopyright":"Lenovo All rights reserved","FileDescription":"Showdesk","InternalName":"ShowDesk.exe","OriginalFilename":"ShowDesk.exe","ProductName":"ShowDesk"}],"SHA256":["db0e5a869b63f4ee5ce17e58a35b42ecb9889f9ab4fb7d2d591ff029a0363751"]}],"Resources":["https://twitter.com/StopMalvertisin/status/1722939123470848279","https://twitter.com/RexorVc0/status/1811280904662257907","https://mp.weixin.qq.com/s/IB2w86cXcpmGS8qrOnprKw"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/lenovo/quickdeskband.html"},{"Name":"tts.dll","Author":"Walter Gordillo","Created":"2025-03-14","Vendor":"LeppSoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Soundpad"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Soundpad\\Soundpad.exe","Type":"Sideloading","SHA256":["9b17717dfc9852e2c7b730cce4b8058528667d0b484bb936d3ce07b66ab50d72"]}],"Resources":["https://www.virustotal.com/gui/file/9f45aadddaae7ad3076e0591fa4ccce302248c079dc07f5c9e3da788bdae0292/relations","https://www.virustotal.com/gui/file/af328ef3ae2c81a0ad5937cb186bb45d3190dbee390e180240e0a0218a1bce98"],"Acknowledgements":[{"Name":"Walter Gordillo","Twitter":"@n0tspam","Company":"Praetorian"}],"url":"https://hijacklibs.net/entries/3rd_party/leppsoft/tts.html"},{"Name":"lmiguardiandll.dll","Author":"Christiaan 
Beek","Created":"2023-01-11","Vendor":"LogMeIn","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\LogMeIn","%PROGRAMFILES%\\LogMeIn\\x86","%PROGRAMFILES%\\LogMeIn\\x64"],"VulnerableExecutables":[{"Path":"LMIGuardianSvc.exe","Type":"Sideloading","SHA256":["26c855264896db95ed46e502f2d318e5f2ad25b59bdc47bd7ffe92646102ae0d"]}],"Resources":["https://twitter.com/StopMalvertisin/status/1610961056163311619","https://blog.osarmor.com/311/lmiguardiansvc-exe-logmein-abused-to-sideload-malicious-dll/"],"Acknowledgements":[{"Name":"Kimberly","Twitter":"@StopMalvertisin"}],"url":"https://hijacklibs.net/entries/3rd_party/logmein/lmiguardiandll.html"},{"Name":"facesdk.dll","Author":"Wietze Beukema","Created":"2023-04-04","Vendor":"Luxand","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\luxand\\facesdk\\bin\\win64"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\luxand\\facesdk\\bin\\win64\\FacialFeatureDemo.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=US, ST=Virginia, L=Alexandria, O='Luxand, Inc.', CN='Luxand, Inc.'","Issuer":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA","Type":"Authenticode"}],"SHA256":["0d243cbcd1c3654ca318d2d6d08f4e9d293fc85a68d751a52c23b04314c67b99"]}],"Resources":["https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/luxand/facesdk.html"},{"Name":"ashldres.dll","Author":"Wietze 
Beukema","Created":"2021-12-08","Vendor":"McAfee","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\McAfee.com\\VSO"],"VulnerableExecutables":[{"Path":"mcvsshld.exe","SHA256":["4512d852cad65ab6bee423619ed32188e444ee5518f51adc5502961724af62e7"],"Type":"Sideloading"}],"Resources":["https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-rotten-tomato-campaign.pdf"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/mcafee/ashldres.html"},{"Name":"lockdown.dll","Author":"Wietze Beukema","Created":"2022-06-13","Vendor":"McAfee","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\McAfee\\VirusScan Enterprise"],"VulnerableExecutables":[{"Path":"mfeann.exe","SHA256":["07bbd8a80b5377723b13dbb40a01ca44cbc203369f5e5652a25b448e27ca108c"],"Type":"Sideloading"}],"Resources":["https://twitter.com/thepacketrat/status/1520878930449817600","https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/"],"Acknowledgements":[{"Name":"Sean Gallagher","Twitter":"@thepacketrat"}],"url":"https://hijacklibs.net/entries/3rd_party/mcafee/lockdown.html"},{"Name":"mcutil.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-08-07","Vendor":"McAfee","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\McAfee Inc.\\McAfee Total Protection 2009"],"VulnerableExecutables":[{"Path":"mcoemcpy.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"mcoemcpy.exe","InternalName":"mcoemcpy","FileDescription":"McAfee OEM Info Copy 
Files"}],"SHA256":["3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe"]}],"Resources":["https://www.virustotal.com/gui/file/3bcb28d19a779b6da0c42c1506cd1908f9bcceeffff45f572677e032551f9a96/relations","https://www.virustotal.com/gui/file/b0263de0622050091a0fbf06428229e5da291b87926ca29c8ee3b01a2a514e4f/detection","https://web-assets.esetstatic.com/wls/2018/03/ESET_OceanLotus.pdf","https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"},{"Name":"Craig Sweeney","Company":"Huntress","Twitter":"@bumbucha"}],"url":"https://hijacklibs.net/entries/3rd_party/mcafee/mcutil.html"},{"Name":"siteadv.dll","Author":"Christiaan Beek","Created":"2023-01-16","Vendor":"McAfee","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\SiteAdvisor\\%VERSION%"],"VulnerableExecutables":[{"Path":"siteadv.exe","SHA256":["d3a50abae9ab782b293d7e06c7cd518bbcec16df867f2bdcc106dec1e75dc80b"],"Type":"Sideloading"}],"Resources":["https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf","https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/"],"Acknowledgements":[{"Name":"Christiaan Beek","Twitter":"@ChristiaanBeek"}],"url":"https://hijacklibs.net/entries/3rd_party/mcafee/siteadv.html"},{"Name":"vsodscpl.dll","Author":"Wietze Beukema","Created":"2022-06-13","Vendor":"McAfee","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\McAfee\\VirusScan Enterprise"],"VulnerableExecutables":[{"Path":"scncfg32.exe","SHA256":["8374046690b8bb2468cfa636ebbe731ea79103825d2450057338214d3112909f"],"Type":"Sideloading"}],"Resources":["https://eiploader.wordpress.com/2011/03/28/digitally-signed-malware-without-stealing-certificates/"],"Acknowledgements":[{"Name":"Sean 
Gallagher","Twitter":"@thepacketrat"}],"url":"https://hijacklibs.net/entries/3rd_party/mcafee/vsodscpl.html"},{"Name":"mediainfo_i386.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-06-13","Vendor":"MediaInfo","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\MediaInfo"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\MediaInfo\\MediaInfo.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=FR, S='Auvergne-Rhône-Alpes', L=Curienne, O=MEDIAAREA.NET, CN=MEDIAAREA.NET","Issuer":"C=US, S=Texas, L=Houston, O=SSL Corp, CN=SSL.com Code Signing Intermediate CA RSA R1","Type":"Authenticode"}],"ExpectedVersionInformation":[{"FileDescription":"MediaInfo"}],"SHA256":["4fc64e114f80ce755040ac2891bd1fab0492a831177491f3fe1382adf94030f9"]}],"Resources":["https://www.virustotal.com/gui/file/69d9667cfab126f1c473163771511602497e05a908b3dbeaa29d165af879da97"],"Acknowledgements":[{"Name":"Michael Elford","Company":"Huntress"},{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/mediainfo/mediainfo_i386.html"},{"Name":"tutil32.dll","Author":"Jai Minton","Created":"2025-05-06","Vendor":"mitec","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\PDE"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\PDE\\PDE.exe","Type":"Sideloading","SHA256":["6243d4d73e8d43dd2d4dd7dc3ef761d7c23581ee7f3d047699d894b01bc022d6"],"ExpectedVersionInformation":[{"CompanyName":"MiTeC","FileDescription":"Paradox Data Editor","FileVersion":"3.7.0.0","LegalCopyright":"Copyright (c) 2001-2023, Michal Mutl","OriginalFilename":"PDE.exe","ProductName":"Paradox Data Editor","ProductVersion":"3.0.0.0"}]}],"Resources":["https://www.mitec.cz/pde.html"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@CyberRaiju"}],"url":"https://hijacklibs.net/entries/3rd_party/mitec/tutil32.html"},{"Name":"libxfont-1.dll","Author":"Jai Minton - 
HuntressLabs","Created":"2024-05-10","Vendor":"Mobatek","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Mobatek\\MobaXterm Personal Edition","%PROGRAMFILES%\\Mobatek\\MobaXterm"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Mobatek\\MobaXterm Personal Edition\\MobaXterm.exe","Type":"Sideloading","SHA256":["35132e05638b942403b8a813925de7b54e2e2e35b6ba7a8a081e8b96edd4c0aa"]},{"Path":"%PROGRAMFILES%\\Mobatek\\MobaXterm\\MobaXterm.exe","Type":"Sideloading","SHA256":["35132e05638b942403b8a813925de7b54e2e2e35b6ba7a8a081e8b96edd4c0aa"]}],"Resources":["https://www.virustotal.com/gui/file/b99bd7ffb7634749487570d0b3a7e423047de4ab13a10c2d912660aec322618e/details"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/mobatek/libxfont-1.html"},{"Name":"mozglue.dll","Author":"Wietze Beukema","Created":"2022-09-26","Vendor":"Mozilla","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\SeaMonkey","%PROGRAMFILES%\\Mozilla Firefox","%PROGRAMFILES%\\Mozilla Thunderbird"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\SeaMonkey\\seamonkey.exe","Type":"Sideloading"}],"Resources":["https://twitter.com/SBousseaden/status/1530595156055011330"],"Acknowledgements":[{"Name":"Samir","Twitter":"@sbousseaden"}],"url":"https://hijacklibs.net/entries/3rd_party/mozilla/mozglue.html"},{"Name":"mimetools.dll","Author":"Wietze Beukema","Created":"2024-03-31","Vendor":"Notepad++","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Notepad++\\plugins","%PROGRAMFILES%\\Notepad++\\plugins\\mimetools"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Notepad++\\notepad++.exe","Type":"Sideloading","ExpectedVersionInformation":[{"CompanyName":"Don HO don.h@free.fr","FileDescription":"Notepad++","InternalName":"notepad++.exe","OriginalFilename":"notepad++.exe","ProductName":"Notepad++"}],"ExpectedSignatureInformation":[{"Subject":"CN=\"Notepad++\", O=\"Notepad++\", L=Saint Cloud, S=Ile-de-France, 
C=FR","Issuer":"CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=\"DigiCert, Inc.\", C=US","Type":"Authenticode"}],"SHA256":["a41ecbdc16f1e893c5f40bae38174e14e3d969408b219f3f87fec2460d9fea40"]}],"Resources":["https://twitter.com/Cryptolaemus1/status/1770507063816241440"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/notepad++/mimetools.html"},{"Name":"providers.dll","Author":"Wietze Beukema","Created":"2022-08-01","Vendor":"npm","CVE":"CVE-2022-32223","ExpectedLocations":null,"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\nodejs\\node.exe","Condition":"Node.js versions earlier than 16.16.0 (LTS) and 14.20.0 on Windows","Type":"Phantom"}],"Resources":["https://blog.aquasec.com/cve-2022-32223-dll-hijacking"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/npm/providers.html"},{"Name":"nvsmartmax.dll","Author":"Wietze Beukema","Created":"2023-09-04","Vendor":"Nvidia","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\NVIDIA Corporation\\Display"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\NVIDIA Corporation\\Display\\nvSmartEx.exe","Type":"Sideloading","SHA256":["523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256"]}],"Resources":["https://www.cybereason.com/blog/research/deadringer-exposing-chinese-threat-actors-targeting-major-telcos","https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/nvidia/nvsmartmax.html"},{"Name":"opera_elf.dll","Author":"Wietze Beukema","Created":"2023-07-28","Vendor":"Opera","CVE":null,"ExpectedLocations":["%LOCALAPPDATA%\\Programs\\Opera\\%VERSION%","%LOCALAPPDATA%\\Programs\\Opera 
GX\\%VERSION%","%PROGRAMFILES%\\Opera\\%VERSION%"],"VulnerableExecutables":[{"Path":"%LOCALAPPDATA%\\programs\\opera\\%VERSION%\\opera.exe","Type":"Sideloading","SHA256":["97b2a5f2a7e7b8048162ef93c932e0ffafdd875d54c026524fc3e340d70e4991"],"ExpectedVersionInformation":[{"FileDescription":"Opera Internet Browser","InternalName":"Opera","ProductName":"Opera Internet Browser"}],"ExpectedSignatureInformation":[{"Subject":"CN=Opera Norway AS, O=Opera Norway AS, L=Oslo, S=Oslo, C=NO, SERIALNUMBER=916 368 127","Issuer":"CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=\"DigiCert, Inc.\", C=US","Type":"Authenticode"}]}],"Resources":["https://twitter.com/ShitSecure/status/1566127363389329412"],"Acknowledgements":[{"Name":"S3cur3Th1sSh1t","Twitter":"@ShitSecure"}],"url":"https://hijacklibs.net/entries/3rd_party/opera/opera_elf.html"},{"Name":"jli.dll","Author":"Swachchhanda Shrawan Poudel","Created":"2025-07-09","Vendor":"Oracle","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Java\\%VERSION%\\bin","%PROGRAMFILES%\\%VERSION%\\jre\\bin","%LOCALAPPDATA%\\Temp\\%VERSION%\\bin"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Java\\%VERSION%\\bin\\jsadebugd.exe","Type":"Sideloading","SHA256":["76618263ac3d71779c18526c5ecc75a025ad0c78212b6a2bc089b22a1b8ca567"],"ExpectedVersionInformation":[{"FileVersion":"8.0.2910.9 ","ProductName":"Java(TM) Platform SE 
8","InternalName":"jsadebugd"}]},{"Path":"%PROGRAMFILES%\\Java\\%VERSION%\\bin\\java.exe","Type":"Sideloading"},{"Path":"%PROGRAMFILES%\\Java\\%VERSION%\\bin\\javaw.exe","Type":"Sideloading"}],"Resources":["https://lab52.io/blog/snake-keylogger-in-geopolitical-affairs-abuse-of-trusted-java-utilities-in-cybercrime-operations/","https://www.virustotal.com/gui/file/18e3d1542d9d375f2e1d4631e03e9874fca9a1655ee6d01121d0c94e138be174","https://securelist.com/apt41-in-africa/116986/","https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting"],"Acknowledgements":[{"Name":"Swachchhanda Shrawan Poudel","Company":"Nextron Systems","Twitter":"@_swachchhanda_"}],"url":"https://hijacklibs.net/entries/3rd_party/oracle/jli.html"},{"Name":"launcher.dll","Author":"Jai Minton","Created":"2025-05-07","Vendor":"Oracle","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\SQL Developer\\ide\\bin","%PROGRAMFILES%\\sqldeveloper\\ide\\bin"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\SQL Developer\\sqldeveloper.exe","Type":"Search Order","SHA256":["8ceb437a7a38f035587d2e67a2e9d231552680ac34822f9d9e61b7b978160741"],"ExpectedVersionInformation":[{"CompanyName":"Oracle","FileVersion":"22.2.1.234.1810","ProductName":" Oracle SQL Developer","ProductVersion":"22.2.1"}]}],"Resources":["https://www.virustotal.com/gui/file/c3b48c62b34510e2328b790f9fabed994a91998f36c0c40bcf628b93f40d8ae5/relations"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@CyberRaiju"}],"url":"https://hijacklibs.net/entries/3rd_party/oracle/launcher.html"},{"Name":"qtcorevbox4.dll","Author":"Jai Minton - 
HuntressLabs","Created":"2024-04-15","Vendor":"Oracle","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Oracle\\VirtualBox"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Oracle\\VirtualBox\\VBoxTestOGL.exe","Type":"Sideloading","SHA256":["e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f"]}],"Resources":["https://asec.ahnlab.com/en/58319/","https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd","https://www.virustotal.com/gui/file/a6e6b1a47021fa1e4d36b047f5326eb04d5f545907fc6ac3730162a07cc792ff"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/oracle/qtcorevbox4.html"},{"Name":"vboxrt.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-04-15","Vendor":"Oracle","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Oracle\\VirtualBox"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Oracle\\VirtualBox\\VBoxSVC.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"VirtualBox Interface"}],"SHA256":["448402c129a721812fa1c5f279f5ca906b9c8bbca652a91655d144d20ce5e6b4"]}],"Resources":["https://asec.ahnlab.com/en/58319/","https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/oracle/vboxrt.html"},{"Name":"winutils.dll","Author":"Wietze Beukema","Created":"2023-04-04","Vendor":"Palo Alto","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Palo Alto Networks\\Traps"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Palo Alto Networks\\Traps\\cydump.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=NL, ST=Noord-Holland, L=Amsterdam, O=Palo Alto Networks (Netherlands) B.V., CN=Palo Alto Networks (Netherlands) B.V.","Issuer":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing 
CA","Type":"Authenticode"}],"SHA256":["4874d336c5c7c2f558cfd5954655cacfc85bcfcb512a45fb0ff461ce9c38b86d"],"Condition":"Cortex XDR Dump Service Tool (cydump.exe) version 7.3.0.16740 and before"}],"Resources":["https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/","https://security.paloaltonetworks.com/PAN-SA-2023-0002"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/paloalto/winutils.html"},{"Name":"libeay32.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-04-15","Vendor":"PSPad","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\PSPad editor"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\PSPad editor\\PSPad.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"Text editor"}],"SHA256":["0a97c374a6cc14b54b01deb3be77b28e274ced8c0627efba6b84712284332a7a"]}],"Resources":["https://asec.ahnlab.com/en/58319/","https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd","https://www.virustotal.com/gui/file/7add49ed95d6a9e90988dcbfc54cdb727e0c705e3d79879717849798354e3e25","https://www.virustotal.com/gui/file/a13c09f41979df8717a9d39e15e6ce960c1c4ba6af456a563fa3ff1b8b4d388c"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/pspad/libeay32.html"},{"Name":"python310.dll","Author":"Jai Minton","Created":"2024-05-08","Vendor":"Python","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Python310","%LOCALAPPDATA%\\Temp\\%VERSION%","%PROGRAMFILES%\\DWAgent\\runtime","%USERPROFILE%\\anaconda3"],"VulnerableExecutables":[{"Path":"pythonw.exe","Type":"Sideloading"},{"Path":"dwagent.exe","Type":"Sideloading"}],"Resources":["https://www.virustotal.com/gui/file/115fba7a9ea7d2e38d042c7fa5f81209e0d712c107ceb2eafe2f27f94c8f6054/details"],"Acknowledgements":[{"Name":"Jai 
Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/python/python310.html"},{"Name":"python311.dll","Author":"Swachchhanda Shrawan Poudel","Created":"2024-10-02","Vendor":"Python","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Python311","%LOCALAPPDATA%\\Programs\\Python\\Python311"],"VulnerableExecutables":[{"Path":"pythonw.exe","Type":"Sideloading","SHA256":["24385D352B83222DC5AB92FA57B6649854ECD74DE378E279D8AC20A0B3B16009"],"ExpectedVersionInformation":[{"OriginalFilename":"pythonw.exe","ProductName":"Python","InternalName":"Python Application","CompanyName":"Python Software Foundation","FileDescription":"Python"}]}],"Resources":["https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/","https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/","https://www.virustotal.com/gui/file/9514035fea8000a664799e369ae6d3af6abfe8e5cda23cdafbede83051692e63","https://www.rapid7.com/blog/post/2024/05/13/ongoing-malvertising-campaign-leads-to-ransomware/"],"Acknowledgements":[{"Name":"Swachchhanda Shrawan Poudel","Twitter":"@_swachchhanda_"}],"url":"https://hijacklibs.net/entries/3rd_party/python/python311.html"},{"Name":"python39.dll","Author":"Wietze Beukema","Created":"2022-09-26","Vendor":"Python","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Python39","%LOCALAPPDATA%\\Temp\\%VERSION%","%PROGRAMFILES%\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\CommonExtensions\\Microsoft\\VC\\SecurityIssueAnalysis\\python","%USERPROFILE%\\anaconda3"],"VulnerableExecutables":[{"Path":"python39.exe","Type":"Sideloading"}],"Resources":["https://twitter.com/SBousseaden/status/1530595156055011330"],"Acknowledgements":[{"Name":"Samir","Twitter":"@sbousseaden"}],"url":"https://hijacklibs.net/entries/3rd_party/python/python39.html"},{"Name":"keyscramblerie.dll","Author":"Matt Anderson - HuntressLabs, Swachchhanda Shrawan 
Poudel","Created":"2024-04-15","Vendor":"QFX","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\KeyScrambler"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\KeyScrambler\\KeyScrambler.exe","Type":"Sideloading","SHA256":["f1575259753f52aaabbd6baad3069605d764761c1da92e402f3e781ed3cf7cea","fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1"]}],"Resources":["https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html","https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/","https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/","https://twitter.com/Max_Mal_/status/1775222576639291859","https://twitter.com/DTCERT/status/1712785426895839339","https://www.virustotal.com/gui/file/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/details","https://www.virustotal.com/gui/file/9cfdc3fe2a10fe2b514fc224c9c8740e1de039d90b9c17f85b64ff29d4a4ebb1"],"Acknowledgements":[{"Name":"Matt Anderson","Company":"Huntress","Twitter":"@nosecurething"},{"Name":"Swachchhanda Shrawan Poudel","Twitter":"@_swachchhanda_"}],"url":"https://hijacklibs.net/entries/3rd_party/qfx/keyscramblerie.html"},{"Name":"qt5core.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-06-13","Vendor":"Qt","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Electronic Arts\\EA Desktop\\EA Desktop","%PROGRAMFILES%\\Microsoft Onedrive\\%VERSION%","%LOCALAPPDATA%\\Microsoft\\Onedrive\\%VERSION%","%PROGRAMFILES%\\Dropbox\\Client\\%VERSION%","%PROGRAMFILES%\\LogiOptionsPlus"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Electronic Arts\\EA Desktop\\EA Desktop\\EASteamProxy.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=US, ST=CALIFORNIA, L=Redwood City, O='Electronic Arts, Inc.', OU=EAC, CN='Electronic Arts, Inc.'","Issuer":"C=US, O='DigiCert, Inc.', CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 
CA1","Type":"Authenticode"}],"SHA256":["4e775b5fafb4e6d89a4694f8694d2b8b540534bd4a52ff42f70095f1c929160e"]}],"Resources":["https://www.virustotal.com/gui/file/2251e6582a12427b9b70d0e9ec7c8c27debe22b0a08b6ff6be46f4fb8914338c","https://www.virustotal.com/gui/file/173e138d5cf12f7eb55a67bcf3afc97ac1d7598fe4290ca4f125f28692e90fed"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/qt/qt5core.html"},{"Name":"qt5network.dll","Author":"Jai Minton","Created":"2025-05-09","Vendor":"Qt","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\LSoft Technologies\\Active@ Data Studio","%PROGRAMFILES%\\LSoft Technologies\\Active@ File Recovery","%PROGRAMFILES%\\LSoft Technologies\\Active@ Disk Editor","%PROGRAMFILES%\\LSoft Technologies\\Active@ Password Changer","%PROGRAMFILES%\\LSoft Technologies\\Active@ ISO Manager","%PROGRAMFILES%\\LSoft Technologies\\Active@ UNERASER","%PROGRAMFILES%\\LSoft Technologies\\Active@ KillDisk 25","%PROGRAMFILES%\\LSoft Technologies\\Active@ UNDELETE","%PROGRAMFILES%\\LSoft Technologies\\Active@ Disk Monitor","%PROGRAMFILES%\\LSoft Technologies\\Active@ Partition Manager"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\LSoft Technologies\\Active@ Password Changer\\PasswordChanger.exe","Type":"Sideloading","SHA256":["6f7f390b2012e7dfef9fcbd673a4a0256e2e217b11831e9a27a9d460ba57c0d2"],"ExpectedVersionInformation":[{"CompanyName":"LSoft Technologies Inc.","FileDescription":"Active@ Password Changer","FileVersion":"24.0.1.0","InternalName":"PasswordChanger","LegalCopyright":"Copyright (c) 1999-2024 LSoft Technologies Inc.","OriginalFilename":"PasswordChanger.exe","ProductName":"Active@ Password Changer","ProductVersion":"24.0.1.0"}],"ExpectedSignatureInformation":[{"Type":"Authenticode","Subject":"CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US","Issuer":"CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western 
Cape,C=ZA"}]}],"Resources":["https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/","https://www.virustotal.com/gui/file/dc36a3d95d9a476d773b961b15b188aa3aae0e0a875bca8857fca18c691ec250"],"Acknowledgements":[{"Name":"Micah Babinski"},{"Name":"Jai Minton","Company":"Huntress","Twitter":"@CyberRaiju"}],"url":"https://hijacklibs.net/entries/3rd_party/qt/qt5network.html"},{"Name":"qtgui4.dll","Author":"Jai Minton - HuntressLabs","Created":"2025-04-10","Vendor":"Qt","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Audacity","%PROGRAMFILES%\\AOMEI\\AOMEI Backupper\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Audacity\\crashreporter.exe","Type":"Sideloading","SHA256":["51de0b104e9ced3028a41d01dedf735809eb7f60888621027c7f00f0fcf9c834"]},{"Path":"%PROGRAMFILES%\\AOMEI\\AOMEI Backupper\\%VERSION%\\ShortcutTaskAgent.exe","Type":"Sideloading","SHA256":["7e6b2664f4417f5a8f981ced5f2eef867cb72bca990fe3864d76d878ff62cf52"]}],"Resources":["https://www.virustotal.com/gui/file/dbdf5e11ec81ed1d941ec16fc7b94ab65f814ceb1e7fb524f2c64cbb422f7382/details","https://forum.eset.com/topic/44610-im-afraid-i-did-something-stupid-and-im-usually-very-careful-i-keep-getting-an-address-has-been-blocked-message/page/2/"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/qt/qtgui4.html"},{"Name":"asfbncor.dll","Author":"Jai Minton","Created":"2025-05-06","Vendor":"Radioactive","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Replay Media Splitter"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Replay Media Splitter\\ReplayMediaSplitter.exe","Type":"Sideloading","SHA256":["74b86605a3a2100a9c80bfabc84d22f69b2123ae0a942a1b9a3c4ed050186e0c"],"ExpectedVersionInformation":[{"FileDescription":"Replay Media Splitter","FileVersion":"5.0.2402.6","InternalName":"ReplayMediaSplitter","OriginalFilename":"ReplayMediaSplitter.exe","ProductName":"Replay Media 
Splitter","ProductVersion":"5.0.2402.6"}]}],"Resources":["https://www.virustotal.com/gui/file/d1d824fc5f3354f68324a319026d089926655b6ce25538279e26c0986374026b/relations"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@CyberRaiju"}],"url":"https://hijacklibs.net/entries/3rd_party/radioactive/asfbncor.html"},{"Name":"rzlog4cpp_logger.dll","Author":"Wietze Beukema","Created":"2023-04-03","Vendor":"Razer","CVE":null,"ExpectedLocations":["%LOCALAPPDATA%\\razer\\InGameEngine\\cache\\RzFpsApplet"],"VulnerableExecutables":[{"Path":"%LOCALAPPDATA%\\razer\\InGameEngine\\cache\\RzFpsApplet\\RzCefRenderProcess.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=US, ST=California, L=Irvine, O=Razer USA Ltd., CN=Razer USA Ltd.","Issuer":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA","Type":"Authenticode"}],"SHA256":["fb5edfcba99e2df2b7f6f40e8615f5cb247803180464e584161c7c91405aae4a"]}],"Resources":["https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia","https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/razer/rzlog4cpp_logger.html"},{"Name":"flutter_gpu_texture_renderer_plugin.dll","Author":"Wietze Beukema","Created":"2025-02-15","Vendor":"Rustdesk","CVE":null,"ExpectedLocations":["%LOCALAPPDATA%\\rustdesk","%PROGRAMFILES%\\RustDesk"],"VulnerableExecutables":[{"Path":"%LOCALAPPDATA%\\rustdesk\\rustdesk.exe","Type":"Sideloading","ExpectedVersionInformation":[{"CompanyName":"Purslane Ltd","FileDescription":"RustDesk Remote Desktop","InternalName":"rustdesk","OriginalFilename":"rustdesk.exe","ProductName":"RustDesk"}],"ExpectedSignatureInformation":[{"Subject":"CN=PURSLANE, O=PURSLANE, S=North West, C=SG, SERIALNUMBER=53481265A","Issuer":"CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, 
C=GB","Type":"Authenticode"}],"SHA256":["8128917d9f3e7ecabbc39f4c221afdf9171ee8b71b2c0ef11fce8e14c13c91fe"]}],"Resources":["https://www.trendmicro.com/en_us/research/25/a/how-cracks-and-installers-bring-malware-to-your-device.html","https://www.virustotal.com/gui/file/857e4cb0b41f7aac5494c8554601888c1c82202de3dab7258b2ff322bc94ca43"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/rustdesk/flutter_gpu_texture_renderer_plugin.html"},{"Name":"libngs.dll","Author":"Swachchhanda Shrawan Poudel","Created":"2026-01-28","Vendor":"Sangfor","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Sangfor\\SSL\\RemoteAppClient\\"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Sangfor\\SSL\\RemoteAppClient\\SRAPSession.exe","Type":"Sideloading","SHA256":["7b89e772d2c2ba49faa113ea1431a08103c8cec06015e141f2422c1a82690c15"]}],"Resources":["https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/"],"Acknowledgements":[{"Name":"Swachchhanda Shrawan Poudel","Company":"Nextron Systems","Twitter":"@_swachchhanda_"}],"url":"https://hijacklibs.net/entries/3rd_party/sangfor/libngs.html"},{"Name":"epnsm.dll","Author":"Jai Minton","Created":"2025-05-06","Vendor":"seiko","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Epson Software\\Document Capture Server","%PROGRAMFILES%\\Epson Software\\Event Manager"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Epson Software\\Document Capture Server\\EEventManager.exe","Type":"Sideloading","SHA256":["88760201ada655d230fb40988bb50fdd46b152c9407565d0a4081d4540c0ac01"],"ExpectedVersionInformation":[{"CompanyName":"Seiko Epson Corporation","FileDescription":"Epson Event Manager","FileVersion":"3.11.58.0","InternalName":"EEventManager","LegalCopyright":"Copyright (C) Seiko Epson Corporation 2003-2022, All rights reserved.","OriginalFilename":"EEventManager.EXE","ProductName":"Epson Event 
Manager","ProductVersion":"3.11.58.0"}],"ExpectedSignatureInformation":[{"Type":"Authenticode","Subject":"CN=SEIKO EPSON CORPORATION,O=SEIKO EPSON CORPORATION,L=Suwa-Shi,ST=Nagano,C=JP","Issuer":"CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\\, Inc.,C=US"}]}],"Resources":["https://www.virustotal.com/gui/file/d70cd4df89b101f34ea6b17bc07a88b096bae2220fb04e200443b09a2b681091/relations","https://www.virustotal.com/gui/file/8313f3970982cbd425a0c769c8a690fef456d31d321c7de1e588e572948afed9/details"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@CyberRaiju"}],"url":"https://hijacklibs.net/entries/3rd_party/seiko/epnsm.html"},{"Name":"sentinelagentcore.dll","Author":"Amelia Casley","Created":"2025-08-13","Vendor":"SentinelOne","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\SentinelOne\\Sentinel Agent %VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\SentinelOne\\Sentinel Agent %VERSION%\\SentinelBrowserNativeHost.exe","Type":"Sideloading","SHA256":["0d9dfc113712054d8595b50975efd9c68f4cb8960eca010076b46d2fba3d2754"],"ExpectedVersionInformation":[{"CompanyName":"SentinelOne, Inc.","FileDescription":"SentinelBrowserNativeHost","FileVersion":"24.1.5.277","InternalName":"SentinelBrowserNativeHost","LegalCopyright":"SentinelOne, Inc.","OriginalFilename":"SentinelBrowserNativeHost.exe","ProductName":"Sentinel Agent","ProductVersion":"24.1.5.277"}]},{"Path":"%PROGRAMFILES%\\SentinelOne\\Sentinel Agent %VERSION%\\SentinelAgentWorker.exe","Type":"Sideloading","SHA256":["be754c0950c015d5136029e05db65aca19952c51101554391b04ace47d2c82df"],"ExpectedVersionInformation":[{"CompanyName":"SentinelOne, Inc.","FileDescription":"Sentinel Agent Worker","InternalName":"SentinelAgentWorker","LegalCopyright":"SentinelOne, Inc.","OriginalFilename":"SentinelAgentWorker.exe","ProductName":"Sentinel Agent"}]}],"Resources":["https://twitter.com/pe4Chscreeching/status/1955624714241810488"],"Acknowledgements":[{"Name":"Amelia 
Casley","Company":"Huntress Labs","Twitter":"@pe4Chscreeching"},{"Name":"Tanner Filip","Company":"Huntress Labs","Twitter":"@wbmmfq"}],"url":"https://hijacklibs.net/entries/3rd_party/sentinelone/sentinelagentcore.html"},{"Name":"roboform-x64.dll","Author":"Rick Gatenby","Created":"2026-02-03","Vendor":"Siber Systems","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Siber Systems\\AI RoboForm\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Siber Systems\\AI RoboForm\\%VERSION%\\robotaskbaricon-x64.exe","Type":"Sideloading","SHA256":["4f0d9b837001893dc083bcc77c709ea07ad1d0a48657c154760f996d16155f08"]}],"Resources":["https://www.trendmicro.com/en_us/research/25/b/updated-shadowpad-malware-leads-to-ransomware-deployment.html","https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_side_load_robform.yml"],"Acknowledgements":[{"Name":"Rick Gatenby","Company":"CyberCX"}],"url":"https://hijacklibs.net/entries/3rd_party/sibersystems/roboform-x64.html"},{"Name":"roboform.dll","Author":"Rick Gatenby","Created":"2026-02-03","Vendor":"Siber Systems","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Siber Systems\\AI RoboForm"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe","Type":"Sideloading","SHA256":["aa1233393dded792b74e334c50849c477c4b86838b32ef45d6ab0dc36b4511e3"]}],"Resources":["https://www.trendmicro.com/en_us/research/25/b/updated-shadowpad-malware-leads-to-ransomware-deployment.html","https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_side_load_robform.yml"],"Acknowledgements":[{"Name":"Rick Gatenby","Company":"CyberCX"}],"url":"https://hijacklibs.net/entries/3rd_party/sibersystems/roboform.html"},{"Name":"smadhook32c.dll","Author":"Wietze 
Beukema","Created":"2023-04-04","Vendor":"Smadav","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Smadav"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Smadav\\SmadHook.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=ID, L=Palangkaraya, O=Zainuddin Nafarin, CN=Zainuddin Nafarin","Issuer":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA","Type":"Authenticode"}],"SHA256":["4f54a6555a7a3bec84e8193d2ff9ae75eb7f06110505e78337fa2f515790a562"]}],"Resources":["https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/smadav/smadhook32c.html"},{"Name":"sqlite.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-05-06","Vendor":"SoftPerfect","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\NetWorx"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\NetWorx\\networx.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"NetWorx Application (64-bit)"}],"SHA256":["29345d9c6ff0106c9032b15e2c88f17bc8972ed843d1b5c044cf17d00f1d45c5"]}],"Resources":["https://www.virustotal.com/gui/file/0271e401ca9e430868f45148a04680295929450aecc537285359a28605645daf","https://www.virustotal.com/gui/file/4489bffe08dcbd1e9741f9b66f8ba10b7526318a1dc8d190aef13bbc1599b0f7/details"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/softperfect/sqlite.html"},{"Name":"safestore32.dll","Author":"Wietze Beukema","Created":"2023-09-04","Vendor":"Sophos","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Sophos\\Sophos Anti-Virus"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Sophos\\Sophos Anti-Virus\\ssr32.exe","Type":"Sideloading","Condition":"Assumes version 1.3.0.1 or before, included in Sophos Endpoint installations prior to version 
2021.3"}],"Resources":["https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/sophos/safestore32.html"},{"Name":"libsqlite3-0.dll","Author":"Swachchhanda Shrawan Poudel","Created":"2025-07-12","Vendor":"SQLite","CVE":null,"ExpectedLocations":["%PROGRAMFILES%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\FileZilla FTP Client\\filezilla.exe","Type":"Sideloading","SHA256":["ab3a652984d875269b7e7487d38852cd8301d5d4c57030b9640f097549fd6d8b"],"ExpectedVersionInformation":[{"FileDescription":"FileZilla FTP Client","FileVersion":"3, 68, 1, 0","InternalName":"FileZilla 3","OriginalFilename":"filezilla.exe","ProductName":"FileZilla"}]}],"Resources":["https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/","https://www.virustotal.com/gui/file/506ab08d0a71610793ae2a5c4c26b1eb35fd9e3c8749cd63877b03c205feb48a/details"],"Acknowledgements":[{"Name":"Swachchhanda Shrawan Poudel","Company":"Nextron Systems","Twitter":"@_swachchhanda_"}],"url":"https://hijacklibs.net/entries/3rd_party/sqlite/libsqlite3-0.html"},{"Name":"ldvpocx.ocx","Author":"Wietze Beukema","Created":"2023-04-22","Vendor":"Symantec","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Symantec_Client_Security\\Symantec AntiVirus","%PROGRAMFILES%\\Symantec AntiVirus"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Symantec_Client_Security\\Symantec AntiVirus\\ldvpreg.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=US, ST=California, L=Santa Monica, O=Symantec Corporation, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Symantec Research Labs, CN=Symantec Corporation","Issuer":"C=US, O='VeriSign, Inc.', OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 
CA","Type":"Authenticode"}],"SHA256":["61d1943f0b702f4c16bb37228ade1d8f0ef4675b480921950d026c82e4a65fde"]}],"Resources":["https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox","https://github.com/RedDrip7/APT_Digital_Weapon/blob/master/APT27/APT27_hash.md","https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/symantec/ldvpocx.html"},{"Name":"rastls.dll","Author":"Wietze Beukema","Created":"2023-02-26","Vendor":"Symantec","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Symantec\\Network Connected Devices Auto Setup","%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Symantec\\Network Connected Devices Auto Setup\\rastlsc.exe","Type":"Sideloading","SHA256":["f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68"],"ExpectedSignatureInformation":[{"Issuer":"CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O=\"VeriSign, Inc.\", C=US","Subject":"CN=Symantec Corporation, OU=Symantec Research Labs, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Symantec Corporation, L=Santa Monica, S=California, C=US","Type":"Authenticode"}]}],"Resources":["https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf","https://vms.drweb.com/virus/?i=21995051","https://www.hexacorn.com/blog/2023/02/25/beyond-good-ol-run-key-part-141/"],"Acknowledgements":[{"Name":"Adam","Twitter":"@Hexacorn"}],"url":"https://hijacklibs.net/entries/3rd_party/symantec/rastls.html"},{"Name":"shellsel.ocx","Author":"Wietze Beukema","Created":"2023-04-04","Vendor":"Symantec","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"symantec.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=US, 
ST=California, L=Santa Monica, O=Symantec Corporation, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Symantec Research Labs, CN=Symantec Corporation","Issuer":"C=US, O='VeriSign, Inc.', OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA","Type":"Authenticode"}],"SHA256":["61d1943f0b702f4c16bb37228ade1d8f0ef4675b480921950d026c82e4a65fde"]}],"Resources":["https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/","https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/symantec/shellsel.html"},{"Name":"madhcnet32.dll","Author":"Jai Minton - HuntressLabs","Created":"2025-04-10","Vendor":"Systemsoftware Mathias Rauen","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Multimedia\\K-Lite Codec Pack\\Filters\\madVR","%PROGRAMFILES%\\K-Lite Codec Pack\\Filters\\madVR"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\K-Lite Codec Pack\\Filters\\madVR\\madHcCtrl.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"madHcCtrl.exe","FileDescription":"mad* home cinema control"}],"SHA256":["69a90665113bd73b30360d87f7f6ed2c789a90a67f3b6e86474e21273a64f699"]}],"Resources":["https://www.virustotal.com/gui/file/d98677d4cf165a8885dc16e8a8411b36bfe39b10e188c6277253173b3ff73346/relations"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/systemsoftwaremathiasrauen/madhcnet32.html"},{"Name":"mfcu100u.dll","Author":"Josh Allman","Created":"2025-02-28","Vendor":"Tech Smith","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\TechSmith\\Camtasia Studio 8"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\TechSmith\\Camtasia Studio 
8\\CamMenuMaker.exe","Type":"Sideloading","SHA256":["88a1f9a40eb7ece8999092b2872b6afde0fb3776e29384c5b00631bb0fca34d1"]}],"Resources":["https://www.virustotal.com/gui/file/73670defa750d0a09470356279494a0c947245229d283c42e7ef0f2b8427b847"],"Acknowledgements":[{"Name":"Josh Allman","Twitter":"@xorjosh","Company":"Huntress"},{"Name":"Dipo R","Twitter":"@dipotwb","Company":"Huntress"}],"url":"https://hijacklibs.net/entries/3rd_party/techsmith/mfcu100u.html"},{"Name":"tpsvc.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-04-15","Vendor":"ThinPrint","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\VMWare\\VMWare Tools","%PROGRAMFILES%\\Common Files\\ThinPrint"],"VulnerableExecutables":[{"Path":"TPAutoConnect.exe","Type":"Sideloading","SHA256":["e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f"]}],"Resources":["https://asec.ahnlab.com/en/58319/","https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd","https://www.virustotal.com/gui/file/a6e6b1a47021fa1e4d36b047f5326eb04d5f545907fc6ac3730162a07cc792ff"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/thinprint/tpsvc.html"},{"Name":"cc3260mt.dll","Author":"Jai Minton - HuntressLabs","Created":"2025-02-19","Vendor":"TiVo","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\TiVo\\Desktop"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\TiVo\\Desktop\\TiVoServer.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"TiVoServer.exe","InternalName":"TiVoServer.exe","FileDescription":"TiVo Server Service Process"}],"SHA256":["482ec2cfaba9e58435c807cf43f6cfa3eff0093d0128b066378e103e6ddf69ec"]}],"Resources":["https://www.virustotal.com/gui/file/3d8181ea38667550d141f813372b2d7bae7b7f43cdc17e24688d72be97751505/details"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"},{"Name":"Josh 
Allman","Company":"Huntress","Twitter":"@xorjosh"}],"url":"https://hijacklibs.net/entries/3rd_party/tivo/cc3260mt.html"},{"Name":"tosbtkbd.dll","Author":"Wietze Beukema","Created":"2022-06-14","Vendor":"Toshiba","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Toshiba\\Bluetooth Toshiba Stack"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Toshiba\\Bluetooth Toshiba Stack\\TosBtKbd.exe","Type":"Sideloading"}],"Resources":["https://www.secureworks.com/research/shadowpad-malware-analysis","https://vms.drweb.com/virus/?i=21995048","https://www.hexacorn.com/blog/2023/02/25/beyond-good-ol-run-key-part-141/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/toshiba/tosbtkbd.html"},{"Name":"tmdbg64.dll","Author":"Still Hsu","Created":"2025-11-05","Vendor":"Trend Micro","CVE":null,"ExpectedLocations":["%LOCALAPPDATA%\\Temp\\ClnExtor\\PCCNT","%PROGRAMFILES%\\Trend Micro\\Security Agent"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Trend Micro\\Security Agent\\TmPfw.exe","Type":"Sideloading","SHA256":["d54232565d5ed24955a9e7dbed5322ff4df26fa49bc5aff5cee698bb3608609f"],"ExpectedVersionInformation":[{"CompanyName":"Trend Micro Inc.","FileDescription":"Trend Micro Personal Firewall Service","FileVersion":"5.83.0.1060","InternalName":"TmPfw","LegalCopyright":"Copyright (C) 2015-2018 Trend Micro Incorporated. 
All rights reserved.","OriginalFilename":"TmPfw.exe","ProductName":"Trend Micro Network Security Components","ProductVersion":"5.83"}],"ExpectedSignatureInformation":[{"Type":"Authenticode","Subject":"CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US","Issuer":"CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA"}]}],"Resources":["https://www.virustotal.com/gui/file/5ee36bf41e2604db18a46515139d0c7bee9a6665e968d4b281cac329e26163d0"],"Acknowledgements":[{"Name":"Still Hsu","Twitter":"@AzakaSekai_"}],"url":"https://hijacklibs.net/entries/3rd_party/trendmicro/tmdbg64.html"},{"Name":"tmdbglog.dll","Author":"Christiaan Beek","Created":"2023-01-16","Vendor":"Trend Micro","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Trend Micro\\Titanium"],"VulnerableExecutables":[{"Path":"PtWatchDog.exe","SHA256":["75f2e752983a9f46082e7b35820f23db577a5aff9ad946b05b0d3871a9df686b"],"Type":"Sideloading"}],"Resources":["https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/"],"Acknowledgements":[{"Name":"Christiaan Beek","Twitter":"@ChristiaanBeek"}],"url":"https://hijacklibs.net/entries/3rd_party/trendmicro/tmdbglog.html"},{"Name":"tmtap.dll","Author":"Wietze Beukema","Created":"2022-05-26","Vendor":"Trend Micro","CVE":"CVE-2019-14687","ExpectedLocations":null,"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\trend micro\\passwordmanager\\pwmsvc.exe","Type":"Phantom","Condition":"Trend Micro Password Manager <=5.0.0.1058","PrivilegeEscalation":true}],"Resources":["https://medium.com/@infiniti_css/trend-micro-password-manager-dll-hijack-fa839acaad59"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/trendmicro/tmtap.html"},{"Name":"utiluniclient.dll","Author":"Wietze Beukema","Created":"2021-02-28","Vendor":"Trend Micro","CVE":"CVE-2019-15628","ExpectedLocations":null,"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\trend 
micro\\amsp\\coreserviceshell.exe","Type":"Phantom","Condition":"Trend Micro Maximum Security <=16.0.1221","PrivilegeEscalation":true}],"Resources":["https://safebreach.com/blog/2019/trend-micro-security-16-dll-search-order-hijacking-and-potential-abuses/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/trendmicro/utiluniclient.html"},{"Name":"unityplayer.dll","Author":"Wietze Beukema","Created":"2023-05-03","Vendor":"Unity","CVE":null,"ExpectedLocations":["%LOCALAPPDATA%\\Temp\\%VERSION%\\Windows"],"VulnerableExecutables":[{"Path":"KingdomTwoCrowns.exe","Type":"Sideloading","SHA256":["03b1df2b08999262c772b67a7bd65e9e8f6058036b5e7a382f06d3aa672854d0"]}],"Resources":["https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/unity/unityplayer.html"},{"Name":"crashhandler.dll","Author":"Still Hsu","Created":"2025-11-20","Vendor":"Valve","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Steam"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Steam\\bin\\steam_monitor.exe","Type":"Sideloading","SHA256":["8c0051a83b3611ff2b669b670aa005633f3d9e844454a112b31d2a4bc944a234"],"ExpectedVersionInformation":[{"CompanyName":"Valve Corporation","FileDescription":"steam_monitor.exe","FileVersion":"09.86.62.31","InternalName":"steam_monitor.exe (buildbot_steam-relclient-w32.build.valve.org_steam_rel_client_win32@steam-relclient-w32)","LegalCopyright":"Copyright (C) 2016 Valve Corporation","OriginalFilename":"steam_monitor.exe","ProductName":"Steam","ProductVersion":"01.00.00.01"}],"ExpectedSignatureInformation":[{"Type":"Authenticode","Subject":"CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US","Issuer":"CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert 
Inc,C=US"}]}],"Resources":["https://x.com/AzakaSekai_/status/1991358486912069774","https://www.virustotal.com/gui/file/c4e3c29367426fe4ed718ab448fbdf2cf8690c81ea539805569cdff88317db9f"],"Acknowledgements":[{"Name":"Still Hsu","Twitter":"@AzakaSekai_"}],"url":"https://hijacklibs.net/entries/3rd_party/valve/crashhandler.html"},{"Name":"vstdlib_s64.dll","Author":"Still Hsu","Created":"2024-09-24","Vendor":"Valve","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Steam"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Steam\\steamerrorreporter64.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"steamerrorreporter.exe","InternalName":"steamerrorreporter.exe","OriginalFilename":"steamerrorreporter.exe","ProductName":"Steam"}],"ExpectedSignatureInformation":[{"Subject":"CN=Valve Corp., O=Valve Corp., L=Bellevue, S=Washington, C=US","Issuer":"CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA, O=\"DigiCert, Inc.\", C=US","Type":"Authenticode"}],"SHA256":["0a0c09753b5103e86e32c2d8086dd1399f0d97a00e1525ec9c390067cdb242ba"]}],"Resources":["https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-09-19-IOCs-for-file-downloader-to-Lumma-Stealer.txt","https://twitter.com/Unit42_Intel/status/1837137726409158770"],"Acknowledgements":[{"Name":"Unit 42","Twitter":"@Unit42_Intel"}],"url":"https://hijacklibs.net/entries/3rd_party/valve/vstdlib_s64.html"},{"Name":"vntfxf32.dll","Author":"Wietze Beukema","Created":"2023-04-04","Vendor":"VentaFax","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Venta\\VentaFax & Voice"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Venta\\VentaFax & Voice\\spoololk.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=RU, ST=St. Petersburg, L=St. 
Petersburg, O=Venta Association, CN=Venta Association","Issuer":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA","Type":"Authenticode"}],"SHA256":["390d75e6c7fc1cf258145dc712c1fac1eb183efccee1b03c058cec1d790e46b1"]}],"Resources":["https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/ventafax/vntfxf32.html"},{"Name":"vivaldi_elf.dll","Author":"Wietze Beukema","Created":"2023-04-22","Vendor":"Vivaldi","CVE":null,"ExpectedLocations":["%LOCALAPPDATA%\\Vivaldi\\Application","%LOCALAPPDATA%\\Vivaldi\\Application\\%VERSION%","%LOCALAPPDATA%\\Programs\\Vivaldi\\Application\\%VERSION%"],"VulnerableExecutables":[{"Path":"%LOCALAPPDATA%\\Vivaldi\\Application\\vivaldi.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"serialNumber=912 309 975, C=NO, ST=Oslo, L=Oslo, street=Mølleparken 6, O=Vivaldi Technologies AS, CN=Vivaldi Technologies AS","Issuer":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R45 EV CodeSigning CA 2020","Type":"Authenticode"}],"SHA256":["58e7af5eb1acb5c9bee821d59054c69263aed3dce1b95616255dea7114ad8494"]}],"Resources":["https://securityintelligence.com/posts/vizom-malware-targets-brazilian-bank-customers-remote-overlay/","https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/vivaldi/vivaldi_elf.html"},{"Name":"libvlc.dll","Author":"Wietze 
Beukema","Created":"2022-11-18","Vendor":"VLC","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\VideoLAN\\VLC"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\VideoLAN\\VLC\\vlc.exe","Type":"Sideloading","SHA256":["6f924de3f160984740fbac66cf9546125330fc00f4f5d2dbf05601d9d930b7d9"]}],"Resources":["https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/","https://www.microsoft.com/en-us/security/blog/2018/11/08/attack-uses-malicious-inpage-document-and-outdated-vlc-media-player-to-give-attackers-backdoor-access-to-targets/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html"},{"Name":"libvlccore.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-04-15","Vendor":"VLC","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\VideoLAN\\VLC"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\VideoLAN\\VLC\\vlc.exe","Type":"Sideloading","SHA256":["1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937"]}],"Resources":["https://asec.ahnlab.com/en/58319/","https://www.virustotal.com/gui/file/33c08eeaff6e9aa686a14144cb84d1895f260d28b767a0d2a10dbe427a65d7c0"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/vlc/libvlccore.html"},{"Name":"glib-2.0.dll","Author":"Wietze Beukema","Created":"2023-04-03","Vendor":"VMWare","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\VMware\\VMware Tools","%PROGRAMFILES%\\VMware\\VMware Workstation","%PROGRAMFILES%\\VMware\\VMware Player"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\VMware\\VMware Tools\\VMwareXferlogs.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=US, ST=California, L=Palo Alto, O='VMware, Inc.', CN='VMware, Inc.'","Issuer":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing 
CA-1","Type":"Authenticode"}],"SHA256":["935e10f5169397a67f4c36bffbc3ba46c3957b7521edd3fa83bd975157b79bd8"]}],"Resources":["https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/vmware/glib-2.0.html"},{"Name":"shfolder.dll","Author":"Wietze Beukema","Created":"2021-11-21","Vendor":"VMWare","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\VMNat.exe","Type":"Sideloading"}],"Resources":["https://twitter.com/dissectmalware/status/978017957480628226"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/vmware/shfolder.html"},{"Name":"vmtools.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-05-27","Vendor":"VMWare","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\VMware\\VMware Tools","%PROGRAMFILES%\\VMware\\VMware Workstation","%PROGRAMFILES%\\VMware\\VMware Player"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\VMware\\VMware Tools\\rvmSetup.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"rvmSetup.exe","InternalName":"rvmSetup","FileDescription":"VMware RVM Setup Service"}],"SHA256":["0e6f5eaa2cd91747213f6aec05e3de6fb46ea2b7cf4d5f3ac267128abc784d00"]}],"Resources":["https://www.virustotal.com/gui/file/a3d340480fc015cd7c548fccad9218222c37178af95727b612d768d8e4b24964/details"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/vmware/vmtools.html"},{"Name":"avutil.dll","Author":"Wietze Beukema","Created":"2024-07-01","Vendor":"VSO Software","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\VSO\\ConvertX\\7","%PROGRAMFILES%\\VSO\\convertXtoDVD","%PROGRAMFILES%\\Common 
Files\\Oracle\\Java\\javapath"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\VSO\\ConvertX\\7\\ConvertXToDVD.exe","Type":"Sideloading","ExpectedVersionInformation":[{"CompanyName":"VSO Software SARL","FileDescription":"Converter from almost all type of video/audio file to DVD that can be played on every standalone DVD players","InternalName":"ConvertXToDVD 7","LegalCopyright":"Copyright © 2006-2023 VSO Software SARL","OriginalFilename":"ConvertXToDVD.exe","ProductName":"ConvertXToDVD 7","ProductVersion":"7.0"}],"ExpectedSignatureInformation":[{"Subject":"CN=VSO SOFTWARE, O=VSO SOFTWARE, S=Occitanie, C=FR","Issuer":"CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB","Type":"Authenticode"}],"SHA256":["ba4612db8ce37b8e64d163a4c8e236b0ad2ddc223b91383f270924846394bf95","7dd16890875b1bd76d94fcea709019f1125c7eb1ffd7203ff5436ac1f7430bac"]}],"Resources":["https://twitter.com/Tac_Mangusta/status/1807778398887928313","https://www.joesandbox.com/analysis/1357123/0/html"],"Acknowledgements":[{"Name":"Mangusta","Twitter":"@Tac_Mangusta"}],"url":"https://hijacklibs.net/entries/3rd_party/vsosoftware/avutil.html"},{"Name":"libglib-2.0-0.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-04-15","Vendor":"Wireshark","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Wireshark"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Wireshark\\Mergecap.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"Mergecap"}],"SHA256":["ac7a321a7b00b4adb5863b9a7e91e69afe9ce1953317234a2bd1bee97de744da"]}],"Resources":["https://asec.ahnlab.com/en/58319/","https://www.virustotal.com/gui/file/fcb0272d586fff854ce9b329fbbba26902984a112a1afe96a149dbb2011ad289"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/wireshark/libglib-2.0-0.html"},{"Name":"libwsutil.dll","Author":"Jai Minton - 
HuntressLabs","Created":"2024-04-15","Vendor":"Wireshark","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Wireshark"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Wireshark\\Mergecap.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"Mergecap"}],"SHA256":["ac7a321a7b00b4adb5863b9a7e91e69afe9ce1953317234a2bd1bee97de744da"]}],"Resources":["https://asec.ahnlab.com/en/58319/","https://www.virustotal.com/gui/file/fcb0272d586fff854ce9b329fbbba26902984a112a1afe96a149dbb2011ad289","https://www.virustotal.com/gui/file/e91c4f990c1b0b58d69f3c3e80916463e5cc87011fd418d610c5264f7d5ecc9b"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/wireshark/libwsutil.html"},{"Name":"wxmsw313u_aui_vc_custom.dll","Author":"Jai Minton","Created":"2025-05-06","Vendor":"wxWidgets","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Audacity"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Audacity\\audacity.exe","Type":"Sideloading","SHA256":["7677111340eea8915dd609236febf14f9a4d4416a2a33fd11daf505ab5bc7867"],"ExpectedVersionInformation":[{"CompanyName":"Audacity Team","FileDescription":"Audacity","FileVersion":"3,7,3,0","InternalName":"Audacity","LegalCopyright":"Copyright © 2024. 
All rights reserved.","OriginalFilename":"Audacity.exe","ProductName":"Audacity","ProductVersion":"3,7,3,0"}],"ExpectedSignatureInformation":[{"Type":"Authenticode","Subject":"CN=Musecy SM ltd.,O=Musecy SM ltd.,S=Lemesos, C=CY","Issuer":"CN=Sectigo Public Code Signing CA R36,O=Sectico Limited,C=GB"}]}],"Resources":["https://x.com/CyberRaiju/status/1914454438116540702"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@CyberRaiju"}],"url":"https://hijacklibs.net/entries/3rd_party/wxwidgets/wxmsw313u_aui_vc_custom.html"},{"Name":"x32bridge.dll","Author":"Wietze Beukema","Created":"2023-03-01","Vendor":"x64dbg","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"x32dbg.exe","Type":"Sideloading","SHA256":["ec5cf913773459da0fd30bb282fb0144b85717aa6ce660e81a0bad24a2f23e15"],"ExpectedVersionInformation":[{"LegalCopyright":"x64dbg.com","ProductName":"x64dbg","FileDescription":"x64dbg"}],"ExpectedSignatureInformation":[{"Issuer":"CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB","Subject":"CN=Duncan Ogilvie, O=Duncan Ogilvie, L=Wrocław, S=Dolnośląskie, C=PL","Type":"Authenticode"}]}],"Resources":["https://www.trendmicro.com/en_th/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html","https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/?cmp=30728","https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/3rd_party/x64dbg/x32bridge.html"},{"Name":"atl71.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-08-30","Vendor":"Xunlei","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Common Files\\Thunder Network\\TP\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Common Files\\Thunder 
Network\\TP\\%VERSION%\\XLBugReport.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"XLBugReport.exe","InternalName":"XLBugReport.exe","FileDescription":"迅雷错误报告"}],"SHA256":["64f8d68cc1cfc5b9cc182df3becf704af93d0f1cc93ee59dbf682c75b6d4ffc0"]}],"Resources":["https://www.virustotal.com/gui/file/07ff27bfc879ad9f4d90f17c755c89d2fc3a84994c2304ee3cd79eb84674b9c0/relations","https://www.virustotal.com/gui/file/d42dc50226c59ab41afb691a0d94fa4e141702b678d8bd2fdaaaecb43a8e5b4b/details"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/3rd_party/xunlei/atl71.html"},{"Name":"zlibwapi.dll","Author":"Still Hsu","Created":"2024-11-24","Vendor":"zlib","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\DS Clock"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\DS Clock\\dsclock.exe","Type":"Sideloading","ExpectedVersionInformation":[{"FileDescription":"DS Clock","LegalCopyright":"Copyright 2001-2023 Duality Software. All rights reserved. 
Developed by Vladimir Kulemin.","InternalName":"dsclock.exe","OriginalFilename":"dsclock.exe","ProductName":"DS Clock","ProductVersion":"5.1.2.0"}],"ExpectedSignatureInformation":[{"Subject":"CN=Duality Software LLC, O=Duality Software LLC, L=Saint Petersburg, S=Saint Petersburg, C=RU","Issuer":"CN=GlobalSign GCC R45 CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE","Type":"Authenticode"}],"SHA256":["f85ce4492e1354f8310027c5f70ef73aae654fcd8fd9a58034e4f82a41a9826b"]}],"Resources":["https://twitter.com/malwrhunterteam/status/1859316170773397966","https://www.virustotal.com/gui/file/b8d38fc9f4560719fa64227e4b25b732b22602cb596d44cb38418a196c3340be","https://github.com/Still34/malware-lab/tree/main/reworkshop/2024-11-24"],"Acknowledgements":[{"Name":"MalwareHunterTeam","Twitter":"@malwrhunterteam"},{"Name":"Still Hsu","Twitter":"@AzakaSekai_"}],"url":"https://hijacklibs.net/entries/3rd_party/zlib/zlibwapi.html"},{"Name":"aclui.dll","Author":"Wietze Beukema","Created":"2021-12-07","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\shrpubw.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Windows Kits\\10\\bin\\%VERSION%\\x86\\oleview.exe","Type":"Sideloading"}],"Resources":["https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/","https://www.contextis.com/en/blog/dll-search-order-hijacking","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Adam","Twitter":"@hexacorn"},{"Name":"Lampros Noutsos","Twitter":"@lampnout"},{"Name":"Chris 
Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/aclui.html"},{"Name":"activeds.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\applysettingstemplatecatalog.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\agentservice.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dsadd.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsget.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsmod.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsrm.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\gpfixup.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/activeds.html"},{"Name":"adsldpc.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\agentservice.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sppextcomobj.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/adsldpc.html"},{"Name":"aepic.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\psr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/aepic.html"},{"Name":"apphelp.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\compmgmtlauncher.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sdbinst.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%WINDIR%\\explorer.exe","Type":"Search Order"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/apphelp.html"},{"Name":"applicationframe.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\applicationframehost.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/applicationframe.html"},{"Name":"appvpolicy.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%PROGRAMFILES%\\Common Files\\Microsoft Shared\\ClickToRun"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\appvclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/appvpolicy.html"},{"Name":"appwiz.cpl","Author":"Wietze Beukema","Created":"2024-01-11","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\fondue.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/"],"Acknowledgements":[{"Name":"Adam","Twitter":"@hexacorn"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/appwiz.html"},{"Name":"appxalluserstore.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\lpremove.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/appxalluserstore.html"},{"Name":"appxdeploymentclient.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\lpremove.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/appxdeploymentclient.html"},{"Name":"archiveint.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\tar.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/archiveint.html"},{"Name":"atl.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dsquery.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\filescrn.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\msconfig.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msdt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msinfo32.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\perfmon.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\quickassist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\storrept.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\vds.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vdsldr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vssadmin.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wfs.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/atl.html"},{"Name":"audioses.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\osk.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/audioses.html"},{"Name":"auditpolcore.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\auditpol.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/auditpolcore.html"},{"Name":"authfwcfg.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/authfwcfg.html"},{"Name":"authz.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\easinvoker.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vssvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\whoami.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/authz.html"},{"Name":"avrt.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\osk.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/avrt.html"},{"Name":"axeonoffhelper.dll","Author":"Swachchhanda Shrawan Poudel","Created":"2025-06-18","Vendor":"Microsoft","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"%SYSTEM32%\\wpr.exe","Type":"Phantom","Condition":"Triggers via `wpr -boottrace -stopboot foo`; put malicious DLL in C:\\Windows\\System32","ExpectedVersionInformation":[{"CompanyName":"Microsoft 
Corporation","FileDescription":"Microsoft Windows Performance Recorder","InternalName":"WPR.exe","LegalCopyright":"© Microsoft Corporation. All rights reserved.","OriginalFilename":"WPR.exe","ProductName":"Microsoft® Windows® Operating System"}]}],"Resources":["https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/"],"Acknowledgements":[{"Name":"Adam","Twitter":"@Hexacorn"},{"Name":"Swachchhanda Shrawan Poudel","Company":"Nextron Systems","Twitter":"@_swachchhanda_"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/axeonoffhelper.html"},{"Name":"batmeter.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\mblctr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/batmeter.html"},{"Name":"bcd.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bootim.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\cidiag.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\genvalobj.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdsched.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msconfig.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\recdisc.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\recoverydrive.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resetengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rstrui.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sdclt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\srtasks.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertiesadvanced.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertiescomputername.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertiesdataexecutionprevention.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertieshardware.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertiesprotection.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertiesremote.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vds.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vdsldr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vssvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wbengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/bcd.html"},{"Name":"bcp47langs.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\lpremove.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/bcp47langs.html"},{"Name":"bcp47mrm.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\mcbuilder.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/bcp47mrm.html"},{"Name":"bcrypt.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\shellappruntime.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wordpad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/bcrypt.html"},{"Name":"bderepair.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\repair-bde.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/bderepair.html"},{"Name":"bootmenuux.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bootim.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/bootmenuux.html"},{"Name":"bootux.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bootim.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris 
Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/bootux.html"},{"Name":"bthprops.cpl","Author":"Swachchhanda Shrawan Poudel","Created":"2026-02-05","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%","%WINDIR%\\Prefetch"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\fsquirt.exe","Type":"Sideloading","SHA256":["7B9FD75D899E115FFB258E5FC92E99D5A0860153C1E4C9AFD6A406DD6B42345E"]}],"Resources":["https://github.com/mhaskar/FsquirtCPLPoC","https://securelist.com/sidewinder-apt/114089/"],"Acknowledgements":[{"Name":"Swachchhanda Shrawan Poudel","Company":"Nextron Systems","Twitter":"@_swachchhanda_"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/bthprops.html"},{"Name":"cabinet.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bootim.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\certutil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\cmdl32.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\expand.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\extrac32.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\iesettingsync.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\licensingdiag.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\makecab.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msdt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\musnotification.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\musnotificationux.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\plasrv.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\pnputil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\reagentc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\recdisc.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\relpost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resetengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sdclt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sihclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\usocoreworker.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\wextract.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wimserv.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wpnpinst.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\logman.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/cabinet.html"},{"Name":"cabview.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/cabview.html"},{"Name":"cdpsgshims.dll","Author":"k4nfr3","Created":"2022-08-15","Vendor":"Microsoft","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"%SYSTEM32%\\svchost.exe","Type":"Phantom","PrivilegeEscalation":true,"Condition":"CDPSvc runs within a shared process by default only if the machine has less than 3.5GB of RAM","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://itm4n.github.io/cdpsvc-dll-hijacking/"],"Acknowledgements":[{"Name":"itm4n","Twitter":"@itm4n"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/cdpsgshims.html"},{"Name":"certcli.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\certutil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\repadmin.exe","Type":"Sideloading"}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/certcli.html"},{"Name":"certenroll.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certenrollctrl.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmcertinst.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/certenroll.html"},{"Name":"cfgmgr32.dll","Author":"Wietze Beukema","Created":"2023-05-19","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\write.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":null,"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/cfgmgr32.html"},{"Name":"cldapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\compmgmtlauncher.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dpiscaling.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\psr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resmon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sdclt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\slui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\workfolders.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\write.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/cldapi.html"},{"Name":"clipc.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\licensingdiag.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/clipc.html"},{"Name":"clusapi.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dfsrdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\msdtc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tieringengineservice.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wbengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/clusapi.html"},{"Name":"cmpbk32.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\cmdl32.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/cmpbk32.html"},{"Name":"cmutil.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\cmstp.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/cmutil.html"},{"Name":"coloradapterclient.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\colorcpl.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dccw.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/coloradapterclient.html"},{"Name":"colorui.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\colorcpl.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/colorui.html"},{"Name":"comdlg32.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/comdlg32.html"},{"Name":"configmanager2.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\hvsievaluator.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/configmanager2.html"},{"Name":"connect.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\rasphone.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/connect.html"},{"Name":"coredplus.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/coredplus.html"},{"Name":"coremessaging.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dwm.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sihost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/coremessaging.html"},{"Name":"coreuicomponents.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dwm.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/coreuicomponents.html"},{"Name":"credui.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\efsui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fxssvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gpfixup.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\licmgr.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netdom.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\nlbmgr.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\perfmon.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rekeywiz.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rpcping.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\runas.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertiesadvanced.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\taskmgr.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wbadmin.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wfs.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wkspbroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rasphone.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/credui.html"},{"Name":"cryptbase.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\alg.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\calc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\compmgmtlauncher.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\computerdefaults.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\disksnapshot.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dpiscaling.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\efsui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\filehistory.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fodhelper.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ie4uinit.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\lpksetup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mfpmp.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mshta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\net1.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netplwiz.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\presentationhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\quickassist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpclip.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rekeywiz.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resmon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rmactivate.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rmactivate_ssp_isv.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sdclt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\slui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sppextcomobj.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tzsync.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\uevappmonitor.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\useraccountcontrolsettings.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\workfolders.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\write.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wscadminui.exe","Type":"Sideloading"},{"Path":"%PROGRAMFILES%\\Minecraft Launcher\\MinecraftLauncher.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Mojang AB, O=Mojang AB, L=Stockholm, C=SE","Issuer":"CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=\"DigiCert, Inc.\", C=US","Type":"Authenticode"}],"SHA256":["6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495"]},{"Path":"%PROGRAMFILES%\\Microsoft Deployment Toolkit\\Bin\\Microsoft.BDD.Catalog35.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"winbox64.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=SIA \"Mikrotīkls\", O=SIA \"Mikrotīkls\", L=Riga, C=LV","Issuer":"CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=\"DigiCert, Inc.\", C=US","Type":"Authenticode"}],
"SHA256":["8bc3ecf1f35952600ecb1a380c38c88e9d63c081a32204fd094d588230070bf6"]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH","https://twitter.com/AndrewOliveau/status/1682185200862625792","https://twitter.com/BSummerz/status/1860045985919205645","https://ice-wzl.medium.com/mikrotik-winbox-dll-side-loading-vulnerability-x2-413d371ff5f0"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"},{"Name":"Andrew Oliveau","Twitter":"@AndrewOliveau"},{"Name":"Will Summerhill","Twitter":"@BSummerz"},{"Name":"ice-wzl","Twitter":"@ice_wzl_cyber"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/cryptbase.html"},{"Name":"cryptdll.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\at.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netdom.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/cryptdll.html"},{"Name":"cryptnet.dll","Author":"Will Summerhill","Created":"2024-11-22","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Microsoft Deployment 
Toolkit\\Bin\\Microsoft.BDD.Catalog35.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://twitter.com/BSummerz/status/1860045985919205645"],"Acknowledgements":[{"Name":"Will Summerhill","Twitter":"@BSummerz"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/cryptnet.html"},{"Name":"cryptsp.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bcdedit.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\disksnapshot.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\genvalobj.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rmactivate.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rmactivate_isv.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rmactivate_ssp.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rmactivate_ssp_isv.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\werfault.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/cryptsp.html"},{"Name":"cryptui.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certutil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\efsui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rekeywiz.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/cryptui.html"},{"Name":"cryptxml.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\clipup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sppsvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/cryptxml.html"},{"Name":"cscapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\microsoft.uev.cscunpintool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/cscapi.html"},{"Name":"cscobj.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\compmgmtlauncher.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/cscobj.html"},{"Name":"cscui.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\compmgmtlauncher.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\explorer.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/cscui.html"},{"Name":"d2d1.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dataexchangehost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dwm.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\eoaexperiences.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gamepanel.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\quickassist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vsgraphicsdesktopengine.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\vsgraphicsremoteengine.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/d2d1.html"},{"Name":"d3d10.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\winsat.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/d3d10.html"},{"Name":"d3d10_1.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\winsat.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/d3d10_1.html"},{"Name":"d3d10_1core.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\winsat.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/d3d10_1core.html"},{"Name":"d3d10core.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\winsat.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/d3d10core.html"},{"Name":"d3d10warp.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\slidetoshutdown.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/d3d10warp.html"},{"Name":"d3d11.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dataexchangehost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dwm.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dxcap.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dxgiadaptercache.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gamepanel.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdeserver.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\quickassist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\taskmgr.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vsgraphicsdesktopengine.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\vsgraphicsremoteengine.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\winsat.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Steam\\steamapps\\common\\wallpaper_engine\\wallpaper32.exe","Type":"Sideloading","SHA256":["1b0d67730ad59a49715e39f904f4f59ea9e81a54ea51ab20e6ec473546708aa7"],"ExpectedSignatureInformation":[{"Subject":"CN=\"Skutta, Kristjan\", O=\"Skutta, Kristjan\", L=Berlin, C=DE","Issuer":"CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US","Type":"Authenticode"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH","https://blog.amartinsec.com/blog/dllhijacking/"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"},{"Name":"Josh Allman","Company":"Huntress","Twitter":"@xorjosh"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/d3d11.html"},{"Name":"d3d12.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dxgiadaptercache.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\taskmgr.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/d3d12.html"},{"Name":"d3d9.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\magnify.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/d3d9.html"},{"Name":"d3dcompiler_47.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\windows kits\\10\\bin\\%VERSION%\\x64","%PROGRAMFILES%\\windows kits\\10\\bin\\%VERSION%\\x86","%PROGRAMFILES%\\windows kits\\10\\redist\\d3d\\x64","%PROGRAMFILES%\\windows kits\\10\\redist\\d3d\\x86","%PROGRAMFILES%\\wireshark","%PROGRAMFILES%\\LogiOptionsPlus","%PROGRAMFILES%\\cisco systems\\cisco jabber","%PROGRAMFILES%\\microsoft\\edge\\application\\%VERSION%","%PROGRAMFILES%\\microsoft\\edgewebview\\application\\%VERSION%","%PROGRAMFILES%\\microsoft\\edgecore\\application\\%VERSION%","%PROGRAMFILES%\\Google\\Chrome\\Application\\%VERSION%","%PROGRAMFILES%\\Island\\Island\\Application\\%VERSION%","%PROGRAMFILES%\\Zoom\\bin","%APPDATA%\\Zoom\\bin","%LOCALAPPDATA%\\microsoft\\teams\\stage","%LOCALAPPDATA%\\Programs\\Microsoft VS Code","%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dwm.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/d3dcompiler_47.html"},{"Name":"d3dx9_43.dll","Author":"Wietze Beukema","Created":"2023-05-03","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%LOCALAPPDATA%\\Temp\\HPDIAGS\\0699814c-9c5f-46ad-8c9d-a1c61a163f2b\\d3dim9.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=US, ST=California, L=Palo Alto, O=HP Inc., OU=HP Cybersecurity, CN=HP Inc.","Issuer":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Code Signing CA","Type":"Authenticode"}],"SHA256":["a8a09d4e1ddbe4de188100b285a53b53b10677e4fbc93014e07211cdaf532e7b"]}],"Resources":["https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/built-in/d3dx9_43.html"},{"Name":"dataexchange.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\charmap.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wordpad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Google\\Chrome\\Application\\chrome.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\msedge.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Mozilla Firefox\\firefox.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\powerpnt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft\\EdgeWebView\\Application\\%VERSION%\\msedgewebview2.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\mspub.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dataexchange.html"},{"Name":"davclnt.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msdt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\powershell.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tabcal.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\verifier.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\workfolders.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\write.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/davclnt.html"},{"Name":"dbgcore.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\windows kits\\10\\debuggers\\arm","%PROGRAMFILES%\\windows kits\\10\\debuggers\\arm\\srcsrv","%PROGRAMFILES%\\windows kits\\10\\debuggers\\arm64","%PROGRAMFILES%\\windows kits\\10\\debuggers\\arm64\\srcsrv","%PROGRAMFILES%\\windows kits\\10\\debuggers\\x64","%PROGRAMFILES%\\windows kits\\10\\debuggers\\x64\\srcsrv","%PROGRAMFILES%\\windows kits\\10\\debuggers\\x86","%PROGRAMFILES%\\windows kits\\10\\debuggers\\x86\\srcsrv","%PROGRAMFILES%\\microsoft office\\root\\office%VERSION%","%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\deploymentcsphelper.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\djoin.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dnscacheugc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ieunatt.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\muiunattend.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netbtugc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netiougc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\pnpunattend.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\setupugc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\werfault.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\werfaultsecure.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dbgcore.html"},{"Name":"dbghelp.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\windows kits\\10\\debuggers\\arm","%PROGRAMFILES%\\windows kits\\10\\debuggers\\arm\\srcsrv","%PROGRAMFILES%\\windows kits\\10\\debuggers\\arm64","%PROGRAMFILES%\\windows 
kits\\10\\debuggers\\arm64\\srcsrv","%PROGRAMFILES%\\windows kits\\10\\debuggers\\x64","%PROGRAMFILES%\\windows kits\\10\\debuggers\\x64\\srcsrv","%PROGRAMFILES%\\windows kits\\10\\debuggers\\x86","%PROGRAMFILES%\\windows kits\\10\\debuggers\\x86\\srcsrv","%PROGRAMFILES%\\cisco systems\\cisco jabber","%PROGRAMFILES%\\microsoft office\\root\\office%VERSION%","%PROGRAMFILES%\\microsoft office\\root\\vfs\\programfilesx86\\microsoft analysis services\\as oledb\\140","%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bootim.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dxcap.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\taskkill.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tasklist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tracerpt.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\werfault.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft 
Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\bdehdcfg.exe","Type":"Environment Variable","Variable":"WINDIR","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\deploymentcsphelper.exe","Type":"Environment Variable","Variable":"WINDIR","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\djoin.exe","Type":"Environment Variable","Variable":"WINDIR","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dnscacheugc.exe","Type":"Environment Variable","Variable":"WINDIR","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ieunatt.exe","Type":"Environment Variable","Variable":"WINDIR","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\muiunattend.exe","Type":"Environment Variable","Variable":"WINDIR","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netbtugc.exe","Type":"Environment Variable","Variable":"WINDIR","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netiougc.exe","Type":"Environment Variable","Variable":"WINDIR","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\pnpunattend.exe","Type":"Environment Variable","Variable":"WINDIR","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\reagentc.exe","Type":"Environment Variable","Variable":"WINDIR","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\setupugc.exe","Type":"Environment Variable","Variable":"WINDIR","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dbghelp.html"},{"Name":"dbgmodel.dll","Author":"Gary Lobermier","Created":"2023-05-22","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%","%PROGRAMFILES%\\Windows Kits\\10\\Debuggers\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Windows Kits\\10\\Debuggers\\%VERSION%\\ntsd.exe","Type":"Sideloading"}],"Resources":["https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html"},{"Name":"dcntel.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\devicecensus.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dcntel.html"},{"Name":"dcomp.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dataexchangehost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gamepanel.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\quickassist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dcomp.html"},{"Name":"defragproxy.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dfrgui.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/defragproxy.html"},{"Name":"desktopshellext.dll","Author":"Wietze 
Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\sihost.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/desktopshellext.html"},{"Name":"deviceassociation.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\eduprintprov.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\proximityuxhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/deviceassociation.html"},{"Name":"devicecredential.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\devicecredentialdeployment.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/devicecredential.html"},{"Name":"devicepairing.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\devicepairingwizard.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/devicepairing.html"},{"Name":"devobj.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bthudtask.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\chkdsk.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\chkntfs.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\deviceenroller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dispdiag.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmomacpmo.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\drvinst.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fsavailux.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fsquirt.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\immersivetpmvscmgrsvr.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\iscsicli.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\label.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmappinstaller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmdiagnosticstool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows 
Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\osk.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\pnputil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpclip.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\recover.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rmttpmvscmgrsvr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tabcal.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vsgraphicsdesktopengine.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\vssvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\workfolders.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/devobj.html"},{"Name":"devrtl.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\drvinst.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\pnpunattend.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wowreg32.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/devrtl.html"},{"Name":"dhcpcmonitor.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dhcpcmonitor.html"},{"Name":"dhcpcsvc.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\ipconfig.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netiougc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dhcpcsvc.html"},{"Name":"dhcpcsvc6.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\ipconfig.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dhcpcsvc6.html"},{"Name":"directmanipulation.dll","Author":"Wietze Beukema","Created":"2022-08-14","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excelcnv.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/directmanipulation.html"},{"Name":"dismapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bootim.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\deploymentcsphelper.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\directxdatabaseupdater.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\hvsievaluator.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resetengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dismapi.html"},{"Name":"dismcore.dll","Author":"Wietze Beukema","Created":"2021-02-28","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%\\dism","%SYSWOW64%\\dism"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dism.exe","Type":"Search Order","Condition":"Windows 7","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://cofense.com/exploiting-unpatched-vulnerability-ave_maria-malware-not-full-grace/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/built-in/dismcore.html"},{"Name":"dmcfgutils.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dmcfgutils.html"},{"Name":"dmcmnutils.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\deviceenroller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmcertinst.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmcfghost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmnotificationbroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmomacpmo.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\edpcleanup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\hvsievaluator.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmappinstaller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmdiagnosticstool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mousocoreworker.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\musnotificationux.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\musnotifyicon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\upgraderesultsui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\usocoreworker.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dmcmnutils.html"},{"Name":"dmcommandlineutils.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\provtool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dmcommandlineutils.html"},{"Name":"dmenrollengine.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\deviceenroller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmomacpmo.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmagent.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmappinstaller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmdiagnosticstool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\workfolders.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dmenrollengine.html"},{"Name":"dmenterprisediagnostics.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\deviceenroller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dmenterprisediagnostics.html"},{"Name":"dmiso8601utils.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\mdmdiagnosticstool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mousocoreworker.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\usocoreworker.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dmiso8601utils.html"},{"Name":"dmoleaututils.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\usocoreworker.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dmoleaututils.html"},{"Name":"dmprocessxmlfiltered.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dmomacpmo.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows 
Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dmprocessxmlfiltered.html"},{"Name":"dmpushproxy.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dmcfghost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\omadmrpc.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dmpushproxy.html"},{"Name":"dmxmlhelputils.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dmcfghost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dmxmlhelputils.html"},{"Name":"dnsapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\checknetisolation.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dcdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dnscmd.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\edpcleanup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ipconfig.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\lpremove.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msdtc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netdom.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\nslookup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rendom.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\repadmin.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\securityhealthservice.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\setupugc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sihclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\spoolsv.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows 
Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sppextcomobj.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertiesadvanced.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tieringengineservice.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wbengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wkspbroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dnsapi.html"},{"Name":"dot3api.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dot3api.html"},{"Name":"dot3cfg.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dot3cfg.html"},{"Name":"dpx.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\lpksetup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wusa.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dpx.html"},{"Name":"drprov.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msdt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\powershell.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tabcal.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\verifier.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\workfolders.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\write.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/drprov.html"},{"Name":"drvstore.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\infdefaultinstall.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\securityhealthservice.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"hvciscan_amd64.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH","https://www.microsoft.com/en-us/download/details.aspx?id=105437"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/drvstore.html"},{"Name":"dsclient.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dmcfghost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmomacpmo.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dstokenclean.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dsclient.html"},{"Name":"dsparse.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dcdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dfsrdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dmcertinst.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netdom.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\rendom.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris 
Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dsparse.html"},{"Name":"dsprop.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dsquery.exe","Type":"Sideloading"}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dsprop.html"},{"Name":"dsreg.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bitlockerdeviceencryption.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dsregcmd.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dsreg.html"},{"Name":"dsrole.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certutil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\cipher.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\csvde.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dcdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsdbutil.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\efsui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gpfixup.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\net1.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netdom.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\netplwiz.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ntdsutil.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\rekeywiz.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\repadmin.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\systempropertiesadvanced.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\winrs.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wsmanhttpconfig.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wsmprovhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\filehistory.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dsrole.html"},{"Name":"dui70.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bdeunlock.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\camerasettings.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\certreq.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmnotificationbroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dpapimig.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\licensingui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\optionalfeatures.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\osk.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\passwordonwakesettingflyout.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\phoneactivate.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\proximityuxhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rasphone.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sessionmsg.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sethc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sysreseterr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsremovedevice.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\utilman.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\windowsactiondialog.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wlrmdr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dui70.html"},{"Name":"duser.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bdeunlock.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\displayswitch.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\easeofaccessdialog.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\lockscreencontentserver.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mmc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msdt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\osk.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rekeywiz.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sessionmsg.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\taskmgr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\utilman.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://twitter.com/0xcarnage/status/1203882560176218113","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/duser.html"},{"Name":"dusmapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\datausagelivetiletask.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dusmapi.html"},{"Name":"dwmapi.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\devicepairingwizard.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\displayswitch.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dxpserver.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fsquirt.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gamepanel.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\lockscreencontentserver.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mblctr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\osk.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\proximityuxhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpclip.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpshell.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdvghelper.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\sndvol.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\snippingtool.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\wmpdmc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dwmapi.html"},{"Name":"dwmcore.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dwm.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dwmcore.html"},{"Name":"dwrite.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\cttune.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dataexchangehost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gamepanel.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dwrite.html"},{"Name":"dxcore.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\taskmgr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris 
Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dxcore.html"},{"Name":"dxgi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\applicationframehost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dataexchangehost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dwm.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dxgiadaptercache.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gamepanel.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdeserver.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\quickassist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\taskmgr.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vsgraphicsremoteengine.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\winsat.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dxgi.html"},{"Name":"dxva2.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dccw.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dispdiag.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dxva2.html"},{"Name":"dynamoapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\mdmdiagnosticstool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/dynamoapi.html"},{"Name":"eappcfg.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rasphone.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/eappcfg.html"},{"Name":"eappprxy.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/eappprxy.html"},{"Name":"edgeiso.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\microsoftedgebchost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\microsoftedgecp.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\microsoftedgedevtools.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\microsoftedgesh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/edgeiso.html"},{"Name":"edputil.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\calc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\compmgmtlauncher.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\computerdefaults.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dpiscaling.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fodhelper.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mobsync.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resmon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sdclt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\slui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\workfolders.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\write.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://twitter.com/Max_Mal_/status/1658566665003585545"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/edputil.html"},{"Name":"efsadu.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\efsui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rekeywiz.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/efsadu.html"},{"Name":"efsutil.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\cipher.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\efsui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rekeywiz.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\filehistory.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/efsutil.html"},{"Name":"esent.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dfsrdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsdbutil.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\esentutl.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tieringengineservice.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ntdsutil.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/esent.html"},{"Name":"execmodelproxy.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\calc.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/execmodelproxy.html"},{"Name":"explorerframe.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\control.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\explorer.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\filehistory.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Google\\Chrome\\Application\\chrome.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\msedge.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Mozilla Firefox\\firefox.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\winword.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\powerpnt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/explorerframe.html"},{"Name":"fastprox.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%\\wbem","%SYSWOW64%\\wbem"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\cttune.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\devicecensus.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\driverquery.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\getmac.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\licensingdiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msinfo32.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systeminfo.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tasklist.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\msedge.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excelcnv.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msaccess.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\mspub.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\onenote.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\outlook.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\powerpnt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\scanpst.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\winword.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/fastprox.html"},{"Name":"faultrep.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\werfault.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\werfaultsecure.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/faultrep.html"},{"Name":"fddevquery.dll","Author":"Wietze 
Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\ddodiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/fddevquery.html"},{"Name":"feclient.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\cipher.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\efsui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rekeywiz.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/feclient.html"},{"Name":"fhcfg.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\filehistory.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/fhcfg.html"},{"Name":"fhsvcctl.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\fhmanagew.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/fhsvcctl.html"},{"Name":"firewallapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\checknetisolation.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\edpcleanup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\lpremove.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\securityhealthservice.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/firewallapi.html"},{"Name":"flightsettings.dll","Author":"Wietze 
Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\devicecensus.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/flightsettings.html"},{"Name":"fltlib.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\agentservice.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\bootim.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\compmgmtlauncher.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dpiscaling.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dfsrdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\fltmc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\psr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resmon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sdclt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\slui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vssvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wbengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\workfolders.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\write.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/fltlib.html"},{"Name":"framedynos.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dfsrdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\driverquery.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\getmac.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\openfiles.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\taskkill.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/framedynos.html"},{"Name":"fveapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\baaupdate.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\bdechangepin.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fvenotify.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fveprompt.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resetengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/fveapi.html"},{"Name":"fveskybackup.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bitlockerdeviceencryption.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris 
Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/fveskybackup.html"},{"Name":"fvewiz.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bitlockerwizard.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\bitlockerwizardelev.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/fvewiz.html"},{"Name":"fwbase.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\checknetisolation.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\edpcleanup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\lpremove.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\securityhealthservice.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/fwbase.html"},{"Name":"fwcfg.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/fwcfg.html"},{"Name":"fwpolicyiomgr.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/fwpolicyiomgr.html"},{"Name":"fwpuclnt.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\checknetisolation.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/fwpuclnt.html"},{"Name":"fxsapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSTEM32%\\driverstore\\filerepository\\prnms002.inf_%VERSION%\\amd64","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\fxsunatd.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/fxsapi.html"},{"Name":"fxsst.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%WINDIR%\\explorer.exe","Type":"Search Order"}],"Resources":["https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/built-in/fxsst.html"},{"Name":"fxstiff.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSTEM32%\\driverstore\\filerepository\\prnms002.inf_%VERSION%\\amd64"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\fxssvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/fxstiff.html"},{"Name":"getuname.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\charmap.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/getuname.html"},{"Name":"gpapi.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\gpapi.exe","Type":"Sideloading"}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/gpapi.html"},{"Name":"hid.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\psr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tabcal.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\PerceptionSimulation\\PerceptionSimulationService.exe","Type":"Search Order","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Logitech\\SetPointP\\LDeviceDetectionHelper.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Logitech, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Logitech, L=Newark, S=California, C=US","Issuer":"CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O=\"VeriSign, Inc.\", C=US","Type":"Authenticode"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://github.com/netero1010/ServiceMove-BOF","https://www.virustotal.com/gui/file/30fbf917d0a510b8dac3bacb0f4948f9d55bbfb0fa960b07f0af20ba4f18fc19/"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"v1stra","Twitter":"@_v1stra"},{"Name":"Still Hsu","Twitter":"@AzakaSekai_"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/hid.html"},{"Name":"hnetmon.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/hnetmon.html"},{"Name":"httpapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wifitask.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wsmanhttpconfig.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/httpapi.html"},{"Name":"icmp.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\nlbmgr.exe","Type":"Sideloading"}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris 
Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/icmp.html"},{"Name":"idstore.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\devicecensus.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\shellappruntime.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/idstore.html"},{"Name":"ieadvpack.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\ie4uinit.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ieadvpack.html"},{"Name":"iedkcs32.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\ie4uinit.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/iedkcs32.html"},{"Name":"iernonce.dll","Author":"Wietze Beukema","Created":"2024-01-11","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSWOW64%\\runonce.exe","Type":"Sideloading","Condition":"SYSWOW64 version only; requires command-line argument '/RunOnceEx6432'","ExpectedVersionInformation":[{"CompanyName":"Microsoft Corporation","FileDescription":"Extended RunOnce processing with UI","InternalName":"IERNONCE.DLL","LegalCopyright":"© Microsoft Corporation. 
All rights reserved.","OriginalFilename":"IERNONCE.DLL.MUI","ProductName":"Internet Explorer"}],"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/"],"Acknowledgements":[{"Name":"Adam","Twitter":"@hexacorn"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/iernonce.html"},{"Name":"iertutil.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\browserexport.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\cipher.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\iesettingsync.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\launchwinapp.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\microsoftedgebchost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\microsoftedgecp.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\microsoftedgedevtools.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\microsoftedgesh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wwahost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/iertutil.html"},{"Name":"ifmon.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ifmon.html"},{"Name":"ifsutil.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\convert.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fsavailux.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\label.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\recover.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\xcopy.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ifsutil.html"},{"Name":"inproclogger.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\easpolicymanagerbrokerhost.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/inproclogger.html"},{"Name":"iphlpapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\arp.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\colorcpl.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\datausagelivetiletask.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dcdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\devicecensus.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dnscacheugc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fxscover.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fxssvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fxsunatd.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ipconfig.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mousocoreworker.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\msra.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\nbtstat.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\net.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netbtugc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netiougc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netstat.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\pathping.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\printbrmui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\printui.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpclip.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\route.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tracert.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\w32tm.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wfs.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wifitask.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wpnpinst.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%LOCALAPPDATA%\\microsoft\\onedrive\\onedrive.exe","Type":"Search Order"},{"Path":"%LOCALAPPDATA%\\microsoft\\onedrive\\OneDriveStandaloneUpdater.exe","Type":"Search Order"},{"Path":"%LOCALAPPDATA%\\microsoft\\teams\\current\\teams.exe","Type":"Search Order"},{"Path":"%SYSTEM32%\\dpiscaling.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rasphone.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\slui.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Minecraft Launcher\\MinecraftLauncher.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Mojang AB, O=Mojang AB, L=Stockholm, C=SE","Issuer":"CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=\"DigiCert, Inc.\", C=US","Type":"Authenticode"}],"SHA256":["6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495"]},{"Path":"%PROGRAMFILES%\\Microsoft Deployment Toolkit\\Bin\\Microsoft.BDD.Catalog35.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables","https://twitter.com/SBousseaden/status/1550903546916311043","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH","https://twitter.com/AndrewOliveau/status/1682185200862625792","https://x00.zip/playing-with-process-handles/","https://twitter.com/BSummerz/status/1860045985919205645"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Samir","Twitter":"@sbousseaden"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"},{"Name":"Andrew Oliveau","Twitter":"@AndrewOliveau"},{"Name":"Tim Peck","Twitter":"@B0bby_Tablez"},{"Name":"Will Summerhill","Twitter":"@BSummerz"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/iphlpapi.html"},{"Name":"iri.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\deviceenroller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmcertinst.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmcfghost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmomacpmo.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\hvsievaluator.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmappinstaller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmdiagnosticstool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\usocoreworker.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/iri.html"},{"Name":"iscsidsc.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\iscsicli.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/iscsidsc.html"},{"Name":"iscsiexe.dll","Author":"Wietze Beukema","Created":"2023-05-15","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\iscsicpl.exe","Type":"Search Order","AutoElevate":true}],"Resources":["https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC","https://twitter.com/hackerfantastic/status/1547412574404214784"],"Acknowledgements":[{"Name":"Matthew Hickey","Twitter":"@hackerfantastic"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/iscsiexe.html"},{"Name":"iscsium.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\iscsicli.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/iscsium.html"},{"Name":"isv.exe_rsaenh.dll","Author":"Wietze 
Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\rmactivate","Type":"Environment Variable","Variable":"SYSTEMROOT"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/isv.exe_rsaenh.html"},{"Name":"iumbase.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bioiso.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fsiso.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ngciso.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/iumbase.html"},{"Name":"iumsdk.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bioiso.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fsiso.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ngciso.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/iumsdk.html"},{"Name":"joinutil.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\djoin.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/joinutil.html"},{"Name":"kdstub.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\hvax64.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\hvix64.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/kdstub.html"},{"Name":"ksuser.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\mfpmp.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\osk.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ksuser.html"},{"Name":"ktmw32.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\ktmutil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msdtc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rstrui.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\srtasks.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wkspbroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ktmw32.html"},{"Name":"libsmartscreenn.dll","Author":"Still Hsu","Created":"2025-12-12","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\WindowsApps\\Microsoft.DesktopAppInstaller_%VERSION%_x64__8wekyb3d8bbwe"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\WindowsApps\\Microsoft.DesktopAppInstaller_%VERSION%_x64__8wekyb3d8bbwe\\AppInstaller.exe","Type":"Sideloading","SHA256":["e67659cec3aaac0edc4fb12ac80da5bfb0ab8a104f6cdfd96c62db475bc96e6b"],"ExpectedVersionInformation":[{"CompanyName":"Microsoft Corporation","FileDescription":"AppInstaller.exe","FileVersion":"1.27.350.00000","InternalName":"AppInstaller","LegalCopyright":"©Microsoft Corporation.  
All rights reserved.","OriginalFilename":"AppInstaller.exe","ProductName":"Microsoft Desktop App Installer","ProductVersion":"1.27.350.0"}],"ExpectedSignatureInformation":[{"Type":"Authenticode","Subject":"CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US","Issuer":"CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US"}]}],"Resources":["https://www.virustotal.com/gui/file/ead3b69fb1c4a8a7db7d89af55c75820ef76fce0d2fd341d5b2ea61b320f8821","https://www.virustotal.com/gui/file/ab89866a6c74eaee542e28b9401aa674ff2e7f73547cfa98eb685830d8b94887/relations"],"Acknowledgements":[{"Name":"Still Hsu","Twitter":"@AzakaSekai_"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/libsmartscreenn.html"},{"Name":"licensemanagerapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\wsreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/licensemanagerapi.html"},{"Name":"licensingdiagspp.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\licensingdiag.exe","Type":"Environment Variable","Variable":"WINDIR","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/licensingdiagspp.html"},{"Name":"linkinfo.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/linkinfo.html"},{"Name":"loadperf.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\unlodctr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/loadperf.html"},{"Name":"lockhostingframework.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\lockapphost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft 
Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/lockhostingframework.html"},{"Name":"logoncli.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certutil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\change.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\chglogon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\chgport.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\csvde.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\devicecensus.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\djoin.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dsacls.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsmgmt.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsregcmd.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\efsui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gpfixup.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\gpresult.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\klist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ksetup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ldifde.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\net1.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\nltest.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netdom.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\ntdsutil.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\query.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\quser.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\qwinsta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\redircmp.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\redirusr.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\rekeywiz.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rendom.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\repadmin.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\reset.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rwinsta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\setspn.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertiesadvanced.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tscon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tskill.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\w32tm.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/logoncli.html"},{"Name":"logoncontroller.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\logonui.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/logoncontroller.html"},{"Name":"lpksetupproxyserv.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\lpksetup.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/lpksetupproxyserv.html"},{"Name":"lrwizdll.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\licmgr.exe","Type":"Sideloading"}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/lrwizdll.html"},{"Name":"magnification.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\magnify.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/magnification.html"},{"Name":"maintenanceui.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\mschedexe.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/maintenanceui.html"},{"Name":"mapistub.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\fixmapi.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mapistub.html"},{"Name":"mbaexmlparser.dll","Author":"Chris 
Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\mbaeparsertask.exe","Type":"Sideloading"}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mbaexmlparser.html"},{"Name":"mdmdiagnostics.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\mdmdiagnosticstool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mdmdiagnostics.html"},{"Name":"mfc42u.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\devicepairingwizard.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dirquota.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\eudcedit.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\filescrn.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\ldp.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\msconfig.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msinfo32.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mspaint.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\nlbmgr.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\shrpubw.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\storrept.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\verifiergui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wfs.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris 
Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mfc42u.html"},{"Name":"mfcore.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\mfpmp.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mfcore.html"},{"Name":"mfplat.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\mdeserver.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mfpmp.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mfplat.html"},{"Name":"mi.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\winrs.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wsmanhttpconfig.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wsmprovhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://asec.ahnlab.com/en/39828/"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mi.html"},{"Name":"microsoft.ui.xaml.xamltypeinfo.dll","Author":"Wietze Beukema","Created":"2023-04-03","Vendor":"Microsoft","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"%LOCALAPPDATA%\\microsoft\\onedrive\\onedrive.exe","Type":"Phantom"}],"Resources":["https://twitter.com/Octoberfest73/status/1631021071951437827/photo/1"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/built-in/microsoft.ui.xaml.xamltypeinfo.html"},{"Name":"midimap.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\osk.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/midimap.html"},{"Name":"mintdh.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\applytrustoffline.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\pktmon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\plasrv.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mintdh.html"},{"Name":"miracastview.dll","Author":"Wietze Beukema","Created":"2025-05-24","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%WINDIR%\\Miracast"],"VulnerableExecutables":[{"Path":"%WINDIR%\\MiraCast\\MiracastView.exe","Type":"Sideloading"}],"Resources":["https://news.sophos.com/en-us/2025/04/29/finding-minhook-in-a-sideloading-attack-and-sweden-too/","https://x.com/fromCharCode/status/1030107346230423554"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/built-in/miracastview.html"},{"Name":"miutils.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\register-cimprovider.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\winrs.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wsmanhttpconfig.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wsmprovhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/miutils.html"},{"Name":"mlang.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\calc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\computerdefaults.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fodhelper.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ie4uinit.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft 
Office 2021"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mlang.html"},{"Name":"mmdevapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\audiodg.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\osk.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\certreq.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\devicecensus.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mblctr.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\presentationsettings.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sndvol.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mmdevapi.html"},{"Name":"mobilenetworking.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\mbaeparsertask.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mobilenetworking.html"},{"Name":"mpclient.dll","Author":"Wietze Beukema","Created":"2022-08-01","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Windows Defender","%PROGRAMDATA%\\Microsoft\\Windows Defender\\Platform\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Windows Defender\\mpcmdrun.exe","Type":"Sideloading"},{"Path":"%PROGRAMFILES%\\Windows Defender\\nissrv.exe","Type":"Sideloading"},{"Path":"%PROGRAMFILES%\\Windows Defender\\dlpuseragent.exe","Type":"Sideloading"}],"Resources":["https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/","https://twitter.com/Sh0ckFR/status/1554021948967079936"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/built-in/mpclient.html"},{"Name":"mpr.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bootcfg.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dcdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dfsrdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\driverquery.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dsmgmt.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\eventcreate.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\filehistory.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\getmac.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gpresult.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\iesettingsync.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\net.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ntdsutil.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\openfiles.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\pnpunattend.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpclip.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rekeywiz.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\repadmin.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\sdclt.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\setupugc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systeminfo.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\taskkill.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\waitfor.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mpr.html"},{"Name":"mprapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\rasautou.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mprapi.html"},{"Name":"mpsvc.dll","Author":"Wietze Beukema","Created":"2021-12-07","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMDATA%\\Microsoft\\Windows Defender\\Platform\\%VERSION%","%PROGRAMFILES%\\Windows Defender\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMDATA%\\Microsoft\\Windows Defender\\Platform\\%VERSION%\\MsMpEng.exe","Type":"Sideloading"}],"Resources":["https://www.mcafee.com/blogs/other-blogs/mcafee-labs/revil-ransomware-uses-dll-sideloading/","https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/","https://www.fortinet.com/blog/threat-research/dll-side-loading-technique-used-in-recent-kaseya-ransomware-attack"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html"},{"Name":"mrmcorer.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\mcbuilder.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mrmcorer.html"},{"Name":"msacm32.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\osk.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/msacm32.html"},{"Name":"msasn1.dll","Author":"ice-wzl","Created":"2025-04-04","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"winbox64.exe","Type":"Sideloading","Condition":"version >= 3.41"},{"Path":"winbox.exe","Type":"Sideloading","Condition":"version >= 3.41"}],"Resources":["https://ice-wzl.medium.com/mikrotik-winbox-dll-side-loading-vulnerability-9ed9420bd4d7","https://github.com/pbatard/rufus/issues/1877"],"Acknowledgements":[{"Name":"ice-wzl","Twitter":"@ice_wzl_cyber"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/msasn1.html"},{"Name":"mscms.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\colorcpl.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dccw.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mscms.html"},{"Name":"mscoree.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\aitstatic.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\presentationhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%WINDIR%\\Microsoft.NET\\Framework\\v%VERSION%\\applaunch.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH","https://www.secureworks.com/research/shadowpad-malware-analysis","https://www.crowdstrike.com/blog/4-ways-adversaries-hijack-dlls/"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mscoree.html"},{"Name":"mscorsvc.dll","Author":"Wietze 
Beukema","Created":"2023-04-04","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%WINDIR%\\Microsoft.NET\\Framework\\v%VERSION%","%WINDIR%\\Microsoft.NET\\Framework64\\v%VERSION%"],"VulnerableExecutables":[{"Path":"%WINDIR%\\Microsoft.NET\\Framework\\v%VERSION%\\mscorsvw.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Corporation","Issuer":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA","Type":"Catalog"}]},{"Path":"%WINDIR%\\WinSxS\\amd64_netfx4-ngentask_exe_%VERSION%\\ngentask.exe","Type":"Phantom","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/","https://www.securityjoes.com/post/hide-and-seek-in-windows-closet-unmasking-the-winsxs-hijacking-hideout"],"Acknowledgements":[{"Name":"Michał Kucharski","Twitter":"@Kucharskov"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html"},{"Name":"msctf.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\conhost.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\filehistory.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wordpad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\msedge.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\outlook.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\powerpnt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\winword.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft\\EdgeWebView\\Application\\%VERSION%\\msedgewebview2.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\mspub.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/msctf.html"},{"Name":"msctfmonitor.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\credwiz.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ctfmon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/msctfmonitor.html"},{"Name":"msdrm.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\gamepanel.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\psr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rmactivate.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rmactivate_isv.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\snippingtool.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/msdrm.html"},{"Name":"msdtctm.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\msdtc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/msdtctm.html"},{"Name":"msedge.dll","Author":"Swachchhanda Shrawan 
Poudel","Created":"2024-07-25","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Microsoft\\Edge\\Application\\%VERSION%","%PROGRAMFILES%\\Microsoft\\Edgewebview\\Application\\%VERSION%","%PROGRAMFILES%\\Microsoft\\EdgeCore\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\%VERSION%\\cookie_exporter.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Authenticode"}],"ExpectedVersionInformation":[{"OriginalFilename":"cookie_exporter.exe","FileDescription":"Microsoft Edge"}]}],"Resources":["https://securelist.com/apt41-in-africa/116986/"],"Acknowledgements":[{"Name":"Swachchhanda Shrawan Poudel","Twitter":"@_swachchhanda_","Company":"Nextron Systems"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/msedge.html"},{"Name":"msedge_elf.dll","Author":"Still Hsu","Created":"2024-07-10","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Microsoft\\Edge\\Application\\%VERSION%","%PROGRAMFILES%\\Microsoft\\EdgeCore\\%VERSION%","%PROGRAMFILES%\\Microsoft\\EdgeWebView\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\%VERSION%","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Authenticode"}],"SHA256":["7914d38736f3ce4f89432e15816711fffdfd9002fa50ce7205c1176af9142ab4"]}],"Resources":["https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/"],"Acknowledgements":[{"Name":"Still 
Hsu","Twitter":"@AzakaSekai_"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/msedge_elf.html"},{"Name":"msedgeupdate.dll","Author":"Still Hsu","Created":"2024-05-26","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Microsoft\\EdgeUpdate\\%VERSION%","%PROGRAMFILES%\\Microsoft\\Temp\\%VERSION%","%LOCALAPPDATA%\\Microsoft\\EdgeUpdate\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Authenticode"}]}],"Resources":null,"Acknowledgements":[{"Name":"Still Hsu","Twitter":"@AzakaSekai_"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/msedgeupdate.html"},{"Name":"msftedit.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\charmap.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mspaint.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\searchindexer.exe","Type":"Phantom","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\searchprotocolhost.exe","Type":"Phantom","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/","https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Adam","Twitter":"@hexacorn"},{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/msftedit.html"},{"Name":"msi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dxpserver.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fondue.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmappinstaller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msiexec.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\optionalfeatures.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\packageinspector.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/msi.html"},{"Name":"msiso.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\browserexport.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/msiso.html"},{"Name":"mstracer.dll","Author":"Wietze Beukema","Created":"2021-12-08","Vendor":"Microsoft","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"%SYSTEM32%\\searchindexer.exe","Type":"Phantom","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\searchprotocolhost.exe","Type":"Phantom","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/"],"Acknowledgements":[{"Name":"Adam","Twitter":"@hexacorn"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mstracer.html"},{"Name":"msutb.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\ctfmon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/msutb.html"},{"Name":"msvcp110_win.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\agentactivationruntimestarter.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\appidpolicyconverter.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmcertinst.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmomacpmo.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\locationnotificationwindows.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmagent.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmappinstaller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\provlaunch.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\provtool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\windowsactiondialog.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/msvcp110_win.html"},{"Name":"msvcp140.dll","Author":"Swachchhanda Shrawan Poudel","Created":"2025-07-12","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%","%PROGRAMFILES%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Java\\%VERSION%\\bin\\jp2launcher.exe","Type":"Sideloading","SHA256":["1fc684c5adf02b5a96cc407932429f1c2d3d2e78e3104cfbcf535a9de1ee4921"],"ExpectedVersionInformation":[{"FileVersion":"11.451.0.10","ProductName":"Java(TM) Platform SE 8 U451","InternalName":"Java(TM) Web 
Launcher","OriginalFilename":"jp2launcher.exe"}]}],"Resources":["https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/","https://www.virustotal.com/gui/file/cbaf513e7fd4322b14adcc34b34d793d79076ad310925981548e8d3cff886527"],"Acknowledgements":[{"Name":"Swachchhanda Shrawan Poudel","Company":"Nextron Systems","Twitter":"@_swachchhanda_"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/msvcp140.html"},{"Name":"msvcr100.dll","Author":"Wietze Beukema","Created":"2022-09-26","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Java\\jre%VERSION%\\bin\\javacpl.exe","Type":"Sideloading"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\winword.exe","SHA256":["16f099aaff99f981741e299be6aff43f2e53b189481a08582e3b2a04e934aa0a"],"Type":"Sideloading"},{"Path":"cleanospp_64.exe","SHA256":["edf85f4e2ef1a427b34265a22f261d664ec78de90c3b5da4174ef28558c8522a"],"ExpectedSignatureInformation":[{"Type":"Authenticode","Subject":"CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US","Issuer":"CN=Microsoft Root Authority,OU=Microsoft Corporation,OU=Copyright (c) 1997 Microsoft Corp."}],"Type":"Search Order"}],"Resources":["https://twitter.com/SBousseaden/status/1530595156055011330","https://twitter.com/sbousseaden/status/1604934564614381571","https://blog.eclecticiq.com/dark-pink-apt-group-strikes-government-entities-in-south-asian-countries"],"Acknowledgements":[{"Name":"Samir","Twitter":"@sbousseaden"},{"Name":"kinako","Twitter":"@kinako_software"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/msvcr100.html"},{"Name":"mswb7.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\control.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\explorer.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mswb7.html"},{"Name":"mswsock.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\alg.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\curl.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\devicecensus.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\finger.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fsquirt.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ftp.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\hostname.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\nbtstat.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\nslookup.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rpcping.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Google\\Chrome\\Application\\chrome.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\msedge.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Mozilla Firefox\\firefox.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\outlook.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\powerpnt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\winword.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%APPDATA%\\Zoom\\bin\\zoom.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\WindowsApps\\MicrosoftTeams%VERSION%\\msteams.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft\\EdgeWebView\\Application\\%VERSION%\\msedgewebview2.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msaccess.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\mspub.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\onenote.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\scanpst.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\sdxhelper.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mswsock.html"},{"Name":"msxml3.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\wordpad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/msxml3.html"},{"Name":"mtxclu.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\msdtc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/mtxclu.html"},{"Name":"napinsp.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\ftp.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\hostname.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/napinsp.html"},{"Name":"ncrypt.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\certutil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\clipup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmcertinst.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dnscmd.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsregcmd.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\filehistory.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sgrmbroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ncrypt.html"},{"Name":"ndfapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\msra.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dpiscaling.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\slui.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ndfapi.html"},{"Name":"netapi32.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\appvclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\bootcfg.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\certutil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dcdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dfscmd.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dfsdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dfsrdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dfsutil.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dnscmd.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsadd.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsget.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsquery.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\ie4uinit.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\qappsrv.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\spaceagent.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wbengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/netapi32.html"},{"Name":"netid.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\systempropertiesadvanced.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/netid.html"},{"Name":"netiohlp.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/netiohlp.html"},{"Name":"netjoin.dll","Author":"Chris 
Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netdom.exe","Type":"Sideloading"}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/netjoin.html"},{"Name":"netplwiz.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netplwiz.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/netplwiz.html"},{"Name":"netprofm.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\fxscover.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpclip.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wordpad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\msedge.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Mozilla Firefox\\firefox.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\outlook.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\powerpnt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\winword.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\WindowsApps\\MicrosoftTeams%VERSION%\\msteams.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\clview.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\cnfnot32.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excelcnv.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\graph.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msaccess.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft 
Office\\root\\Office%VERSION%\\msoia.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msosrec.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\mspub.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msqry32.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\namecontrolserver.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\onenote.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\protocolhandler.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\scanpst.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\sdxhelper.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\setlang.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 
2021"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/netprofm.html"},{"Name":"netprovfw.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\djoin.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/netprovfw.html"},{"Name":"netsetupapi.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\rasphone.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/netsetupapi.html"},{"Name":"netshell.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rasphone.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/netshell.html"},{"Name":"nettrace.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/nettrace.html"},{"Name":"netutils.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\at.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\certutil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\change.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\chglogon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\chgport.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\credwiz.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\csvde.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dcdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\devicecensus.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\deviceenroller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\djoin.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dpapimig.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\driverquery.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dsacls.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsdbutil.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsmgmt.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsregcmd.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\easinvoker.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\edpcleanup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\efsui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\eventcreate.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\getmac.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gpfixup.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\gpresult.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ie4uinit.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\klist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ksetup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ldifde.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\mshta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\net.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\net1.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netdom.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\netplwiz.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\nltest.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ntdsutil.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\openfiles.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\query.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\quser.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\qwinsta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\raserver.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\redircmp.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\redirusr.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\rekeywiz.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rendom.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\repadmin.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\reset.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\runas.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rwinsta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\setspn.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 
2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\shrpubw.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\spaceagent.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertiesadvanced.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\taskkill.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tasklist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tscon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tskill.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\w32tm.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\waitfor.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wbengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\whoami.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/netutils.html"},{"Name":"networkexplorer.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/networkexplorer.html"},{"Name":"newdev.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\infdefaultinstall.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\pnpunattend.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/newdev.html"},{"Name":"ninput.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\multidigimon.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tabcal.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ninput.html"},{"Name":"nlaapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/nlaapi.html"},{"Name":"nlansp_c.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\ftp.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\hostname.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft 
Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/nlansp_c.html"},{"Name":"npmproxy.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\apphostregistrationverifier.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\devicecensus.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\directxdatabaseupdater.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fxscover.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\microsoft.uev.synccontroller.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpclip.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wordpad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\msedge.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\outlook.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\powerpnt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\winword.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\clview.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\cnfnot32.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excelcnv.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft 
Office\\root\\Office%VERSION%\\graph.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msaccess.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msoia.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msosrec.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\mspub.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msqry32.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\namecontrolserver.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\onenote.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\protocolhandler.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\scanpst.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\sdxhelper.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against 
Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\setlang.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/npmproxy.html"},{"Name":"nshhttp.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/nshhttp.html"},{"Name":"nshipsec.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/nshipsec.html"},{"Name":"nshwfp.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/nshwfp.html"},{"Name":"ntdsapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certutil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\cipher.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dcdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dfsrdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dnscmd.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsacls.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsadd.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsdbutil.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsget.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsmgmt.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsquery.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\gpresult.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\licmgr.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\netdom.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\nltest.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ntdsutil.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\rendom.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\repadmin.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\setspn.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\w32tm.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ntdsapi.html"},{"Name":"ntlanman.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msdt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\powershell.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tabcal.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\verifier.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\workfolders.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\write.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ntlanman.html"},{"Name":"ntlmshared.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\at.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ntlmshared.html"},{"Name":"ntmarta.dll","Author":"Wietze Beukema","Created":"2022-08-14","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\cacls.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Google\\Chrome\\Application\\chrome.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\msedge.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft\\EdgeWebView\\Application\\%VERSION%\\msedgewebview2.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ntmarta.html"},{"Name":"ntprint.dll","Author":"SanSan","Created":"2026-03-06","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\ntprint.exe","Type":"Search Order","Condition":"Trigger via `ntprint.exe PSetupElevatedLegacyPrintDriverInstallW {}`","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 
2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://www.hexacorn.com/blog/2025/10/06/ntprint-exe-lolbin/"],"Acknowledgements":[{"Name":"Adam","Twitter":"@hexacorn"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ntprint.html"},{"Name":"ntshrui.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\compmgmtlauncher.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ntshrui.html"},{"Name":"oci.dll","Author":"Wietze Beukema","Created":"2022-06-12","Vendor":"Microsoft","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"%SYSTEM32%\\msdtc.exe","Type":"Phantom","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/","https://www.crowdstrike.com/blog/4-ways-adversaries-hijack-dlls/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/built-in/oci.html"},{"Name":"offdmpsvc.dll","Author":"Swachchhanda Shrawan Poudel","Created":"2025-06-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"%SYSTEM32%\\wermgr.exe","Type":"Phantom","Condition":"Triggers via `wermgr -boot`; malicious DLL should be present in C:\\Windows\\System32","ExpectedVersionInformation":[{"CompanyName":"Microsoft Corporation","FileDescription":"Windows Problem Reporting","InternalName":"WerMgr","LegalCopyright":"© Microsoft Corporation. All rights reserved.","OriginalFilename":"WerMgr","ProductName":"Microsoft® Windows® Operating System"}]}],"Resources":["https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/"],"Acknowledgements":[{"Name":"Hexacorn","Twitter":"@Hexacorn"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/offdmpsvc.html"},{"Name":"oleacc.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bootim.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\cttune.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\devicepairingwizard.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\easeofaccessdialog.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fsquirt.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\magnify.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\optionalfeatures.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\osk.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\psr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sethc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\snippingtool.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\utilman.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wmpdmc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/oleacc.html"},{"Name":"omadmapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\deviceenroller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmcertinst.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmcfghost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmomacpmo.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\hvsievaluator.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmagent.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmappinstaller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmdiagnosticstool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\omadmrpc.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\usocoreworker.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/omadmapi.html"},{"Name":"onex.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/onex.html"},{"Name":"opcservices.dll","Author":"Chris 
Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\proximityuxhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/opcservices.html"},{"Name":"osbaseln.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\fondue.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\optionalfeatures.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/osbaseln.html"},{"Name":"osksupport.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\osk.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/osksupport.html"},{"Name":"osuninst.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\convert.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vds.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/osuninst.html"},{"Name":"p2p.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/p2p.html"},{"Name":"p2pnetsh.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/p2pnetsh.html"},{"Name":"p9np.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msdt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\powershell.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tabcal.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\verifier.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\workfolders.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\write.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/p9np.html"},{"Name":"pcaui.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\pcaui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\pcalua.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/pcaui.html"},{"Name":"pdh.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\plasrv.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\relog.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\taskmgr.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tracerpt.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\typeperf.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\logman.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/pdh.html"},{"Name":"peerdistsh.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/peerdistsh.html"},{"Name":"pkeyhelper.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\sppsvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/pkeyhelper.html"},{"Name":"pla.dll","Author":"Wietze 
Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\logman.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/pla.html"},{"Name":"playsndsrv.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\sethc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/playsndsrv.html"},{"Name":"pnrpnsp.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\ftp.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\hostname.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/pnrpnsp.html"},{"Name":"policymanager.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\displayswitch.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\easpolicymanagerbrokerhost.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\edpcleanup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\eduprintprov.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\hvsievaluator.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmdiagnosticstool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\settingsynchost.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\workfolders.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/policymanager.html"},{"Name":"polstore.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/polstore.html"},{"Name":"powrprof.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\fsquirt.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msinfo32.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\printfilterpipelinesvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sfc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/powrprof.html"},{"Name":"printui.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\printui.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/printui.html"},{"Name":"prntvpt.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\printfilterpipelinesvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/prntvpt.html"},{"Name":"profapi.dll","Author":"Chris 
Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\edpcleanup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\immersivetpmvscmgrsvr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\manage-bde.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mousocoreworker.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\provtool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rmttpmvscmgrsvr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tpmvscmgrsvr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\usocoreworker.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\wwahost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\write.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Microsoft Deployment Toolkit\\Bin\\Microsoft.BDD.Catalog35.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH","https://twitter.com/BSummerz/status/1860045985919205645"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"},{"Name":"Will 
Summerhill","Twitter":"@BSummerz"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/profapi.html"},{"Name":"propsys.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bootim.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\calc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\colorcpl.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\compmgmtlauncher.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\computerdefaults.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\customshellhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dpiscaling.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dsregcmd.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dxpserver.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fodhelper.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fondue.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fxssvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fxsunatd.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mobsync.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mspaint.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\netplwiz.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\optionalfeatures.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\pinenrollmentbroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\printbrmui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\printui.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\proximityuxhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\quickassist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpclip.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resmon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sdclt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\settingsynchost.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\slui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\synchost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wfs.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wkspbroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\workfolders.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wpnpinst.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\write.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\certreq.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\cleanmgr.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\control.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ddodiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dfrgui.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\explorer.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fxscover.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\licensingdiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msdt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\powershell.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%SYSTEM32%\\presentationsettings.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tabcal.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\verifier.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Google\\Chrome\\Application\\chrome.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\msedge.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Mozilla Firefox\\firefox.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%APPDATA%\\Zoom\\bin\\zoom.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\WindowsApps\\MicrosoftTeams%VERSION%\\msteams.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft 
Office\\root\\Office%VERSION%\\graph.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msoev.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msotd.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\onenote.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\outlook.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\powerpnt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/propsys.html"},{"Name":"proximitycommon.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\proximityuxhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/proximitycommon.html"},{"Name":"proximityservicepal.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\proximityuxhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/proximityservicepal.html"},{"Name":"prvdmofcomp.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\register-cimprovider.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/prvdmofcomp.html"},{"Name":"puiapi.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\printui.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/puiapi.html"},{"Name":"radcui.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\wkspbroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/radcui.html"},{"Name":"rasapi32.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\cmdl32.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\nethost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rasdial.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/rasapi32.html"},{"Name":"rasdlg.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\rasautou.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/rasdlg.html"},{"Name":"rasgcw.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\rasphone.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/rasgcw.html"},{"Name":"rasman.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\cmdl32.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\nethost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rasautou.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rasdial.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/rasman.html"},{"Name":"rasmontr.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/rasmontr.html"},{"Name":"reagent.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bootim.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\reagentc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\recdisc.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\recoverydrive.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\relpost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resetengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sdclt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/reagent.html"},{"Name":"regapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\change.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\chglogon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\query.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\reset.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/regapi.html"},{"Name":"reseteng.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bootim.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/reseteng.html"},{"Name":"resetengine.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\resetengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/resetengine.html"},{"Name":"resutils.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dfsdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\msdtc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/resutils.html"},{"Name":"rjvplatform.dll","Author":"Wietze Beukema","Created":"2023-07-28","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%\\SystemResetPlatform","%SYSWOW64%\\SystemResetPlatform"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\SystemResetPlatform\\SystemResetPlatform.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}],"Condition":"DLL should be placed in 'c:\\$sysreset\\framework\\stack\\'."}],"Resources":["https://twitter.com/0gtweet/status/1666716511988330499"],"Acknowledgements":[{"Name":"Grzegorz 
Tworek","Twitter":"@0gtweet"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/rjvplatform.html"},{"Name":"rmclient.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\runtimebroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/rmclient.html"},{"Name":"rpcnsh.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/rpcnsh.html"},{"Name":"rsaenh.dll","Author":"Wietze 
Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\compmgmtlauncher.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\disksnapshot.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\filehistory.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\licensingdiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\lpksetup.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\microsoft.uev.synccontroller.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\phoneactivate.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\powershell.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%SYSTEM32%\\rmactivate.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\scriptrunner.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sppextcomobj.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production 
PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tzsync.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\uevappmonitor.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\useraccountcontrolsettings.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\msedge.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Mozilla Firefox\\firefox.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\outlook.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\powerpnt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\winword.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%APPDATA%\\Zoom\\bin\\zoom.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msaccess.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msoadfsb.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\mspub.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\namecontrolserver.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\onenote.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/rsaenh.html"},{"Name":"rtutils.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dialer.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\nethost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rasautou.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rasdial.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rasphone.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/rtutils.html"},{"Name":"rtworkq.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\mdeserver.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mfpmp.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows 
Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/rtworkq.html"},{"Name":"samcli.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certutil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\change.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\chglogon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\chgport.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\credwiz.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dcdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\deviceenroller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dpapimig.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\easinvoker.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\net.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\net1.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netdom.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\netplwiz.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\query.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\quser.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\qwinsta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\raserver.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\reset.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rwinsta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tscon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tskill.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wpcmon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/samcli.html"},{"Name":"samlib.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dpapimig.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dsmgmt.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\easinvoker.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netplwiz.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ntdsutil.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/samlib.html"},{"Name":"sapi_onecore.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\devicecensus.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/sapi_onecore.html"},{"Name":"sas.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\quickassist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/sas.html"},{"Name":"scansetting.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\wiaacmgr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wiawow64.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/scansetting.html"},{"Name":"scecli.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\convert.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\secedit.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/scecli.html"},{"Name":"schedcli.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\at.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/schedcli.html"},{"Name":"secur32.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\appvclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\calc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\certreq.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\certutil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\computerdefaults.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dfsrdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsregcmd.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dsrm.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\fodhelper.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gpresult.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\klist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msdt.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\repadmin.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\consent.exe","Type":"Sideloading","SHA256":["24fa7502ba1933278e34fe0af4105d7fd997bdf2ceee440a9ff776c3186c285f"]},{"Path":"%SYSTEM32%\\compmgmtlauncher.exe","Type":"Search Order","Condition":"OneDrive is required. 
Additionally this can be used for AutoElevate on some Windows 10 versions only."},{"Path":"%LOCALAPPDATA%\\microsoft\\onedrive\\%VERSION%\\microsoft.sharepoint.exe","Type":"Search Order"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH","https://www.secureworks.com/research/shadowpad-malware-analysis","https://www.hexacorn.com/blog/2023/02/25/beyond-good-ol-run-key-part-141/","https://twitter.com/hackerfantastic/status/1657549979840307203","https://github.com/hackerhouse-opensource/CompMgmtLauncher_DLL_UACBypass"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"},{"Name":"Matthew Hickey","Twitter":"@hackerfantastic"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/secur32.html"},{"Name":"security.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\telnet.exe","Type":"Sideloading"}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/security.html"},{"Name":"sensapi.dll","Author":"Wietze Beukema","Created":"2023-07-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Minecraft Launcher\\MinecraftLauncher.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Mojang AB, O=Mojang AB, L=Stockholm, C=SE","Issuer":"CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=\"DigiCert, Inc.\", 
C=US","Type":"Authenticode"}],"SHA256":["6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495"]},{"Path":"usysdiag.exe","Type":"Sideloading","SHA256":["90040340ee101cac7831d7035230ac8ad4224d432e5636f34f13aa1c4a0c2041"]}],"Resources":["https://twitter.com/AndrewOliveau/status/1682185200862625792","https://www.fortinet.com/blog/threat-research/nailaolocker-ransomware-cheese"],"Acknowledgements":[{"Name":"Andrew Oliveau","Twitter":"@AndrewOliveau"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/sensapi.html"},{"Name":"shell32.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\control.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dpiscaling.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mobsync.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\presentationsettings.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\shellappruntime.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wallpaperhost.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/shell32.html"},{"Name":"shellchromeapi.dll","Author":"Wietze Beukema","Created":"2023-07-28","Vendor":"Microsoft","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"%SYSTEM32%\\DeviceEnroller.exe","Type":"Phantom","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}],"Condition":"This is a phantom DLL (not present by default), so the attacker-controlled DLL must be placed in c:\\Windows\\System32 alongside DeviceEnroller.exe; writing to that directory typically requires elevated privileges."}],"Resources":["https://dennisbabkin.com/blog/?t=pwning-windows-updates-dll-hijacking-through-orphaned-dll","https://twitter.com/0gtweet/status/1564131230941122561"],"Acknowledgements":[{"Name":"Grzegorz Tworek","Twitter":"@0gtweet"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/shellchromeapi.html"},{"Name":"slc.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\msinfo32.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\packageinspector.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\phoneactivate.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\slui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/slc.html"},{"Name":"snmpapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\arp.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netstat.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows 
Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/snmpapi.html"},{"Name":"spectrumsyncclient.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\spectrum.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/spectrumsyncclient.html"},{"Name":"spp.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\rstrui.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sdclt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\srtasks.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wbengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/spp.html"},{"Name":"sppc.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\msinfo32.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\packageinspector.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\slui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/sppc.html"},{"Name":"sppcext.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\phoneactivate.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/sppcext.html"},{"Name":"srclient.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\srtasks.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tiworker.exe","Type":"Sideloading","Condition":"Windows Server 2012"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://blog.vonahi.io/srclient-dll-hijacking/"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/srclient.html"},{"Name":"srcore.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\rstrui.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\srtasks.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/srcore.html"},{"Name":"srmtrace.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dirquota.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\filescrn.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\storrept.exe","Type":"Sideloading"}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/srmtrace.html"},{"Name":"srpapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\appidpolicyconverter.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mshta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpclip.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/srpapi.html"},{"Name":"srvcli.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\change.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\chglogon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\chgport.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dcdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dsdbutil.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\driverquery.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\eventcreate.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\getmac.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gpresult.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ksetup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\net.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 
2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\net1.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netdom.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\ntdsutil.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\openfiles.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\query.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\quser.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\qwinsta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\reset.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rwinsta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\shrpubw.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\spaceagent.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertiesadvanced.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\taskkill.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tasklist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tscon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tskill.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\waitfor.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wbengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/srvcli.html"},{"Name":"ssp.exe_rsaenh.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\rmactivate","Type":"Environment 
Variable","Variable":"SYSTEMROOT"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ssp.exe_rsaenh.html"},{"Name":"ssp_isv.exe_rsaenh.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\rmactivate","Type":"Environment Variable","Variable":"SYSTEMROOT"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ssp_isv.exe_rsaenh.html"},{"Name":"sspicli.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\at.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\bitsadmin.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\bootcfg.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\calc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\certreq.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\certutil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\computerdefaults.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\credentialenrollmentmanager.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\customshellhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\deviceenroller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dialer.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production 
PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\driverquery.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dsregcmd.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\edpcleanup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\eduprintprov.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\eventcreate.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fodhelper.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ftp.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\getmac.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gpresult.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\iesettingsync.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\klist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ksetup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ldp.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\logman.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdeserver.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msdt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mshta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msra.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mtstocom.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\muiunattend.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netdom.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\openfiles.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\perfmon.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\pinenrollmentbroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\presentationsettings.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\psr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\quickassist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpsa.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rpcping.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\runas.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sdclt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\setx.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\shutdown.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systeminfo.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\takeown.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\taskkill.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tasklist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\waitfor.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\whoami.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wkspbroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wlrmdr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\compmgmtlauncher.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rasphone.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%LOCALAPPDATA%\\Microsoft\\OneDrive\\OneDrive.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Code Signing PCA 2024, O=Microsoft Corporation, C=US","Type":"Authenticode"}]},{"Path":"%PROGRAMFILES%\\Microsoft OneDrive\\OneDrive.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Code Signing PCA 2024, O=Microsoft Corporation, C=US","Type":"Authenticode"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH","https://lab52.io/blog/analyzing-notdoor-inside-apt28s-expanding-arsenal/","https://www.legit4n6.com/OneDrive-SSPICLI-dll-Side-Loading-Proof-of-Concept-264d60e66daf80caa347f437baf5edf3"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"},{"Name":"Terry Liggett","Twitter":"@legit4n6"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/sspicli.html"},{"Name":"ssshim.dll","Author":"Wietze Beukema","Created":"2021-02-28","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\sfc.exe","Type":"Sideloading","AutoElevate":true,"Condition":"Parameters of `/scanfile=`, `/offbootdir` and `/offwindir` required","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://twitter.com/0gtweet/status/1363107343018385410"],"Acknowledgements":[{"Name":"Grzegorz Tworek","Twitter":"@0gtweet"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ssshim.html"},{"Name":"staterepository.core.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\applytrustoffline.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\lpremove.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/staterepository.core.html"},{"Name":"sti.dll","Author":"Tim Baker","Created":"2024-11-09","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Windows Photo 
Viewer\\ImagingDevices.exe","Type":"Sideloading","ExpectedVersionInformation":[{"CompanyName":"Microsoft Corporation","FileDescription":"Imaging Devices Control Panel","InternalName":"ImagingDevices.cpl","LegalCopyright":"© Microsoft Corporation. All rights reserved.","OriginalFilename":"ImagingDevices.cpl.mui","ProductName":"Microsoft® Windows® Operating System"}],"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/"],"Acknowledgements":[{"Name":"Tim Baker","Company":"DotSec (https://www.dotsec.com)"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/sti.html"},{"Name":"structuredquery.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\control.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\explorer.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows 
Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/structuredquery.html"},{"Name":"sxshared.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\defrag.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dfrgui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/sxshared.html"},{"Name":"systemsettingsthresholdadminflowui.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/systemsettingsthresholdadminflowui.html"},{"Name":"tapi32.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dialer.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fxssvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tcmsetup.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/tapi32.html"},{"Name":"tbs.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bootim.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmdiagnosticstool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resetengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sgrmbroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tpmtool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/tbs.html"},{"Name":"tdh.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\plasrv.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/tdh.html"},{"Name":"textshaping.dll","Author":"Gary Lobermier","Created":"2023-05-22","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Windows Kits\\10\\Debuggers\\x64\\logger.exe","Type":"Sideloading"},{"Path":"%PROGRAMFILES%\\Windows Kits\\10\\Debuggers\\x64\\logviewer.exe","Type":"Sideloading"}],"Resources":["https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/built-in/textshaping.html"},{"Name":"timesync.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/timesync.html"},{"Name":"tpmcoreprovisioning.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\tpmtool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/tpmcoreprovisioning.html"},{"Name":"tquery.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\searchfilterhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\searchprotocolhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/tquery.html"},{"Name":"tsmsisrv.dll","Author":"Swachchhanda Shrawan Poudel","Created":"2025-09-05","Vendor":"Microsoft","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"%SYSTEM32%\\svchost.exe","Condition":"DLL has to be placed in %SystemRoot%\\System32; loading can be triggered by execution of \"SessionEnv\" service","Type":"Phantom"}],"Resources":["https://www.gendigital.com/blog/insights/research/png-steganography-hides-backdoor"],"Acknowledgements":[{"Name":"Swachchhanda Shrawan Poudel","Twitter":"@_swachchhanda_","Company":"Nextron Systems"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/tsmsisrv.html"},{"Name":"tsvipsrv.dll","Author":"Swachchhanda Shrawan Poudel","Created":"2025-09-05","Vendor":"Microsoft","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"%SYSTEM32%\\svchost.exe","Condition":"DLL has to be placed in %SystemRoot%\\System32; loading can be triggered by execution of \"SessionEnv\" service","Type":"Phantom"}],"Resources":["https://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/","https://www.gendigital.com/blog/insights/research/png-steganography-hides-backdoor"],"Acknowledgements":[{"Name":"Swachchhanda Shrawan Poudel","Twitter":"@_swachchhanda_","Company":"Nextron 
Systems"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/tsvipsrv.html"},{"Name":"tsworkspace.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\wkspbroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/tsworkspace.html"},{"Name":"ttdrecord.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\tttracer.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/ttdrecord.html"},{"Name":"twext.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\compmgmtlauncher.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/twext.html"},{"Name":"twinapi.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dataexchangehost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rasphone.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpclip.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\msedge.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\powerpnt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\winword.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft 
Office\\root\\Office%VERSION%\\msaccess.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\mspub.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/twinapi.html"},{"Name":"twinui.appcore.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\calc.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/twinui.appcore.html"},{"Name":"uianimation.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\cloudnotifications.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gamepanel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/uianimation.html"},{"Name":"uiautomationcore.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\gamepanel.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\magnify.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/uiautomationcore.html"},{"Name":"uireng.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\psr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/uireng.html"},{"Name":"uiribbon.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\wordpad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/uiribbon.html"},{"Name":"umpdc.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\deviceenroller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmcertinst.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\iesettingsync.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mousocoreworker.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\netevtfwdr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\settingsynchost.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\usocoreworker.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\wifitask.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\runtimebroker.exe","Type":"Sideloading","Condition":"Works on Windows 10 and Windows Server 2016","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"},{"Name":"Michał Kucharski","Twitter":"@Kucharskov"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/umpdc.html"},{"Name":"unattend.dll","Author":"Chris 
Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\recoverydrive.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/unattend.html"},{"Name":"updatepolicy.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\mousocoreworker.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\musnotification.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\musnotificationux.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\usoclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\usocoreworker.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/updatepolicy.html"},{"Name":"upshared.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\musnotification.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\musnotificationux.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\musnotifyicon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/upshared.html"},{"Name":"urlmon.dll","Author":"Chris 
Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bytecodegenerator.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ie4uinit.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ldifde.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\presentationhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\write.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/urlmon.html"},{"Name":"userenv.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\appidpolicyconverter.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\appvclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\appvshnotify.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\bdeuisrv.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\colorcpl.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\customshellhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dccw.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\deviceenroller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmomacpmo.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dsregcmd.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\efsui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gpupdate.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmappinstaller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmdiagnosticstool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\microsoftedgebchost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\microsoftedgecp.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\microsoftedgesh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mrt.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msra.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\musnotification.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\musnotificationux.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\proquota.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rekeywiz.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\runexehelper.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\securityhealthservice.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\settingsynchost.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tttracer.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\utcdecoderhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vaultcmd.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\workfolders.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wpcmon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/userenv.html"},{"Name":"utildll.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\change.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\chglogon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\chgport.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\query.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\quser.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\qprocess.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\qwinsta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\reset.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rwinsta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tscon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tskill.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/utildll.html"},{"Name":"uxinit.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\winlogon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/uxinit.html"},{"Name":"uxtheme.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\atbroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\cloudnotifications.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\cttune.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\displayswitch.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ehstorauthn.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\filehistory.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gamepanel.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\isoburn.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mblctr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mmc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msdt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msra.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\musnotifyicon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\passwordonwakesettingflyout.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\quickassist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\recoverydrive.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sdclt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sethc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sndvol.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\snippingtool.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\taskmgr.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wfs.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wiaacmgr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wiawow64.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wmpdmc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\KeePass Password Safe 2\\KeePass.exe","Type":"Search Order"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH","https://skr1x.github.io/keepass-dll-hijacking/"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"},{"Name":"Skrix","Twitter":"@skr1x_"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/uxtheme.html"},{"Name":"vaultcli.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\cipher.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\efsui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rekeywiz.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vaultcmd.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/vaultcli.html"},{"Name":"vcruntime140.dll","Author":"Swachchhanda Shrawan Poudel","Created":"2026-01-06","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Microsoft SQL Server\\%VERSION%\\Shared\\sqlwriter.exe","Type":"Sideloading","SHA256":["8d1d449a0bd5b2085c52e4662e5999d2163f8e2b7a73874329fb4f01a397d7ab"]},{"Path":"%PROGRAMFILES%\\Microsoft SQL 
Server\\%VERSION%\\Shared\\SqlDumper.exe","Type":"Sideloading","SHA256":["116866708b5c22d643427203e7b0b023ccee8effeec8801638421bf96e569813"]}],"Resources":["https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-apt29-cozy-bear-wineloader","https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties"],"Acknowledgements":[{"Name":"Swachchhanda Shrawan Poudel","Twitter":"@_swachchhanda_","Company":"Nextron Systems"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/vcruntime140.html"},{"Name":"vdsutil.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\vdsldr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/vdsutil.html"},{"Name":"version.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\agentservice.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\certutil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows 
Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\choice.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\clip.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\cmstp.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\cofire.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\cscript.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\diskpart.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\diskraid.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dism.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\driverquery.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\forfiles.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fxssvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ie4ushowie.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\iexpress.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msconfig.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\openfiles.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\presentationhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\psr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\RelPost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sfc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sigverif.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systeminfo.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\taskkill.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tasklist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\timeout.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\unregmp2.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\verifiergui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vsgraphicsdesktopengine.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\waitfor.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wextract.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\where.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\whoami.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\winsat.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wscript.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%APPDATA%\\Zoom\\bin\\Zoom.exe","Condition":"Zoom for Windows <= 5.11.1 (6602)","Type":"Sideloading"},{"Path":"%SYSTEM32%\\icardagt.exe","Type":"Sideloading","SHA256":["473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7"],"ExpectedVersionInformation":[{"CompanyName":"Microsoft Corporation","FileDescription":"Windows CardSpace User Interface Agent","FileVersion":"3.0.4506.4926 (NetFXw7.030729-4900)","InternalName":"icardagt.exe","LegalCopyright":"© Microsoft Corporation.  All rights reserved.","OriginalFilename":"icardagt.exe","ProductName":"Microsoft® .NET Framework","ProductVersion":"3.0.4506.4926"}],"ExpectedSignatureInformation":[{"Type":"Authenticode","Subject":"CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US","Issuer":"CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH","https://twitter.com/an0n_r0/status/1544472352657915904","https://www.cyjax.com/resources/blog/a-sting-on-bing-bumblebee-delivered-through-bing-seo-poisoning-campaign/","https://www.virustotal.com/gui/file/96480ef5ccfa8fcb0646538c440103d97ab741ed83f4c2bcb7b4717569f88770/community"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"},{"Name":"an0n","Twitter":"@an0n_r0"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/version.html"},{"Name":"virtdisk.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bootim.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vssvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wbengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/virtdisk.html"},{"Name":"vssapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bootim.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\cleanmgr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dsdbutil.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\ntdsutil.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\recoverydrive.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resetengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rstrui.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sdclt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\srtasks.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vssadmin.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vssvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wbengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Avira\\Antivirus\\avshadow.exe","Type":"Sideloading","SHA256":["292e3528a0aa6bf45ecdab5e1d32e5ddd92123e6fd77271b39ba616fbb88faaf"]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH","https://www.welivesecurity.com/2023/03/14/slow-ticking-time-bomb-tick-apt-group-dlp-software-developer-east-asia/"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/vssapi.html"},{"Name":"vsstrace.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bootim.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft 
Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resetengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rstrui.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sdclt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\srtasks.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vssadmin.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vssvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wbengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/vsstrace.html"},{"Name":"wbemcomn.dll","Author":"v1stra","Created":"2024-12-12","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\Wbem\\WmiApSrv.exe","Type":"Search Order"}],"Resources":["https://gist.github.com/v1stra/7a13f2a27a1c9b97778d12e13a3d53c2"],"Acknowledgements":[{"Name":"v1stra","Twitter":"@_v1stra"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wbemcomn.html"},{"Name":"wbemprox.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%\\wbem","%SYSWOW64%\\wbem"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\cttune.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\devicecensus.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\driverquery.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\getmac.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gpresult.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\licensingdiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msinfo32.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systeminfo.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\taskkill.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tasklist.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\msedge.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excelcnv.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msaccess.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 
2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\mspub.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\onenote.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\outlook.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\powerpnt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\scanpst.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\winword.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wbemprox.html"},{"Name":"wbemsvc.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%\\wbem","%SYSWOW64%\\wbem"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\cttune.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\devicecensus.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\driverquery.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\getmac.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\licensingdiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msinfo32.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systeminfo.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tasklist.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\msedge.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excelcnv.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msaccess.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\mspub.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\onenote.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\outlook.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft 
Office\\root\\Office%VERSION%\\powerpnt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\scanpst.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\winword.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wbemsvc.html"},{"Name":"wcmapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wcmapi.html"},{"Name":"wcnnetsh.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wcnnetsh.html"},{"Name":"wdi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\cofire.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msra.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dpiscaling.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\slui.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wdi.html"},{"Name":"wdscore.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bootim.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\deploymentcsphelper.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\djoin.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dnscacheugc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\muiunattend.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netbtugc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netiougc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\pnpunattend.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\recoverydrive.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resetengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\setupugc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sysreseterr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tapiunattend.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ieunatt.exe","Type":"Sideloading","Condition":"On Windows 11 and higher","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH","https://www.hexacorn.com/blog/2023/12/30/1-little-known-secret-of-ieunatt-exe-on-win11/"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"},{"Name":"Adam","Twitter":"@hexacorn"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wdscore.html"},{"Name":"webservices.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\clipup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sppsvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\vsgraphicsdesktopengine.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\vsgraphicsremoteengine.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\wifitask.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wksprt.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/webservices.html"},{"Name":"wecapi.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\wecutil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wecapi.html"},{"Name":"wer.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dwwin.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msdt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\pcalua.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\relpost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rstrui.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sdclt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\srtasks.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wbengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\werfault.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\werfaultsecure.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wermgr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wer.html"},{"Name":"wevtapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\cidiag.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dcdiag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\gpupdate.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mbaeparsertask.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\nlb.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\packageinspector.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft 
Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\plasrv.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tracerpt.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wecutil.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wlbs.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\wsreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\filehistory.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\logman.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wevtapi.html"},{"Name":"whhelper.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/whhelper.html"},{"Name":"wimgapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%","%PROGRAMFILES%\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\arm64\\DISM"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\recoverydrive.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resetengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production 
PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dism.exe","Type":"Phantom","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/","https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Adam","Twitter":"@hexacorn"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wimgapi.html"},{"Name":"winbio.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\securityhealthservice.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/winbio.html"},{"Name":"winbrand.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\bdehdcfg.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\licensediag.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\slui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertiesadvanced.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/winbrand.html"},{"Name":"windows.storage.dll","Author":"Wietze 
Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\calc.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\certreq.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\compmgmtlauncher.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\control.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dfrgui.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\explorer.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\filehistory.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\licensingdiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msdt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\powershell.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT"},{"Path":"%SYSTEM32%\\presentationsettings.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpclip.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tabcal.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\verifier.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wfs.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\workfolders.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\write.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wscollect.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Google\\Chrome\\Application\\chrome.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\msedge.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Mozilla Firefox\\firefox.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\outlook.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\powerpnt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\winword.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%APPDATA%\\Zoom\\bin\\zoom.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\WindowsApps\\MicrosoftTeams%VERSION%\\msteams.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msaccess.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msoev.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msotd.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\mspub.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\onenote.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/windows.storage.html"},{"Name":"windows.storage.search.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\control.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\explorer.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/windows.storage.search.html"},{"Name":"windows.ui.immersive.dll","Author":"Chris Spehn","Created":"2021-08-16","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dmnotificationbroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\phoneactivate.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/windows.ui.immersive.html"},{"Name":"windowscodecs.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\osk.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\quickassist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wmpdmc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\compmgmtlauncher.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dfrgui.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\explorer.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\filehistory.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\gamepanel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\presentationsettings.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production 
PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wfs.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\winver.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wordpad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%SYSTEM32%\\wscollect.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\msedge.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\excel.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\outlook.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\powerpnt.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\winword.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\msaccess.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested 
against Microsoft Office 2021"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\mspub.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","Condition":"Tested against Microsoft Office 2021"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/windowscodecs.html"},{"Name":"windowscodecsext.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\wfs.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/windowscodecsext.html"},{"Name":"windowsperformancerecordercontrol.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\windows kits\\10\\windows performance toolkit","%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\wpr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/windowsperformancerecordercontrol.html"},{"Name":"windowsudk.shellcommon.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\compmgmtlauncher.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\explorer.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\msedge.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/windowsudk.shellcommon.html"},{"Name":"winhttp.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\cmdl32.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\devicecensus.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dsregcmd.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmdiagnosticstool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msdt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mshta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft 
Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\musnotification.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\musnotificationux.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\musnotifyicon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\pacjsworker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\recoverydrive.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resetengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rpcping.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sgrmlpac.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sihclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wkspbroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Minecraft 
Launcher\\MinecraftLauncher.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Mojang AB, O=Mojang AB, L=Stockholm, C=SE","Issuer":"CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=\"DigiCert, Inc.\", C=US","Type":"Authenticode"}],"SHA256":["6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495"]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH","https://twitter.com/AndrewOliveau/status/1682185200862625792"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"},{"Name":"Andrew Oliveau","Twitter":"@AndrewOliveau"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/winhttp.html"},{"Name":"wininet.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\appvclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\browserexport.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\calc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\certreq.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\computerdefaults.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dsregcmd.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\fodhelper.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ie4uinit.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\logagent.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmdiagnosticstool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\presentationhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\quickassist.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tokenbrokercookies.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wkspbroker.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wksprt.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wininet.html"},{"Name":"winipsec.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/winipsec.html"},{"Name":"winmde.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\mdeserver.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/winmde.html"},{"Name":"winmm.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\mblctr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mspaint.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\osk.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\presentationsettings.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\proximityuxhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wfs.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\winsat.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securelist.com/wastedlocker-technical-analysis/97944/","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/winmm.html"},{"Name":"winnsi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/winnsi.html"},{"Name":"winrnr.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\ftp.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\hostname.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Mozilla Firefox\\firefox.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/winrnr.html"},{"Name":"winscard.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\immersivetpmvscmgrsvr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rmttpmvscmgrsvr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production 
PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tpmvscmgrsvr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/winscard.html"},{"Name":"winsqlite3.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\browserexport.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mousocoreworker.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/winsqlite3.html"},{"Name":"winsta.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\change.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, 
O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\chglogon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\chgport.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ctfmon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\displayswitch.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\msg.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\musnotification.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\query.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\quser.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\qprocess.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\qwinsta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpclip.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpinput.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpsa.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpsauachelper.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpshell.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdvghelper.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\reset.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rwinsta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertiesadvanced.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertiescomputername.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertiesdataexecutionprevention.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertieshardware.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertiesprotection.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertiesremote.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tscon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tsdiscon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tskill.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\DriverStore\\FileRepository\\%VERSION%\\igfxSDK.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Intel(R) pGFX 2020, O=Intel Corporation, L=Santa Clara, S=CA, C=US","Issuer":"CN=Intel External Issuing CA 7B, O=Intel Corporation, L=Santa Clara, S=CA, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH","https://twitter.com/BSummerz/status/1716851156625105342"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"},{"Name":"Will Summerhill","Twitter":"@BSummerz"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/winsta.html"},{"Name":"winsync.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\synchost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris 
Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/winsync.html"},{"Name":"wkscli.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\djoin.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dsregcmd.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\edpcleanup.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\getmac.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ie4uinit.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mshta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mstsc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\net.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\net1.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netdom.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\secinit.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systempropertiesadvanced.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 
2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\whoami.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wkscli.html"},{"Name":"wlanapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\legacynetuxhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wifitask.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wlanapi.html"},{"Name":"wlancfg.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wlancfg.html"},{"Name":"wlbsctrl.dll","Author":"Wietze Beukema","Created":"2022-06-12","Vendor":"Microsoft","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"%SYSTEM32%\\svchost.exe","Condition":"IKEEXT Service on Windows <=8","Type":"Phantom","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992","https://www.youtube.com/watch?v=MZ8fgAN2As8","https://www.crowdstrike.com/blog/4-ways-adversaries-hijack-dlls/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/built-in/wlbsctrl.html"},{"Name":"wldp.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\mshta.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\securityhealthservice.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\write.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wldp.html"},{"Name":"wlidprov.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\devicecensus.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\shellappruntime.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wlidprov.html"},{"Name":"wmiclnt.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\dispdiag.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\iscsicli.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wmiclnt.html"},{"Name":"wmidcom.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Environment 
Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wmidcom.html"},{"Name":"wmiutils.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%\\wbem","%SYSWOW64%\\wbem"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tasklist.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wmiutils.html"},{"Name":"wmpdui.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\wmpdmc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, 
S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wmpdui.html"},{"Name":"wmsgapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\osk.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wmsgapi.html"},{"Name":"wofutil.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\recoverydrive.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resetengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wofutil.html"},{"Name":"wow64log.dll","Author":"ice-wzl","Created":"2025-01-01","Vendor":"Microsoft","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"cmder.exe","Type":"Phantom","SHA256":["6F35596886C21C661972FCF117DC9BC392E49B164D86EC1F1DB7AAAAC82DFB24"]}],"Resources":["https://waleedassar.blogspot.com/2013/01/wow64logdll.html","https://github.com/ice-wzl/Cmder_DLL_Side-Loading/blob/main/README.md"],"Acknowledgements":[{"Name":"ice-wzl","Twitter":"@ice_wzl_cyber"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wow64log.html"},{"Name":"wpdshext.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\notepad.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wpdshext.html"},{"Name":"wptsextensions.dll","Author":"k4nfr3","Created":"2022-08-15","Vendor":"Microsoft","CVE":null,"ExpectedLocations":null,"VulnerableExecutables":[{"Path":"%SYSTEM32%\\svchost.exe","Type":"Phantom","PrivilegeEscalation":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html"],"Acknowledgements":[{"Name":"itm4n","Twitter":"@itm4n"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wptsextensions.html"},{"Name":"wscapi.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\wscadminui.exe","Type":"Sideloading"}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wscapi.html"},{"Name":"wsdapi.dll","Author":"Gary Lobermier","Created":"2023-05-22","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Windows Kits\\10\\bin\\%VERSION%\\x64\\wsddebug_host.exe","Type":"Sideloading"}],"Resources":["https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/built-in/wsdapi.html"},{"Name":"wshbth.dll","Author":"Wietze 
Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\ftp.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\hostname.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\stordiag.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wshbth.html"},{"Name":"wshelper.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wshelper.html"},{"Name":"wsmsvc.dll","Author":"Chris Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\winrs.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wsmanhttpconfig.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wsmprovhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wsmsvc.html"},{"Name":"wtsapi32.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\appvclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 
2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\bdeuisrv.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\customshellhost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\magnify.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mblctr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmappinstaller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\raserver.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpclip.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpinput.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpinit.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdpshell.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rdvghelper.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\sdclt.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\securityhealthservice.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sethc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\slui.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemsettingsadminflows.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\wusa.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"},{"Name":"Austin Worline","Company":"Huntress","Twitter":"@0xffaraday"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wtsapi32.html"},{"Name":"wwancfg.dll","Author":"Wietze 
Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wwancfg.html"},{"Name":"wwapi.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\netsh.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/wwapi.html"},{"Name":"xmllite.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\certreq.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\ddodiag.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\deviceenroller.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmcfghost.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dmomacpmo.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\dxcap.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\dxpserver.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mdmdiagnosticstool.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\mousocoreworker.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\musnotificationux.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\musnotifyicon.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\omadmclient.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\psr.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\resetengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\sppsvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, 
C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\systemreset.exe","Type":"Sideloading","AutoElevate":true,"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\tracerpt.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\upfc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\usocoreworker.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\vsgraphicsdesktopengine.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\vsgraphicsremoteengine.exe","Type":"Sideloading"},{"Path":"%SYSTEM32%\\wbengine.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\compmgmtlauncher.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\explorer.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, 
L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\filehistory.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%PROGRAMFILES%\\Microsoft\\Edge\\Application\\msedge.exe","Type":"Environment Variable","Variable":"SYSTEMROOT"},{"Path":"%PROGRAMFILES%\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe","Type":"Sideloading"}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows","https://wietze.github.io/blog/save-the-environment-variables","https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"},{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"},{"Name":"Michał Kucharski","Twitter":"@Kucharskov"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/xmllite.html"},{"Name":"xolehlp.dll","Author":"Wietze Beukema","Created":"2021-02-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\msdtc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/hijacking-dlls-in-windows"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/xolehlp.html"},{"Name":"xpsservices.dll","Author":"Chris 
Spehn","Created":"2021-08-17","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\printfilterpipelinesvc.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://securityintelligence.com/posts/windows-features-dll-sideloading/","https://github.com/xforcered/WFH"],"Acknowledgements":[{"Name":"Chris Spehn","Twitter":"@ConsciousHacker"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/xpsservices.html"},{"Name":"xwizards.dll","Author":"Wietze Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\devicepairingwizard.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rasphone.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/xwizards.html"},{"Name":"xwtpw32.dll","Author":"Wietze 
Beukema","Created":"2022-05-21","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%SYSTEM32%\\devicepairingwizard.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]},{"Path":"%SYSTEM32%\\rasphone.exe","Type":"Environment Variable","Variable":"SYSTEMROOT","ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Catalog"}]}],"Resources":["https://wietze.github.io/blog/save-the-environment-variables"],"Acknowledgements":[{"Name":"Wietze","Twitter":"@wietze"}],"url":"https://hijacklibs.net/entries/microsoft/built-in/xwtpw32.html"},{"Name":"appvisvsubsystems64.dll","Author":"Still Hsu","Created":"2025-10-20","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Common Files\\microsoft shared\\ClickToRun","%PROGRAMFILES%\\Common Files\\microsoft shared\\ClickToRun\\Updates\\%VERSION%","%PROGRAMFILES%\\Microsoft Office\\root\\Client","%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%","%PROGRAMFILES%\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX64\\Microsoft Shared\\Office%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\winword.exe","Type":"Sideloading","SHA256":["341ba8a556f4ac503ab23d9e5d2114261afd24aed332f2e404705b522afd5998","6c55195f025fb895f9d0ec3edbf58bc0aa46c43eeb246cfb88eef1ae051171b3"],"ExpectedVersionInformation":[{"CompanyName":"Microsoft Corporation","FileDescription":"Microsoft 
Word","FileVersion":"16.0.18730.20168","InternalName":"WinWord","OriginalFilename":"WinWord.exe","ProductName":"Microsoft Office","ProductVersion":"16.0.18730.20168"}],"ExpectedSignatureInformation":[{"Type":"Authenticode","Subject":"CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"}]},{"Path":"%PROGRAMFILES%\\Microsoft Office\\root\\Office%VERSION%\\powerpnt.exe","Type":"Sideloading","SHA256":["420d20cddfaada4e96824a9184ac695800764961bad7654a6a6c3fe9b1b74b9a"],"ExpectedVersionInformation":[{"FileDescription":"Microsoft PowerPoint","FileVersion":"16.0.14430.20306","InternalName":"POWERPNT","OriginalFilename":"POWERPNT.EXE","ProductName":"Microsoft Office"}],"ExpectedSignatureInformation":[{"Type":"Authenticode","Subject":"CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"}]}],"Resources":["https://research.checkpoint.com/2025/apt29-phishing-campaign/","https://lab52.io/blog/2162-2/","https://www.virustotal.com/gui/file/b0ecfe94a829ef82819a5bec168d313a55e07544c3e20e252239679b2e0f46c9"],"Acknowledgements":[{"Name":"Still Hsu","Twitter":"@AzakaSekai_"}],"url":"https://hijacklibs.net/entries/microsoft/external/appvisvsubsystems64.html"},{"Name":"atltracetoolui.dll","Author":"Wietze Beukema","Created":"2023-04-04","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Microsoft Visual Studio 11.0\\Common7\\Tools"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Microsoft Visual Studio 11.0\\Common7\\Tools\\ATLTraceTool8.exe","Type":"Sideloading","ExpectedSignatureInformation":[{"Subject":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Corporation","Issuer":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing 
PCA","Type":"Authenticode"}],"SHA256":["197d0ad8e3f6591e4493daaee9e52e53ecf192e32f9d167c67f2ffb408c76f2c"]}],"Resources":["https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/external/atltracetoolui.html"},{"Name":"concrt140.dll","Author":"Austin Worline","Created":"2025-04-06","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Microsoft Visual Studio\\%VERSION%\\Community\\Common7\\IDE\\VC\\vcpackages","%PROGRAMFILES%\\Microsoft Visual Studio\\%VERSION%\\BuildTools\\Common7\\IDE\\VC\\vcpackages","%PROGRAMFILES%\\Microsoft Visual Studio\\%VERSION%\\BuildTools\\Common7\\IDE","%PROGRAMFILES%\\Microsoft Intune Management Extension","%PROGRAMFILES%\\Microsoft\\Edge\\Application\\%VERSION%","%PROGRAMFILES%\\Microsoft\\EdgeWebView\\Application\\%VERSION%","%PROGRAMFILES%\\microsoft\\edgewebview\\application\\%VERSION%","%PROGRAMFILES%\\Microsoft RDInfra\\RDMonitoringAgent_%VERSION%\\Agent","%PROGRAMFILES%\\WindowsApps\\Microsoft.VCLibs.%VERSION%","%PROGRAMFILES%\\WindowsApps\\Microsoft.OutlookForWindows_%VERSION%","%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"vcpkgsrv.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"VCPkgSrv.exe","InternalName":"VCPkgSrv.exe","FileDescription":"Microsoft (R) Visual C++ Package Server"}],"SHA256":["a5c5487194f761dac90e178c9c1753c0f47b041f3168b5c23a587f33f69e5089"]}],"Resources":["https://www.youtube.com/watch?v=uTQIIWsUSHA","https://www.virustotal.com/gui/file/119910bd40da350fe61397b7eb8b6bc4c1280ff130129b4f5046d7f460c62fac"],"Acknowledgements":[{"Name":"Austin Worline","Company":"Huntress","Twitter":"@0xffaraday"}],"url":"https://hijacklibs.net/entries/microsoft/external/concrt140.html"},{"Name":"dbgeng.dll","Author":"Wietze 
Beukema","Created":"2023-03-01","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Windows Kits\\%VERSION%\\Debuggers\\x86","%PROGRAMFILES%\\Windows Kits\\%VERSION%\\Debuggers\\x64","%PROGRAMFILES%\\Windows Kits\\%VERSION%\\Debuggers\\arm","%PROGRAMFILES%\\Windows Kits\\%VERSION%\\Debuggers\\arm64","%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"windbg.exe","Type":"Sideloading"}],"Resources":["https://twitter.com/mrexodia/status/1630320327967252483"],"Acknowledgements":[{"Name":"Duncan Ogilvie","Twitter":"@mrexodia"}],"url":"https://hijacklibs.net/entries/microsoft/external/dbgeng.html"},{"Name":"formdll.dll","Author":"Wietze Beukema","Created":"2023-09-04","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Common Files\\Microsoft Shared\\NoteSync Forms"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Common Files\\Microsoft Shared\\NoteSync Forms\\inkform.exe","Type":"Sideloading","SHA256":["0e545a54f3cfef84bb59be1a95453ae4b34b5464b0f5ca618a0da2e4c97c7526"]}],"Resources":["https://any.run/report/d9c7f6d4ec08d961c20dac1b6422b3fbec5c6a8d9dc67d1f604835b36c5f224e/ae068531-92db-497d-b0cb-c0b1af5476f1"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/external/formdll.html"},{"Name":"gflagsui.dll","Author":"Gary Lobermier","Created":"2023-05-22","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Windows Kits\\10\\Debuggers\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Windows Kits\\10\\Debuggers\\%VERSION%\\gflags.exe","Type":"Sideloading","AutoElevate":true}],"Resources":["https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/external/gflagsui.html"},{"Name":"hha.dll","Author":"Wietze Beukema","Created":"2021-12-08","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%","%PROGRAMFILES%\\HTML Help 
Workshop"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\HTML Help Workshop\\hhc.exe","Type":"Sideloading","SHA256":["3e96894609819ae3d595ff6e0fbe9ce6c9ac17bdeda256b994831992f668cb99"]}],"Resources":["https://blog.trendmicro.com/trendlabs-security-intelligence/new-wave-of-plugx-targets-legitimate-apps/","https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/"],"Acknowledgements":[{"Name":"Adam","Twitter":"@hexacorn"}],"url":"https://hijacklibs.net/entries/microsoft/external/hha.html"},{"Name":"imjp14k.dll","Author":"Wietze Beukema","Created":"2024-09-08","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%SYSTEM32%","%SYSWOW64%","%PROGRAMFILES%\\Common Files\\Microsoft Shared\\IME14\\SHARED"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Common Files\\Microsoft Shared\\IME14\\SHARED\\imecmnt.exe","Type":"Sideloading","ExpectedVersionInformation":[{"CompanyName":"Microsoft Corporation","FileDescription":"Microsoft Office IME 2010","FileVersion":"14.0.4734.1000","InternalName":"imecmnt.exe","LegalCopyright":"© 2010 Microsoft Corporation.\nAll rights reserved.","OriginalFilename":"imecmnt.exe","ProductName":"Microsoft Office IME 2010","ProductVersion":"14.0.4734.1000"}],"ExpectedSignatureInformation":[{"Subject":"CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Issuer":"CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US","Type":"Authenticode"}],"SHA256":["80a7ff01de553cb099452cb9fac5762caf96c0c3cd9c5ad229739da7f2a2ca72"]}],"Resources":["https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/","https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/external/imjp14k.html"},{"Name":"iviewers.dll","Author":"Wietze 
Beukema","Created":"2022-06-14","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Windows Kits\\10\\bin\\%VERSION%\\x86","%PROGRAMFILES%\\Windows Kits\\10\\bin\\%VERSION%\\x64","%PROGRAMFILES%\\Windows Kits\\10\\bin\\%VERSION%\\arm","%PROGRAMFILES%\\Windows Kits\\10\\bin\\%VERSION%\\arm64"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Windows Kits\\10\\bin\\%VERSION%\\x86\\oleview.exe","Type":"Sideloading"},{"Path":"%PROGRAMFILES%\\Windows Kits\\10\\bin\\%VERSION%\\x64\\oleview.exe","Type":"Sideloading"},{"Path":"%PROGRAMFILES%\\Windows Kits\\10\\bin\\%VERSION%\\arm64\\oleview.exe","Type":"Sideloading"}],"Resources":["https://www.secureworks.com/research/shadowpad-malware-analysis","https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/external/iviewers.html"},{"Name":"midlrtmd.dll","Author":"Rick Gatenby","Created":"2026-02-03","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Windows Kits\\%VERSION%\\bin\\%VERSION%\\x64\\mdmerge.exe","%PROGRAMFILES%\\Windows Kits\\%VERSION%\\bin\\%VERSION%\\x86\\mdmerge.exe"],"VulnerableExecutables":[{"Path":"mdmerge.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"mdmerge.exe","FileDescription":"Microsoft MDMERGE Utility"}],"SHA256":["ac9f2ae9de5126691b9391c990f9d4f1c25afa912fbfda2d4abfe9f9057bdd8c"]}],"Resources":["https://www.crowdstrike.com/en-us/blog/new-supply-chain-attack-leverages-comm100-chat-installer","https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_7_hara_nakajima_kawakami_en.pdf","https://x.com/Cyberteam008/status/1858703453981450712"],"Acknowledgements":[{"Name":"Rick Gatenby","Company":"CyberCX"}],"url":"https://hijacklibs.net/entries/microsoft/external/midlrtmd.html"},{"Name":"mpgear.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-04-15","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Windows Defender 
Advanced Threat Protection\\Classification","%SYSTEM32%\\MRT\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Windows Defender Advanced Threat Protection\\Classification\\SenseCE.exe","Type":"Sideloading","SHA256":["8dc4d5deef19fb4da195c270819a6ee283b67408fc9ee187216a0ce80ee61bab"]}],"Resources":["https://asec.ahnlab.com/en/58319/","https://www.virustotal.com/gui/file/1643a9c54e5d730fb0ebf4ab49e6c1d3a09dcd2c3a0282674330346d90990ab0","https://www.virustotal.com/gui/file/e1316301e7904a415fdd2a1707d1a48220cce055aab17b36a48e67bf0369edba"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/microsoft/external/mpgear.html"},{"Name":"msidcrl40.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-05-29","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\msn messenger"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\msn messenger\\livecall.exe","Type":"Sideloading","SHA256":["63ec17feda1f0ea80e0dd7b7938fbf7354aedf8d9f4041543afca9a35337f7bf"]}],"Resources":["https://www.virustotal.com/gui/file/e2787ddbbf2a7304827a17d698f7cede17edbf0633d36f39f4c020ee8f37ccd1","https://www.virustotal.com/gui/file/448bfca5913e45ec36863ec2e72d959bd1f8ac30e0c794b708b3a6f45a050ef4"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/microsoft/external/msidcrl40.html"},{"Name":"msimg32.dll","Author":"Jai Minton - HuntressLabs","Created":"2025-04-10","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Haihaisoft PDF Reader","%SYSTEM32%","%SYSWOW64%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Haihaisoft PDF Reader\\hpreader.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"hpreader.exe","InternalName":"hpreader.exe","FileDescription":"Haihaisoft PDF 
Reader"}],"ExpectedSignatureInformation":[{"Subject":"C=HK,1.2.840.113549.1.9.1=#0c156a6f7365706840686169686169736f66742e636f6d, L=Hong Kong,ST=Hong Kong, O=Haihaisoft Limited, CN=Haihaisoft Limited","Issuer":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CodeSigning CA - SHA256 - G3","Type":"Authenticode"}],"SHA256":["2f9be76319a2441d14e7e10239373f053f05f3c1ca2056babb58db50ebe8c5c7","08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2"]}],"Resources":["https://www.virustotal.com/gui/file/2f08e2316a38da2d39d31131a0e3314024ab80756050624afafc1e17b0562d5e/details"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/microsoft/external/msimg32.html"},{"Name":"mspgimme.dll","Author":"Josh Allman","Created":"2025-03-27","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Common Files\\Microsoft Shared\\MODI\\11.0"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Common Files\\Microsoft Shared\\MODI\\11.0\\MSPSCAN.EXE","Type":"Sideloading","SHA256":["99f193b6479bfa3e127c9c7209716ae0adbf0d782d51fb0faff016544dd70819"]}],"Resources":null,"Acknowledgements":[{"Name":"Josh Allman","Twitter":"@xorjosh","Company":"Huntress"},{"Name":"Jamie Dumas","Twitter":"@encapsulateJ","Company":"Huntress"},{"Name":"Jevon Ang","Twitter":"@Jev_3ng","Company":"Huntress"}],"url":"https://hijacklibs.net/entries/microsoft/external/mspgimme.html"},{"Name":"outllib.dll","Author":"Wietze Beukema","Created":"2022-06-13","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Microsoft Office\\OFFICE%VERSION%","%PROGRAMFILES%\\Microsoft Office\\Root\\OFFICE%VERSION%","%PROGRAMFILES%\\Microsoft Office %VERSION%\\ClientX86\\Root\\Office%VERSION%","%PROGRAMFILES%\\Microsoft Office %VERSION%\\ClientX64\\Root\\Office%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Microsoft Office\\OFFICE%VERSION%\\outlook.exe","Type":"Sideloading"},{"Path":"%PROGRAMFILES%\\Microsoft 
Office\\Root\\OFFICE%VERSION%\\outlook.exe","Type":"Sideloading"},{"Path":"%PROGRAMFILES%\\Microsoft Office %VERSION%\\ClientX86\\Root\\Office%VERSION%\\outlook.exe","Type":"Sideloading"},{"Path":"%PROGRAMFILES%\\Microsoft Office %VERSION%\\ClientX64\\Root\\Office%VERSION%\\outlook.exe","Type":"Sideloading"}],"Resources":["https://medium.com/insomniacs/analysis-walkthrough-fun-clientrun-part-1-b2509344ebe6"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/external/outllib.html"},{"Name":"ppcore.dll","Author":"Swachchhanda Shrawan Poudel","Created":"2025-04-23","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Microsoft Office\\OFFICE%VERSION%","%PROGRAMFILES%\\Microsoft Office\\Root\\OFFICE%VERSION%","%PROGRAMFILES%\\Microsoft Office %VERSION%\\ClientX86\\Root\\Office%VERSION%","%PROGRAMFILES%\\Microsoft Office %VERSION%\\ClientX64\\Root\\Office%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Microsoft Office\\OFFICE%VERSION%\\Powerpnt.exe","Type":"Sideloading"},{"Path":"%PROGRAMFILES%\\Microsoft Office\\Root\\OFFICE%VERSION%\\Powerpnt.exe","Type":"Sideloading"},{"Path":"%PROGRAMFILES%\\Microsoft Office %VERSION%\\ClientX86\\Root\\Office%VERSION%\\Powerpnt.exe","Type":"Sideloading"},{"Path":"%PROGRAMFILES%\\Microsoft Office %VERSION%\\ClientX64\\Root\\Office%VERSION%\\Powerpnt.exe","Type":"Sideloading"}],"Resources":["https://research.checkpoint.com/2025/apt29-phishing-campaign/","https://www.virustotal.com/gui/file/d931078b63d94726d4be5dc1a00324275b53b935b77d3eed1712461f0c180164"],"Acknowledgements":[{"Name":"Swachchhanda Shrawan Poudel","Twitter":"@_swachchhanda_","Company":"Nextron Systems"}],"url":"https://hijacklibs.net/entries/microsoft/external/ppcore.html"},{"Name":"rcdll.dll","Author":"Gary Lobermier","Created":"2023-05-22","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Windows Kits\\10\\bin\\%VERSION%\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Windows 
Kits\\10\\bin\\%VERSION%\\%VERSION%\\rc.exe","Type":"Sideloading"}],"Resources":["https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/external/rcdll.html"},{"Name":"symsrv.dll","Author":"Gary Lobermier","Created":"2023-05-22","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Windows Kits\\10\\Debuggers\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Windows Kits\\10\\Debuggers\\%VERSION%\\symstore.exe","Type":"Sideloading"}],"Resources":["https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/external/symsrv.html"},{"Name":"tedutil.dll","Author":"Jai Minton - HuntressLabs","Created":"2024-04-15","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Microsoft SDKs\\Windows\\%VERSION%\\Bin"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Microsoft SDKs\\Windows\\%VERSION%\\Bin\\TopoEdit.exe","Type":"Sideloading","SHA256":["b874e5abdd7c008d47560fda4e84db893ac63c18c3a5a450d25f4e62ed8e8d8c"]}],"Resources":["https://asec.ahnlab.com/en/58319/","https://www.virustotal.com/gui/file/eb014e37fdcaf42c93f606058896ccb47eed56be5e1701c7b9744bac0003a8e8/details","https://learn.microsoft.com/en-us/windows/win32/medfound/topoedit-modules"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/microsoft/external/tedutil.html"},{"Name":"uxcore.dll","Author":"Jai Minton - HuntressLabs","Created":"2025-01-22","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\windows live\\installer"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\windows live\\installer\\Dashboard.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"Dashboard.exe","InternalName":"Dashboard.exe","FileDescription":"Windows Live installer client 
executable"}],"SHA256":["8cc871ee8760a4658189528b4a5d8afe9824f6a13faaf1fe7eb56f2a3ad2d04e"]}],"Resources":["https://www.virustotal.com/gui/file/016468b087cdbe5123189b68965cb65dc95ba1a59fc3ed32144b92d1274d13b6/relations","https://www.virustotal.com/gui/file/23c3fec8dc60c06caadecb31e2d770212e70faf0de866cb5878622f077d4fe2a"],"Acknowledgements":[{"Name":"Jai Minton","Company":"Huntress","Twitter":"@cyberrraiju"}],"url":"https://hijacklibs.net/entries/microsoft/external/uxcore.html"},{"Name":"windowsperformancerecorderui.dll","Author":"Gary Lobermier","Created":"2023-05-22","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\Windows Kits\\10\\Windows Performance Toolkit"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\Windows Kits\\10\\Windows Performance Toolkit\\WPRUI.exe","Type":"Sideloading","AutoElevate":true}],"Resources":["https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/"],"Acknowledgements":null,"url":"https://hijacklibs.net/entries/microsoft/external/windowsperformancerecorderui.html"},{"Name":"wmicodegen.dll","Author":"Swachchhanda Shrawan Poudel","Created":"2024-07-25","Vendor":"Microsoft","CVE":null,"ExpectedLocations":["%PROGRAMFILES%\\windows kits\\%VERSION%\\bin\\%VERSION%"],"VulnerableExecutables":[{"Path":"%PROGRAMFILES%\\windows kits\\%VERSION%\\bin\\%VERSION%\\convert-moftoprovider.exe","Type":"Sideloading","ExpectedVersionInformation":[{"OriginalFilename":"convert-moftoprovider.exe","FileDescription":"WMI V2 provider code generation tool"}],"SHA256":["0C14A5E99C861E3A393A78E23D85DA1AACD43AB29FE017EB56BABD3BF447DBFA"]}],"Resources":["https://securelist.com/apt41-in-africa/116986/"],"Acknowledgements":[{"Name":"Swachchhanda Shrawan Poudel","Company":"Nextron Systems","Twitter":"@_swachchhanda_"}],"url":"https://hijacklibs.net/entries/microsoft/external/wmicodegen.html"}]
