# DLL Hijack Locations
#
# Forensic artifact definition: a FILE source that collects a fixed list of
# library file names looked up directly under %windir% (not %windir%\System32).
#
# Why these paths matter to a responder: for a module that is not on the
# KnownDLLs list, the Windows loader searches the directory of the running
# executable before the system directory. A library with one of these names
# sitting directly in %windir% can therefore be loaded by a program that runs
# from %windir% instead of the copy the OS ships.
# NOTE(review): the list presumably reflects modules loaded by explorer.exe,
# which runs from %windir%; confirm against the referenced write-up.

name: DLLHijackLocations
# The doc text says "base Windows 7". Some names below (e.g. rarext.dll,
# 7-zip.dll, WinCDEmuContextMenu.dll, vmhgfs.dll) appear to belong to
# third-party software rather than Windows itself, so the collection host was
# probably not a bare install. TODO confirm.
doc: DLL search order hijacking locations collected from base Windows 7.
urls: ['https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html']
sources:
- type: FILE
  attributes:
    # Triage guidance for hits:
    #  - A file found at one of these paths is a lead, not a verdict. Check its
    #    signature, hash, timestamps and owner, and compare it with the copy
    #    of the same name in the system directory.
    #  - The list is static and Windows 7 specific (per the doc field); other
    #    Windows versions load different modules, so an empty result does not
    #    rule out search-order hijacking there or in other application
    #    directories.
    #  - Not every entry is a .dll: .cpl and .drv modules are included too.
    #  - Name case here will not always match the on-disk case.
    #    NOTE(review): assumes the collector matches paths
    #    case-insensitively; confirm for the collection tool in use.
    paths:
      - '%%environ_windir%%\EXPLORERFRAME.dll'
      - '%%environ_windir%%\DUser.dll'
      - '%%environ_windir%%\DUI70.dll'
      - '%%environ_windir%%\UxTheme.dll'
      - '%%environ_windir%%\POWRPROF.dll'
      - '%%environ_windir%%\dwmapi.dll'
      - '%%environ_windir%%\slc.dll'
      - '%%environ_windir%%\gdiplus.dll'
      - '%%environ_windir%%\Secur32.dll'
      - '%%environ_windir%%\SSPICLI.dll'
      - '%%environ_windir%%\PROPSYS.dll'
      - '%%environ_windir%%\WINSTA.dll'
      - '%%environ_windir%%\CRYPTBASE.dll'
      - '%%environ_windir%%\WindowsCodecs.dll'
      - '%%environ_windir%%\profapi.dll'
      - '%%environ_windir%%\apphelp.dll'
      - '%%environ_windir%%\EhStorShell.dll'
      - '%%environ_windir%%\cscui.dll'
      - '%%environ_windir%%\CSCDLL.dll'
      - '%%environ_windir%%\CSCAPI.dll'
      - '%%environ_windir%%\ntshrui.dll'
      - '%%environ_windir%%\srvcli.dll'
      - '%%environ_windir%%\IconCodecService.dll'
      - '%%environ_windir%%\CRYPTSP.dll'
      - '%%environ_windir%%\rsaenh.dll'
      - '%%environ_windir%%\RpcRtRemote.dll'
      - '%%environ_windir%%\SndVolSSO.dll'
      - '%%environ_windir%%\HID.dll'
      - '%%environ_windir%%\MMDevApi.dll'
      - '%%environ_windir%%\timedate.cpl'
      - '%%environ_windir%%\ATL.dll'
      - '%%environ_windir%%\actxprxy.dll'
      - '%%environ_windir%%\ntmarta.dll'
      - '%%environ_windir%%\shdocvw.dll'
      - '%%environ_windir%%\LINKINFO.dll'
      - '%%environ_windir%%\USERENV.dll'
      - '%%environ_windir%%\shacct.dll'
      - '%%environ_windir%%\gameux.dll'
      - '%%environ_windir%%\XmlLite.dll'
      - '%%environ_windir%%\wer.dll'
      - '%%environ_windir%%\SAMLIB.dll'
      - '%%environ_windir%%\msls31.dll'
      - '%%environ_windir%%\tiptsf.dll'
      - '%%environ_windir%%\authui.dll'
      - '%%environ_windir%%\CRYPTUI.dll'
      - '%%environ_windir%%\msiltcfg.dll'
      - '%%environ_windir%%\VERSION.dll'
      - '%%environ_windir%%\msi.dll'
      - '%%environ_windir%%\NetworkExplorer.dll'
      - '%%environ_windir%%\WINMM.dll'
      - '%%environ_windir%%\wdmaud.drv'
      - '%%environ_windir%%\ksuser.dll'
      - '%%environ_windir%%\AVRT.dll'
      - '%%environ_windir%%\AUDIOSES.dll'
      - '%%environ_windir%%\msacm32.drv'
      - '%%environ_windir%%\MSACM32.dll'
      - '%%environ_windir%%\midimap.dll'
      - '%%environ_windir%%\netutils.dll'
      - '%%environ_windir%%\stobject.dll'
      - '%%environ_windir%%\BatMeter.dll'
      - '%%environ_windir%%\WTSAPI32.dll'
      - '%%environ_windir%%\es.dll'
      - '%%environ_windir%%\prnfldr.dll'
      - '%%environ_windir%%\WINSPOOL.DRV'
      - '%%environ_windir%%\dxp.dll'
      - '%%environ_windir%%\Syncreg.dll'
      - '%%environ_windir%%\netshell.dll'
      - '%%environ_windir%%\IPHLPAPI.dll'
      - '%%environ_windir%%\WINNSI.dll'
      - '%%environ_windir%%\nlaapi.dll'
      - '%%environ_windir%%\AltTab.dll'
      - '%%environ_windir%%\pnidui.dll'
      - '%%environ_windir%%\QUtil.dll'
      - '%%environ_windir%%\wevtapi.dll'
      - '%%environ_windir%%\dhcpcsvc6.dll'
      - '%%environ_windir%%\dhcpcsvc.dll'
      - '%%environ_windir%%\credssp.dll'
      - '%%environ_windir%%\npmproxy.dll'
      - '%%environ_windir%%\cscobj.dll'
      - '%%environ_windir%%\Wlanapi.dll'
      - '%%environ_windir%%\wlanutil.dll'
      - '%%environ_windir%%\wwanapi.dll'
      - '%%environ_windir%%\wwapi.dll'
      - '%%environ_windir%%\QAgent.dll'
      - '%%environ_windir%%\srchadmin.dll'
      - '%%environ_windir%%\mssprxy.dll'
      - '%%environ_windir%%\bthprops.cpl'
      - '%%environ_windir%%\ieframe.dll'
      - '%%environ_windir%%\OLEACC.dll'
      - '%%environ_windir%%\SyncCenter.dll'
      - '%%environ_windir%%\Actioncenter.dll'
      - '%%environ_windir%%\imapi2.dll'
      - '%%environ_windir%%\SXS.dll'
      - '%%environ_windir%%\hgcpl.dll'
      - '%%environ_windir%%\provsvc.dll'
      - '%%environ_windir%%\wkscli.dll'
      - '%%environ_windir%%\fxsst.dll'
      - '%%environ_windir%%\FXSAPI.dll'
      - '%%environ_windir%%\FXSRESM.dll'
      - '%%environ_windir%%\ieproxy.dll'
      - '%%environ_windir%%\thumbcache.dll'
      - '%%environ_windir%%\rasadhlp.dll'
      - '%%environ_windir%%\MPR.dll'
      - '%%environ_windir%%\vmhgfs.dll'
      - '%%environ_windir%%\drprov.dll'
      - '%%environ_windir%%\ntlanman.dll'
      - '%%environ_windir%%\davclnt.dll'
      - '%%environ_windir%%\DAVHLPR.dll'
      - '%%environ_windir%%\StructuredQuery.dll'
      - '%%environ_windir%%\UIAnimation.dll'
      - '%%environ_windir%%\DEVRTL.dll'
      - '%%environ_windir%%\MLANG.dll'
      - '%%environ_windir%%\wscinterop.dll'
      - '%%environ_windir%%\WSCAPI.dll'
      - '%%environ_windir%%\wscui.cpl'
      - '%%environ_windir%%\werconcpl.dll'
      - '%%environ_windir%%\framedynos.dll'
      - '%%environ_windir%%\wercplsupport.dll'
      - '%%environ_windir%%\msxml6.dll'
      - '%%environ_windir%%\hcproviders.dll'
      - '%%environ_windir%%\zipfldr.dll'
      - '%%environ_windir%%\rarext.dll'
      - '%%environ_windir%%\7-zip.dll'
      - '%%environ_windir%%\twext.dll'
      - '%%environ_windir%%\WinCDEmuContextMenu.dll'
      - '%%environ_windir%%\syncui.dll'
      - '%%environ_windir%%\SYNCENG.dll'
      - '%%environ_windir%%\shlext010.dll'
      - '%%environ_windir%%\ATL90.dll'
      - '%%environ_windir%%\acppage.dll'
      - '%%environ_windir%%\sfc.dll'
      - '%%environ_windir%%\sfc_os.dll'
      - '%%environ_windir%%\dsrole.dll'
      - '%%environ_windir%%\ACLUI.dll'
      - '%%environ_windir%%\NTDSAPI.dll'
      - '%%environ_windir%%\PhotoBase.dll'
      - '%%environ_windir%%\sbdrop.dll'
      - '%%environ_windir%%\tquery.dll'
      - '%%environ_windir%%\EhStorAPI.dll'
      - '%%environ_windir%%\SearchFolder.dll'
      - '%%environ_windir%%\NaturalLanguage6.dll'
      - '%%environ_windir%%\NLSData0009.dll'
      - '%%environ_windir%%\NLSLexicons0009.dll'
      - '%%environ_windir%%\MsftEdit.dll'
      - '%%environ_windir%%\dnsapi.dll'
      - '%%environ_windir%%\RASAPI32.dll'
      - '%%environ_windir%%\rasman.dll'
      - '%%environ_windir%%\rtutils.dll'
      - '%%environ_windir%%\sensapi.dll'
    # Path separator used in the entries above. Inside YAML single quotes a
    # backslash is literal, so no escaping is needed here or in the paths.
    separator: '\'
supported_os: [Windows]