1 little known secret of sti_ci.dll
ATT&CK techniques detected
T1218.011 Rundll32
100%
“1 little known secret of sti_ci.dll In 2017 I posted about sideloading of sti_ci.dll. And it’s that DLL itself that executes the InstallWiaDevice installation command mentioned in that post… How? Via its export function called… InstallWiaDevice. It turns out that we can…”
T1218.010 Regsvr32
66%
“…x.dll regsvr32.exe /s photowiz.dll regsvr32.exe /s wiavusd.dll regsvr32.exe /s wiasf.ax Obviously, this creates a number of new possible lolbin opportunities. The only challenge is that since the rundll32.exe is executed from the system32 directory, the program will …”
Summary
In 2017 I posted about sideloading of sti_ci.dll. And it’s that DLL itself that executes the InstallWiaDevice installation command mentioned in that post… How? Via its export function called… InstallWiaDevice. It turns out that we can launch this API directly …