The AppInit_DLLs feature in Windows provides a way to load custom DLLs into the address space of every interactive application. Once a DLL is loaded into the address space of any process, it can run within the context of that process and can hook well-known APIs to implement an alternate functionality. An attacker can achieve persistence for their malicious DLL by setting the AppInit_DLLs value in the following registry key. This value typically contains space or comma-delimited list of DLLs. All the DLLs specified here are loaded into every process that loads User32.dll. Since User32.dll is loaded by almost all of the processes, this technique enables the attacker to load their malicious DLL into most of the processes and ...