ritian zhao (@ritianzhao15) 's Twitter Profile
ritian zhao

@ritianzhao15

ID: 1321419990742962176

Joined: 28-10-2020 11:54:28

11 Tweets

2 Followers

325 Following

Jonas L (@jonaslyk):

This constellation makes c:\omgwtfbbq == C:\windows for everybody, but the user jonas, for him it resolves to c:\fake\windows. This is simplest POC setup, works also with files and any arb resolve paths. Also affects when service impersonates you.

freddy (@falsneg):

Some #lolbins [likely hw-related] call igc64.dll (Intel Graphics Shader Compiler for Intel(R) Graphics Accelerator), which then tries to LoadLibraryA on rasty_jitter64.dll (obviously from either CWD or %PATH%). Just export JitCreateCompilerData & run phoneactivate.exe toloadurdll

freddy (@falsneg):

another way to run your exe with an MS-signed #lolbin: wscollect & not-really-reg.exe set windir=C:\whatever and name your payload reg. make sure to have a mutex or some other way of handling multiple instances as %windir%\system32\reg.exe will likely be executed more than once.

¬ whickey (@notwhickey):

Have you ever considered Internet Explorer to be a #lolbin? By navigating to URI: `shell:::{3f6bc534-dfa1-4ab4-ae54-ef25a74e0107}` you can spawn `rstrui.exe` (System Restore). If you modify the `SystemRoot` environment variable and copy over DLLs you can run whatever you like.

zhassulan zhussupov (@cocomelonckz):

cocomelonc.github.io/malware/2023/0… used by Iranian #copykittens #apt in the wild #cybersec #cybersecurity #infosec #malware #malwaredev #malwareanalysis #hacking #redteam #blueteam #purpleteam #winapi #windows #programming #cpp #cybercrime #apt #research