Installing “.NET Core” modifies a registry path value that Local System uses when various default Microsoft services start automatically, which allows going from a user to SYSTEM persistence.
Path: Computer\HKEY_USERS\.DEFAULT\Environment or hku\.default\Environment
This post explains what the “user” .DEFAULT is: https://devblogs.microsoft.com/oldnewthing/20070302-00/?p=27783
When a Local System service runs and sees the environment variable %USERPROFILE%, it knows to navigate to “c:\windows\system32\config\systemprofile\”. Because the path was changed after installing the .NET SDK, the Local System service ends up searching for a missing DLL under the user-writable path “C:\users\kool\Appdata\Local\Microsoft\WindowsApps\”.
The path that gets called by different local system services on bootup is
Two example services that call this DLL on boot:
Before adding the malicious DLL (svchost.exe tries to QueryOpen and CreateFile a DLL that is not there)
Added the malicious DLL to the user-writable path
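
A defender-side check for the condition described above, as an added PowerShell example that is not part of the original write-up: it reads the unexpanded Path value from HKU\.DEFAULT\Environment, resolves %USERPROFILE% the way the text says a Local System service does, and reports directories that are missing or writable by a non-administrative principal. The trusted-principal list (English account names) and the write-rights mask are assumptions of this example.

```powershell
# Added example: audit the PATH that LocalSystem services inherit from
# HKU\.DEFAULT\Environment and flag directories where a DLL could be planted.
$key = 'Registry::HKEY_USERS\.DEFAULT\Environment'
$raw = (Get-Item -LiteralPath $key).GetValue(
    'Path', '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

# Assumption: principals that may hold write access without being reported.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller')

# Assumption: rights that allow creating a file in a directory:
# CreateFiles (0x2), GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$writeBits = 0x2 -bor 0x10000000 -bor 0x40000000

# %USERPROFILE% is resolved to the system profile, not the auditor's profile.
# Other variables are expanded in the context of whoever runs this script.
$sysProfile = Join-Path $env:SystemRoot 'System32\config\systemprofile'
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$findings = foreach ($entry in ($raw -split ';' | Where-Object { $_.Trim() })) {
    $dir = [Environment]::ExpandEnvironmentVariables(
        ($entry.Trim() -replace '%USERPROFILE%', $sysProfile))

    # A PATH entry that does not exist can be created by whoever controls its parent.
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        [pscustomobject]@{ Directory = $dir; Issue = 'missing directory'; Principal = '' }
        continue
    }

    foreach ($rule in (Get-Acl -LiteralPath $dir).Access) {
        # Skip deny ACEs and ACEs that apply only to children, not the directory.
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.PropagationFlags.HasFlag($inheritOnly)) { continue }
        if ($trusted -contains $rule.IdentityReference.Value) { continue }

        if (([int]$rule.FileSystemRights -band $writeBits) -ne 0) {
            [pscustomobject]@{
                Directory = $dir
                Issue     = 'writable by non-admin principal'
                Principal = $rule.IdentityReference.Value
            }
        }
    }
}

$findings | Sort-Object Directory, Principal | Format-Table -AutoSize
```

Any row that names a directory under a user profile, such as the WindowsApps path shown above, means that entry should be removed from the Path value under HKU\.DEFAULT\Environment.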