
Extensive library of System32 binary metadata to help threat hunters recognize malicious DLL behavior, masquerading, and more. One manifestation of that technique involves moving legit system binaries into unusual directories along with malicious dynamic link libraries (DLL), effectively gaming the natural DLL search order (more on this in a moment). Adversaries would frequently switch up the binaries they were abusing, subverting detection logic built around our expectations about those binaries, and resulting in a cat-and-mouse game.

redcanary.com/blog/system32-bi
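The hunting logic the post alludes to, as an added example that is not part of the original post or of Red Canary's metadata library: a small Python pass over Sysmon-style process-creation and image-load events that flags (a) a binary whose version-resource OriginalFileName says it ships in System32 but which is running from somewhere else, (b) a file that borrows a System32 name while its OriginalFileName disagrees, and (c) a DLL with a System32 name that resolved from the process's own directory, which is what a search-order hijack next to a relocated binary looks like. The binary and DLL name sets and the sample events are constructed stand-ins and do not describe any specific real-world hijack.

```python
import ntpath  # handles Windows paths on any host

# Directories Windows' own binaries and DLLs load from (lowercase for comparison).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed, deliberately small stand-in for a System32 metadata library:
# OriginalFileName values as recorded in each binary's version resource.
SYSTEM32_BINARIES = {"rundll32.exe", "dllhost.exe", "wermgr.exe", "control.exe"}
# DLL names that normally resolve from System32 (constructed sample, not a hijack list).
SYSTEM32_DLLS = {"version.dll", "wer.dll", "cryptsp.dll"}


def _in_system_dir(path):
    """True when the file's parent directory is one of the Windows system dirs."""
    return ntpath.dirname(path.lower()) in SYSTEM_DIRS


def hunt(events):
    """Return (finding_type, path) tuples for suspicious events, in input order."""
    findings = []
    for ev in events:
        if ev["event"] == "process_create":
            image = ev["image"].lower()
            name = ntpath.basename(image)
            ofn = ev.get("original_file_name", "").lower()
            if ofn in SYSTEM32_BINARIES and not _in_system_dir(image):
                # Genuine system binary copied out of System32 (stage for sideloading).
                findings.append(("relocated_system_binary", ev["image"]))
            elif name in SYSTEM32_BINARIES and ofn != name:
                # Borrowed system name, but the version resource tells a different story.
                findings.append(("name_masquerade", ev["image"]))
        elif ev["event"] == "image_load":
            loaded = ev["loaded"].lower()
            if ntpath.basename(loaded) in SYSTEM32_DLLS and not _in_system_dir(loaded):
                if ntpath.dirname(loaded) == ntpath.dirname(ev["image"].lower()):
                    # The loader searches the EXE's directory before System32, so a
                    # system-named DLL sitting beside the EXE wins: classic hijack.
                    findings.append(("dll_search_order_hijack", ev["loaded"]))
                else:
                    findings.append(("system_dll_from_unexpected_path", ev["loaded"]))
    return findings


# Constructed sample telemetry (field names modelled on Sysmon Image / OriginalFileName).
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "original_file_name": "RUNDLL32.EXE"},                       # benign
    {"event": "process_create", "image": r"C:\Users\Public\Libraries\wermgr.exe",
     "original_file_name": "WerMgr.exe"},                          # relocated binary
    {"event": "image_load", "image": r"C:\Users\Public\Libraries\wermgr.exe",
     "loaded": r"C:\Users\Public\Libraries\wer.dll"},              # DLL planted beside it
    {"event": "image_load", "image": r"C:\Users\Public\Libraries\wermgr.exe",
     "loaded": r"C:\Windows\System32\cryptsp.dll"},                # genuine DLL, benign
    {"event": "process_create", "image": r"C:\ProgramData\dllhost.exe",
     "original_file_name": "svc_helper.exe"},                      # name masquerade
]

if __name__ == "__main__":
    for kind, path in hunt(SAMPLE_EVENTS):
        print(f"{kind}: {path}")
```

Keying the first check on OriginalFileName rather than the on-disk name is what keeps it stable when adversaries rotate the binaries they abuse: the metadata travels with the file no matter where it is copied or what it is renamed to. Two caveats a practitioner would add: DLLs on the KnownDLLs list are always loaded from System32, so a planted copy of one of those is noise rather than a hijack, and the name sets here need to be replaced with the full metadata library for real hunting.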

nanao

Like the sun, machines never set.