One Day Sec

How does DLL hijacking factor into this UAC bypass technique?

Once the auto-elevating executable (e.g., `winsat.exe`) runs, it searches for required DLLs in its own directory first. By placing a malicious DLL such as `VERSION.dll` in `c:\windows \system32\` (note the space after `windows`), the executable loads the attacker's DLL instead of the legitimate one from `c:\windows\system32`. This DLL hijack executes the payload with elevated privileges, effectively bypassing UAC. The same principle is used in the Office backdoor implemented using VSTO, where trusted applications load malicious components.
DLL hijacking, WINMM.dll, VERSION.dll, Process Monitor, payload
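A detection sketch for the trailing-space directory described above, added here as an example and not taken from the original page: it flags image-load events whose path resolves to a trusted system directory once whitespace is stripped from each directory component. The field names follow Sysmon Event ID 7 (`Image`, `ImageLoaded`); the sample events, the function names and the trusted-directory list are constructed assumptions.

```python
import ntpath

# Assumption: directories treated as trusted by this check (lower-case).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def imitates_trusted_dir(path):
    """True when a directory component is padded with whitespace and the
    path, with that padding stripped, lands in a trusted directory."""
    drive, rest = ntpath.splitdrive(path.replace("/", "\\"))
    parts = [p for p in rest.split("\\") if p]
    dir_parts = parts[:-1]  # drop the file name
    if not dir_parts or all(p == p.strip() for p in dir_parts):
        return False  # no padded component, nothing to imitate
    normalized = drive + "\\" + "\\".join(p.strip() for p in dir_parts)
    return normalized.lower() in TRUSTED_DIRS


def flag_events(events):
    """Return (Image, ImageLoaded, matching_fields) for suspicious events."""
    findings = []
    for ev in events:
        hits = [f for f in ("Image", "ImageLoaded")
                if imitates_trusted_dir(ev.get(f, ""))]
        if hits:
            findings.append((ev.get("Image"), ev.get("ImageLoaded"), hits))
    return findings


# Constructed sample events shaped like Sysmon Event ID 7 records.
SAMPLE_EVENTS = [
    {"Image": "c:\\windows \\system32\\winsat.exe",
     "ImageLoaded": "c:\\windows \\system32\\VERSION.dll"},
    {"Image": "C:\\Windows\\System32\\winsat.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
    {"Image": "C:\\Program Files\\App\\app.exe",
     "ImageLoaded": "C:\\Program Files\\App\\helper.dll"},
]

if __name__ == "__main__":
    for image, loaded, fields in flag_events(SAMPLE_EVENTS):
        print(f"ALERT padded trusted path in {fields}: {image!r} -> {loaded!r}")
```

Only the first sample event is flagged; `Program Files` is not, because its space is inside the component rather than at its edge.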
