How does the CLR backdoor technique hijack .NET programs without requiring administrator privileges?
The technique sets two environment variables for the current user via `wmic ENVIRONMENT` (`COR_ENABLE_PROFILING=1` and `COR_PROFILER` set to a chosen CLSID) and creates a registry key under `HKEY_CURRENT_USER\Software\Classes\CLSID\{CLSID}\InProcServer32` pointing to a malicious DLL. Because both changes live in the user's own environment and HKCU hive, no administrator rights are needed, and any .NET program that user subsequently launches (for example powershell.exe) loads the attacker's DLL as its CLR profiler. For more details, see Use CLR to maintain persistence.
Tags: CLR persistence, COR_ENABLE_PROFILING, environment variable persistence, registry persistence, .NET hijack