Hi @ll, quite some utilities offered for free by Kaspersky Lab load and execute rogue/bogus DLLs (UXTheme.dll, HNetCfg.dll, RichEd20.dll, RASAdHlp.dll, SetupAPI.dll, ClbCatQ.dll, XPSP2Res.dll, CryptNet.dll, OLEAcc.dll etc.) eventually found in the directory they are started from (the "application directory"). For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see , and for "prior art" about this well-known and well-documented vulnerability. If one of the DLLs named above gets planted in the user's "Downloads" directory per "drive-by download" or "social engineering" this vulnerability becomes a remote code execution. Due to the application manifest embedded in some of the executables which specifies "requireAdministrator" or the installer detection of Windows' user account control theses installers/self-extractors are started with administrative privileges ("protected" administrators are prompted for consent, unprivileged standard users are prompted for an administrator password); execution of any hijacked DLL results in an escalation of privilege! See and plus and the still unfinished for more details and why executable installers (and self-extractors too) are bad and should be dumped. Kaspersky Lab published a security advisory 2015-12-23 after they made updated versions of their utilities available on stay tuned Stefan Kanthak # Iranian Exploit DataBase = http://IeDb.Ir [2016-01-11]