I recently had to read over some malware reports and associated logs for a confirmed malware detection and subsequent infection of a Windows asset. [...] .dlls normally found in system32, e.g. cryptbase.dll. I know that in this specific instance this was definitely malware and the unpacking of the rogue .dlls was part of the malware's normal process.

I asked about this in chat and was told that the only real credible explanation for this behaviour would be malware (as it was in this instance) or very bad programming practice, and even in that case it is a scenario that is rare.

My question is twofold: is there a scenario where .dll files with the same name as standard system32 .dlls be found in a user's AppData folder for any reason other than malware or poor programming? [...] .dll files that are found in AppData and appear to be copies of .dll files in system32, as an indicator of compromise?

Since Microsoft has straightened the default permissions on the Program Files folder, many developers have turned to AppData as an alternative location for their code (Google Chrome, for instance, does this). The logic being that an application installed this way can be updated without requiring elevation or admin level access.