The FlashUtil.dll (3.TMP) is trying to load system dll Msimg32.dll (GDIEXT Client DLL) without giving full path to it. 
					
										
																														 
					 
					 LoadLibraryW("Msimg32.dll") called from "3.TMP" at address 0x10012AE3.According to LoadLibrary API documented behavior it firstly looks for dlls in current directory. So Adobe loads rootkit dll on execution instead of system file.
Loaded "MSIMG32.DLL" at address 0x76350000. Successfully hooked module.
Ring0 - the source of inspiration
					 						
            
 
										

