– A legit signed vscapi.dll can be loaded from a non-standard path if an attacker places their own vscapi.dll in the same folder as a vulnerable application that searches the current directory before system paths. Example: placing a malicious vscapi.dll next to winword.exe in a network share.