Windows Defender or third-party AVs frequently flag custom game DLLs as “hacktool” or “PUA.”
No sample of Skyrim Maxsulframe.dll was provided, so based on the naming structure alone, a deep analysis would check for:

| Indicator | Suspicious | Benign |
| :--- | :--- | :--- |
| Exports (`dumpbin /exports`) | `Initialize`, `DllMain` spawning threads or writing to `AppData\Local\Temp`. | `SKSEPlugin_Query`, `SKSEPlugin_Load`. |
| Strings | URLs, IP addresses, `CreateRemoteThread`, `VirtualAllocEx`, `C:\Windows\System32\cmd.exe`. | `SkyrimSE.exe`, `Data\SKSE\Plugins`, `GetPluginVersion`. |
| Digital Signature | None or invalid (expected from amateurs) – but malware is often signed with stolen/expired certs. | Must be signed by Nexus Mods or mod author (almost never happens). |
| Import Table | `wininet.dll` (network), `advapi32.dll` (registry/process perms), `crypt32.dll`. | `Kernel32.dll`, `User32.dll` (only). |
| Entropy | High entropy (packed/compressed) – common for obfuscated malware. | Low/medium entropy – normal x86/x64 code. |
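
A first-pass version of the string and entropy checks from the table, as an added example that is not part of the original page. It scans raw bytes rather than parsing the PE export and import tables, so `dumpbin` is still needed to confirm those rows; the function names, the 7.2 bits/byte cut-off and the sample bytes are assumptions made for illustration.

```python
import math
import re
from collections import Counter

# Indicator lists copied from the table above; matching is case-insensitive.
SUSPICIOUS = [b"CreateRemoteThread", b"VirtualAllocEx", b"cmd.exe",
              b"wininet.dll", b"advapi32.dll", b"crypt32.dll",
              b"AppData\\Local\\Temp"]
BENIGN = [b"SKSEPlugin_Query", b"SKSEPlugin_Load", b"SkyrimSE.exe",
          b"Data\\SKSE\\Plugins", b"GetPluginVersion"]
URL_OR_IP = re.compile(rb"https?://[^\s\"']+|\b(?:\d{1,3}\.){3}\d{1,3}\b")
HIGH_ENTROPY = 7.2  # assumed cut-off in bits/byte; the page gives no number


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII runs plus UTF-16LE runs (common in Windows binaries)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ascii_runs + [w[::2] for w in wide_runs]


def triage(data: bytes) -> dict:
    """First-pass report; it does not parse the PE export/import tables."""
    strings = extract_strings(data)
    blob = b"\n".join(strings).lower()
    entropy = shannon_entropy(data)
    return {
        "suspicious": [s.decode() for s in SUSPICIOUS if s.lower() in blob],
        "benign": [s.decode() for s in BENIGN if s.lower() in blob],
        "network": [m.decode() for s in strings for m in URL_OR_IP.findall(s)],
        "entropy": round(entropy, 2),
        "packed_hint": entropy >= HIGH_ENTROPY,
    }


# Constructed sample bytes (not a real DLL): plugin exports plus one injection API.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 64 + b"SKSEPlugin_Query\x00SKSEPlugin_Load\x00"
          + b"KERNEL32.dll\x00VirtualAllocEx\x00\x00"
          + "http://203.0.113.7/update".encode("utf-16-le") + b"\x00\x00")
print(triage(SAMPLE))
```

For a file on disk, pass `open(path, "rb").read()` to `triage`. A hit in the suspicious list is a reason to look closer, not a verdict, since legitimate plugins can also reference these APIs.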

If found in a Skyrim installation, the legitimate (but rare) purposes could be: