rlmp32wlve.dll

First submission 2023-03-16 10:05:10

File details

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size: 14135.0 KB (14474240 bytes)
Compile time: 2023-03-06 21:23:43
MD5: aa02006f20beeb7a075d7cc333b5de9d
SHA1: c9323badb179a3bb1485104f2fbd0573178d2ea1
SHA256: ec70a42d8ad7f3ec75d9d6cf4ae08618965f8c0bcf5fc2973617d0117bf73c57
Import Hash: 4d147297460e61fba7528ef681749c95
Sections (8): ]uO=c)J` ?[b%1i5N @-Awf[*$ 5S\zfVj9 BX!hs=P' 6le-4uf? d^;xd;Hr \'%'hu%y
Directories (4): relocation, resource, export, import
Virus Total: 24/68 VT report date: 2023-03-15 16:35:59

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://167.235.240.0/rlmp32wlve.dll 167.235.240.0 2023-03-16 10:05:10

PE Sections 6 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
]uO=c)J` 0x1000 0x21278 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
?[b%1i5N 0x23000 0xdd34 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
@-Awf[*$ 0x31000 0x1adc 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
5S\zfVj9 0x33000 0x726335 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
BX!hs=P' 0x75a000 0x4d0 1536 6ff84dedc23fe21fd858e09252c88b3a089ccabf 7d29e9748d3a431cd41774258a7bd7db
6le-4uf? 0x75b000 0xd836b0 14170112 8b0fe3da84e59d02f5a741d283c6159f0345bbc9 18a37cba46534cf417ca5c18c9382372
d^;xd;Hr 0x14df000 0x6ec 2048 5a7c9aa2ec8e6c867c2940b8b362ea51c5e0fd30 5c9efb39de8689dc3b88efdb7bbbc0f6
\'%'hu%y 0x14e0000 0x49059 299520 a3b347630d989bbaab4376edbbbaf15572b268ee fc9cf5d9d7088b0088c0786a4de6e90d

PE Resources 4

Name Language Sublanguage Offset Size Data
RT_ICON LANG_NEUTRAL SUBLANG_DEFAULT 0x15287b4 1128
RT_GROUP_ICON LANG_NEUTRAL SUBLANG_DEFAULT 0x1528c1c 118
RT_VERSION LANG_ENGLISH SUBLANG_ENGLISH_US 0x1528c94 820
RT_MANIFEST LANG_ENGLISH SUBLANG_ENGLISH_US 0x1528fc8 145

Meta infos 9

FileDescription: Custom actions that registers games in system
LegalCopyright: (c) Caphyon LTD. All rights reserved.
Translation: 0x0409 0x04b0
InternalName: GameUX.dll
ProductName: Advanced Installer
CompanyName: Caphyon LTD
FileVersion: 20.2.1.0
OriginalFilename: GameUX.dll
ProductVersion: 20.2.1.0

Strings analysis - File found

Executable
B?.SO
Library
USER32.dll
KERNEL32.dll
ADVAPI32.dll
WININET.dll
ClipperDLL.dll
gameux.dll

Import functions

PE Exports 1 suspicious

Function Address
Entry 0x100026d0