Malicious
22 engines flag this signed installer as OfferCore bundler with credential-theft and process-injection behaviour.
5cc02964795e405e5b…919ba434d8The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
Strong tier-1 consensus on the bundler family combined with multiple high-severity synthetic heuristics for credential theft and injection outweigh the verified signature. The file contacts 15 IPs directly without DNS and matches prior OfferCore imphashes that received malicious verdicts. YARAify community rules also fired on injection and TLS anomalies. While no malicious dropped children were found, the offensive MITRE techniques and rapid new-file prevalence indicate active distribution of a PUA bundler.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines.tier1FamilyConsensus.strong=true (bundler, 3 engines)
behaviour.offensiveTechniques includes T1055, T1555, T1003
similarHashes[0].verdict=malicious (ai:malware_family_offercore)
yaraify.ruleCount=7 with CP_Script_Inject_Detector
triggeredHeuristics: MalwareTips.Synth.BrowserCredentialTheft (high)
- File is Authenticode signed
- No malicious dropped children detected
- No known-malicious hosts contacted
- Tier-1 family consensus on OfferCore bundler
- Process injection and credential-theft MITRE techniques observed
- Direct-IP C2 with zero DNS usage
- 7 YARAify rules matched including injection detectors
- 3 prior imphash matches classified malicious for OfferCore
Block the hash and treat any installation as unwanted software; remove the file and monitor affected systems for credential theft indicators.
offercore corroborated by 3 sources
- 7 YARA rulesBorland, CP_Script_Inject_Detector, HUNTING_SUSP_TLS_SECTION
- VT (73 engines)offercore
- MT AI Engineoffercore
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 13.33.19.213
- 3.170.83.164
- 3.170.73.34
- 32.185.145.248
- 23.218.145.42
- 107.167.125.189
- 107.167.96.44
- 104.18.24.17
- 23.223.131.50
- 32.186.225.164
- http://statusd.digitalcertvalidation.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRNolijWxrE%2B4oss3hMFE8Heagz1AQU9VYiH9m%2Fa1kkUrDhas3A4Vdn6egCEAaV2Cvjf8%2BY2vZ6CGdVSuk%3D
- https://d1dj9aohuk02ls.cloudfront.net/o
- https://d3mq5i5bxc3hns.cloudfront.net/zbd
- https://d1dj9aohuk02ls.cloudfront.net/f/WebAdvisor/images/NEW/EN.png
- https://d1dj9aohuk02ls.cloudfront.net/f/RAV_Triple_NCB/images/DOTPS-855/EN.png
- https://d1dj9aohuk02ls.cloudfront.net/f/Opera_new/images/DPS-1954/EN.png
- C:\Users\<USER>\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\metadata
- C:\Users\<USER>\AppData\Local\Temp\is-D33HA1U7HA.tmp\CheatEngine77.tmp
- C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION
- C:\Users\<USER>\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
- C:\Users\<USER>\AppData\Local\Temp\is-LSVX8MQDDN.tmp\CheatEngine77.tmp
Files this sample writes at runtime
This file drops 2 children at runtime. None are currently flagged malicious in our cache.
- 07eea42af4d565d09ce6…d3da42Never scannednever seen before
- 0cced5aee76602d3fd7d…4e3b27Never scannednever seen before
Who this file talks to on the internet
This sample contacts 1 host we've verdicted suspicious in our own URL scanner.
1 corroborating signal from researcher-curated sources
- Borlandby malware-lu
- CP_Script_Inject_Detectorby DiegoAnalyticsDetects attempts to inject code into another process across PE, ELF, Mach-O binaries
- HUNTING_SUSP_TLS_SECTIONby chaosphereDetect PE files with .tls section that can be used for anti-debugging
- pe_detect_tls_callbacks
- PE_Digital_Certificateby albertzsigovits
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
- Borland
- CP_Script_Inject_Detector
- HUNTING_SUSP_TLS_SECTION
- pe_detect_tls_callbacks
- PE_Digital_Certificate
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
EvidenceC:\Windows\System32\svchost.exe -k NetworkService -pSandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
EvidenceC:\Windows\system32\lsass.exeSample accessed browser login databases (Chrome / Firefox / Edge / Opera) or a cryptocurrency wallet file. This is textbook infostealer behaviour — targeting saved passwords, cookies, or wallet keys.
EvidenceC:\Users\<USER>\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\metadataSample contacted 15 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence13.33.19.213 · 3.170.83.164 · 3.170.73.34
22 detections across 73 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Lots of people are uploading this but it's recent — typical of newly-released legitimate software. Low prior for malware.
Forensic fingerprint
- File name
- CheatEngine77.exe
- Size
- 6.56 MB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- 5cc02964795e405e5b5d762548541b46e19d880af4315b9abf8a42919ba434d8
- MD5
- 0de678b499f8fc64f1e8ed8682c5c754
- SHA-1
- b5612f82d10ced60dccc2e47e45fbe29e6ee298b
- PE imphash
- 88016fcdef7f227c62171d0afad9aae4
- First seen (VT)
- 7/8/2026, 8:52:04 AM
- Last analysis (VT)
- 7/8/2026, 11:34:07 AM
- First scan (MalwareTips)
- 7/9/2026, 10:36:49 PM
- Last scan (MalwareTips)
- 7/9/2026, 10:36:49 PM
- Code signer
- Plooto Incverified
- Community reputation
- -1flagged
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.