File verdict·Decided by the MT AI Engine
Our call

Suspicious

Unsigned game-cheat utility flagged by 2 tier-1 engines on weak consensus; MPRESS packer, no malicious behaviour, medium prevalence.

gamehack
Trust score52Caution
MT AI confidence · 62%
sgwc2v139421+10tr.exe
2.2 MB
e28a94ef47cc5fa4896e34891269
Antivirus engines
9 of 76 flagged
Code signing
Unsigned
Age
First seen 5y ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

62%Confidence
Moderate
Reasoning

The sample presents a mixed-signal profile. Two tier-1 engines (Sophos, Symantec) flagged it, but only Sophos names a specific family ('GameHack'), and Symantec uses a generic ML confidence label. The tier-1 family consensus is not strong (1 engine). Critically, the behaviour analysis shows zero offensive MITRE techniques, no malicious sandbox verdicts, and no contact with malicious hosts — inconsistent with active malware. The PE analysis reveals MPRESS packer sections, a legitimate compression tool, and the community YARA rule from Nextron THOR confirms detection of the packer itself, not a malware-specific signature. Prevalence is medium (44 submissions over 1737 days), suggesting a known commodity rather than a novel threat. The unsigned status and obfuscated filename are consistent with game-mod distribution, not adversarial impersonation. The balance of evidence suggests a flagged-but-benign game-cheat utility rather than malware.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. tier1Malicious=2 but tier1FamilyConsensus.strong=false (only 1 engine naming 'gamehack'); Sophos flags 'GameHack (PUA)', Symantec uses generic 'ML.Attribute.HighConfidence'

  2. signing.verified=false, unsigned; no signer history to corroborate legitimacy

  3. behaviour.offensiveCount=0, no malicious sandbox verdicts, no contacted malicious hosts — clean runtime profile

  4. PE sections show MPRESS packer (legitimate compression tool); community YARA rule 'SUSP_MPRESS_EXE_Packer' from Nextron THOR confirms packer detection, not malware-specific signature

  5. prevalence='medium' (44 submissions, 39 sources over 1737 days); no external-intel hits (CIRCL, MalwareBazaar, YARAify all negative)

Points in its favour
  • Zero offensive MITRE techniques; only obfuscation (T1027.002) detected
  • No malicious sandbox verdicts, no contacted malicious hosts, no dropped malicious children
  • Medium prevalence (44 submissions, 39 sources) — known commodity, not novel threat
  • No external-intelligence corroboration (CIRCL, MalwareBazaar, YARAify all negative)
  • Community YARA rule confirms MPRESS packer detection, not malware-specific signature
Points against
  • Unsigned executable — no publisher identity verification
  • Weak tier-1 consensus (1 engine) on 'gamehack' family; split between PUA and generic ML labels
  • MPRESS packer present — legitimate compression tool but sometimes used by malware authors
  • Obfuscated filename — consistent with game-mod distribution but also used by adversaries
  • No malicious behaviour observed in sandbox or runtime analysis
What to do

Treat this file as a likely game-cheat or game-modification utility rather than active malware, but do not execute it on systems with sensitive data. If you are uncertain of its origin or intent, isolate it and consult your security team before running it.

Threat family attribution

gamehack corroborated by 2 sources

  • VT (76 engines)
    gamehack
  • MT AI Engine
    gamehack
No researcher-database hits
External threat-intel sources were not collected for this scan.
Antivirus engine breakdown

9 detections across 76 engines

9 malicious0 suspicious67 clean
Tier-118 engines
2flag
Top commercial AVs (low FP rate)
Tier-240 engines
4flag
Mainstream engines with mixed FP rates
Low-trust18 engines
3flag
Heuristic / generic-AI engines (high FP rate)
AhnLab-V3
malicious
Unwanted/Win.GameCheat.C5198950
Bkav
malicious
W64.AIDetectMalware
DeepInstinct
malicious
MALICIOUS
Google
malicious
Detected
Gridinsoft
malicious
Hack.Win64.GameHack.cl
Sophos
malicious
GameHack (PUA)
Symantec
malicious
ML.Attribute.HighConfidence
Trapmine
malicious
suspicious.low.ml.score
Varist
malicious
W64/GameHack.AW.gen!Eldorado
Hash e28a94ef47cc… cross-referenced against 76 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Unpacked
Section entropy3 sections
.MPRESS1
8.00
.MPRESS2
5.44
.rsrc
5.47
0.0Packed threshold 7.28.0
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
Unique uploaders
39
Moderate upload volume.
Total submissions
44
Includes repeat uploads by the same source.
First seen by VT
5y ago
Oct 6, 2021
Prevalence quadrant
Rare · New
Targeted malware lives here
Common · New
Just-released software
Rare · Old
Niche or internal tooling
Common · Old
Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
10/6/2021, 2:10:48 AM
First seen (MalwareBazaar)
Last analysis (VT)
4/25/2025, 8:48:39 AM
Scanned here
7/9/2026, 12:20:53 AM
File name
sgwc2v139421+10tr.exe
Size
2.18 MB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
e28a94ef47cc5fa489b0f2203c7a3dac1f01e2b7ede139d0a121566e34891269
MD5
03c05e959fcbfb61fbdcf684af45b74b
SHA-1
51394e2cf7f74f8f7c67469c4fdfd4253fc1a553
PE imphash
f0881026584e9f3cb2511b460a230f2f
First seen (VT)
10/6/2021, 2:10:48 AM
Last analysis (VT)
4/25/2025, 8:48:39 AM
First scan (MalwareTips)
7/9/2026, 12:20:53 AM
Last scan (MalwareTips)
7/9/2026, 12:20:53 AM
Behavior tags
corrupt64bitspeexe
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…
Loading reports…
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.