Suspicious
Unsigned game-cheat utility flagged by 2 tier-1 engines on weak consensus; MPRESS packer, no malicious behaviour, medium prevalence.
e28a94ef47cc5fa489…6e34891269The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The sample presents a mixed-signal profile. Two tier-1 engines (Sophos, Symantec) flagged it, but only Sophos names a specific family ('GameHack'), and Symantec uses a generic ML confidence label. The tier-1 family consensus is not strong (1 engine). Critically, the behaviour analysis shows zero offensive MITRE techniques, no malicious sandbox verdicts, and no contact with malicious hosts — inconsistent with active malware. The PE analysis reveals MPRESS packer sections, a legitimate compression tool, and the community YARA rule from Nextron THOR confirms detection of the packer itself, not a malware-specific signature. Prevalence is medium (44 submissions over 1737 days), suggesting a known commodity rather than a novel threat. The unsigned status and obfuscated filename are consistent with game-mod distribution, not adversarial impersonation. The balance of evidence suggests a flagged-but-benign game-cheat utility rather than malware.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
tier1Malicious=2 but tier1FamilyConsensus.strong=false (only 1 engine naming 'gamehack'); Sophos flags 'GameHack (PUA)', Symantec uses generic 'ML.Attribute.HighConfidence'
signing.verified=false, unsigned; no signer history to corroborate legitimacy
behaviour.offensiveCount=0, no malicious sandbox verdicts, no contacted malicious hosts — clean runtime profile
PE sections show MPRESS packer (legitimate compression tool); community YARA rule 'SUSP_MPRESS_EXE_Packer' from Nextron THOR confirms packer detection, not malware-specific signature
prevalence='medium' (44 submissions, 39 sources over 1737 days); no external-intel hits (CIRCL, MalwareBazaar, YARAify all negative)
- Zero offensive MITRE techniques; only obfuscation (T1027.002) detected
- No malicious sandbox verdicts, no contacted malicious hosts, no dropped malicious children
- Medium prevalence (44 submissions, 39 sources) — known commodity, not novel threat
- No external-intelligence corroboration (CIRCL, MalwareBazaar, YARAify all negative)
- Community YARA rule confirms MPRESS packer detection, not malware-specific signature
- Unsigned executable — no publisher identity verification
- Weak tier-1 consensus (1 engine) on 'gamehack' family; split between PUA and generic ML labels
- MPRESS packer present — legitimate compression tool but sometimes used by malware authors
- Obfuscated filename — consistent with game-mod distribution but also used by adversaries
- No malicious behaviour observed in sandbox or runtime analysis
Treat this file as a likely game-cheat or game-modification utility rather than active malware, but do not execute it on systems with sensitive data. If you are uncertain of its origin or intent, isolate it and consult your security team before running it.
gamehack corroborated by 2 sources
- VT (76 engines)gamehack
- MT AI Enginegamehack
9 detections across 76 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name
- sgwc2v139421+10tr.exe
- Size
- 2.18 MB
- MIME type
- (unknown)
- Detected type
- Win32 EXE
- SHA-256
- e28a94ef47cc5fa489b0f2203c7a3dac1f01e2b7ede139d0a121566e34891269
- MD5
- 03c05e959fcbfb61fbdcf684af45b74b
- SHA-1
- 51394e2cf7f74f8f7c67469c4fdfd4253fc1a553
- PE imphash
- f0881026584e9f3cb2511b460a230f2f
- First seen (VT)
- 10/6/2021, 2:10:48 AM
- Last analysis (VT)
- 4/25/2025, 8:48:39 AM
- First scan (MalwareTips)
- 7/9/2026, 12:20:53 AM
- Last scan (MalwareTips)
- 7/9/2026, 12:20:53 AM
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.