Malicious
Unsigned installer exhibiting process injection, credential dumping, and direct-IP C2 contact; imphash matches prior OfferCore verdicts.
6cddf04c16cc7dd018…c16b5f2714
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
This unsigned installer triggered three high/medium-severity heuristics: process injection (T1055), credential dumping (LSASS targeting), and direct-IP C2 contact without DNS resolution. While only Trapmine (low-trust) flagged it with a generic ML label, the sandbox-observed behaviour is concrete and offensive. Critically, our historical analysis of the same imphash (88016fcdef7f227c62171d0afad9aae4) shows 3 prior verdicts as 'malicious' OfferCore PUA, all signed by SOFTONIC and exhibiting similar injection/credential patterns. The 2 'suspicious' verdicts on the same imphash suggest borderline cases, but the malicious majority and consistent family naming strengthen the call. The direct-IP C2 contact (162.159.36.2, no domains) is a strong malware indicator because it bypasses reputation systems. No malicious children were confirmed, but the parent's offensive profile is sufficient.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines: 1/70 malicious (Trapmine, low-trust); tier1Malicious=0; label='suspicious.low.ml.score' (generic ML heuristic, no named family)
triggeredHeuristics: ProcessInjection (T1055), CredentialDumper (LSASS targeting), DirectIpC2 (contacted 162.159.36.2, zero DNS) — all high/medium severity
similarHashes: 3/5 prior verdicts 'malicious' (OfferCore family, imphash match); 2/5 'suspicious' — consistent malicious cluster on same imphash
behaviour: sandbox observed process injection into Explorer, LSASS credential access, direct-IP C2 contact; 10 dropped children (all unknown verdict, none confirmed malicious)
file: unsigned, 4 days old, medium prevalence (31 submitters); filename 'PlayTorrio-Windows-Setup.exe' matches installer pattern; no brand mismatch or adversarial input
- All 17 tier-1 antivirus engines reported clean
- No malicious children confirmed (10 dropped files all unknown verdict)
- No malicious sandbox verdict recorded
- No contacted hosts in our malicious cache
- Process injection into legitimate process (Explorer.exe) to evade AV hooks
- LSASS credential-store access (Mimikatz-shape behaviour)
- Direct-IP C2 contact (162.159.36.2) without DNS resolution
- Unsigned executable with no publisher history
- Imphash matches 3 prior OfferCore malicious verdicts
- Medium prevalence (31 submitters, 36 submissions) suggests active distribution
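The imphash match carries much of the weight above, so it is worth being precise about what it measures: an MD5 over the normalised, ordered list of `library.function` import tokens and nothing else. Every binary whose import table matches shares the hash, which is why installers built on the same setup stub cluster together regardless of what they carry; the page's own evidence (prior hits signed by SOFTONIC, this one unsigned) shows the match identifies the build toolchain more than the publisher. The following is an added example, not MalwareTips' or the sample's code: it reimplements the standard imphash normalisation (lower-case, strip `.dll`/`.ocx`/`.sys`, render unresolved ordinals as `ordN`) over constructed import lists and shows which changes do and do not alter the hash. Real implementations such as pefile additionally resolve well-known ordinals in `ws2_32`/`oleaut32` to names before hashing; that lookup table is omitted here.

```python
import hashlib

# Library-name extensions the imphash algorithm strips before hashing.
_STRIPPED_EXTS = ("dll", "ocx", "sys")


def normalise_import(dll: str, func) -> str:
    """Return the 'library.function' token that imphash hashes.

    dll  : library name as written in the import directory (any case, with extension)
    func : function name (str), or the export ordinal (int) for imports by ordinal
    """
    lib = dll.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in _STRIPPED_EXTS:
        lib = base
    # Unresolved ordinal imports are rendered as 'ordN'. Production tools (e.g. pefile)
    # first try to map well-known ws2_32/oleaut32 ordinals to names; not done here.
    name = func.lower() if isinstance(func, str) else f"ord{int(func)}"
    return f"{lib}.{name}"


def imphash(imports) -> str:
    """imports: iterable of (dll, func) pairs in import-table order. Order is part of the hash."""
    tokens = [normalise_import(dll, func) for dll, func in imports]
    return hashlib.md5(",".join(tokens).encode()).hexdigest()


def matches_cluster(imports, known_hashes) -> bool:
    """True when the sample's imphash appears in a set of hashes that already carry verdicts."""
    return imphash(imports) in known_hashes


# Constructed import table standing in for a generic installer stub (not taken from the sample).
STUB_IMPORTS = [
    ("KERNEL32.DLL", "CreateFileW"),
    ("KERNEL32.DLL", "WriteFile"),
    ("USER32.dll", "MessageBoxW"),
    ("ADVAPI32.dll", "RegSetValueExW"),
    ("COMCTL32.dll", 17),  # imported by ordinal
]


if __name__ == "__main__":
    stub = imphash(STUB_IMPORTS)
    # A second package built with the same stub, only the casing in the directory differs.
    same_stub = imphash([(dll.upper(), func) for dll, func in STUB_IMPORTS])
    # The same stub linked with one extra import: a different hash, same toolchain.
    extra_import = imphash(STUB_IMPORTS + [("ws2_32.dll", "connect")])
    print("stub:         ", stub)
    print("same stub:    ", same_stub, "(match)" if same_stub == stub else "(differs)")
    print("extra import: ", extra_import, "(match)" if extra_import == stub else "(differs)")
    print("in cluster:   ", matches_cluster(STUB_IMPORTS, {stub}))
```

Because the payload a stub unpacks never enters the hash, treat an imphash cluster as "same builder and import order" and confirm family membership with behaviour or signer evidence, as the verdict text above does.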
Block execution and quarantine. The combination of offensive heuristics (process injection, credential dumping, direct-IP C2), unsigned status, and imphash match to prior OfferCore verdicts indicates PUA/malware intent. If this file was downloaded and run on a host, assume credential compromise on that host and initiate incident response.
OfferCore corroborated by 1 source
- MT AI Engine: OfferCore
1 contradiction resolved by the scoring engine
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 162.159.36.2
- C:\Users\<USER>\AppData\Local\Temp\is-SMGRUC2QCT.tmp\PlayTorrio-1.4.0.tmp
- C:\Users\<USER>\AppData\Local\Temp\is-FBGZI5IRNO.tmp\_isetup\_setup64.tmp
- C:\Users\<USER>\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
- C:\Users\<USER>\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db
- C:\Users\<USER>\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
- C:\Users\<USER>\AppData\Local\Programs\PlayTorrio\is-J04K2UFBS0.tmp
- C:\Users\<USER>\AppData\Local\Programs\PlayTorrio\is-3MR3FZEJIM.tmp
- C:\Users\<USER>\AppData\Local\Programs\PlayTorrio\is-NFDA3Y2DUU.tmp
- C:\Users\<USER>\AppData\Local\Programs\PlayTorrio\is-AH8LRIGZR1.tmp
- C:\Users\<USER>\AppData\Local\Programs\PlayTorrio\is-ROZF3P0XNA.tmp
- cversions.3.m
- Global\OneSettingQueryMutex+compat+encapsulation
- \Sessions\1\BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
- \Sessions\1\BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
- \Sessions\1\BaseNamedObjects\Global\C::Users:user:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwWriterMutex
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- 2342b2ad1fc345be4ca8…915be8 (never scanned; never seen before)
- 0455d6b32e7d8c6e8f60…68c2ab (never scanned; never seen before)
- 56f9a69200863c2dcd2f…a65fd5 (never scanned; never seen before)
- b2590bd0692f0381fc45…c4eaac (never scanned; never seen before)
- d315c2cc92f610b48d16…cf2026 (never scanned; never seen before)
- 36687bd9d5a48f1f0799…c2ea29 (never scanned; never seen before)
- 3701a12b2456565cbec5…722a25 (never scanned; never seen before)
- 9baee42d66f715bba878…b40256 (never scanned; never seen before)
- e2051274a1d7599d131d…3d3b4b (never scanned; never seen before)
- 6666877419d4d46ef3d6…43954b (never scanned; never seen before)
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: C:\Windows\Explorer.EXE
Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
Evidence: C:\Windows\system32\lsass.exe
Sample contacted 1 external IP address and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists. Check the destination against published CDN and public-resolver ranges before weighting this signal: 162.159.0.0/16 is Cloudflare address space, so the IP by itself does not identify an operator.
Evidence: 162.159.36.2
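The DirectIpC2 rule above is simple to state but has two edge cases a detector must get right: connections to private, loopback or link-local addresses are not "direct IP contact", and a connection to a public address that a DNS answer earlier in the same trace explained is not either. The example below is added here and is not MalwareTips' rule engine; it runs the check over a constructed sandbox trace (the event shape, the `SHARED_INFRA` table and the `update.example.com` lookup are all assumptions for this example) and annotates any hit that lands in known shared infrastructure so an analyst sees the caveat alongside the finding.

```python
import ipaddress

# Illustrative shared-infrastructure table (an assumption for this example, not a live feed).
# Cloudflare publishes 162.158.0.0/15 among its IPv4 ranges; verify against the provider's
# current list before relying on it.
SHARED_INFRA = {
    ipaddress.ip_network("162.158.0.0/15"): "Cloudflare",
}


def shared_infra_label(ip):
    """Return the provider label if ip falls inside a known shared range, else None."""
    for net, label in SHARED_INFRA.items():
        if ip in net:
            return label
    return None


def direct_ip_contacts(events):
    """Flag connects to public IPs that no earlier DNS answer in the trace explained.

    events: list of dicts in trace order, either
      {"t": ..., "type": "dns", "qname": "...", "answers": ["a.b.c.d", ...]}
      {"t": ..., "type": "connect", "dst": "a.b.c.d", "port": n}
    A connect that precedes the DNS answer for its address is flagged on purpose:
    at the time it happened, nothing in the trace explained it.
    """
    resolved = set()
    findings = []
    for ev in events:
        if ev["type"] == "dns":
            resolved.update(ev.get("answers", []))
        elif ev["type"] == "connect":
            ip = ipaddress.ip_address(ev["dst"])
            if not ip.is_global:          # RFC1918, loopback, link-local, multicast, reserved
                continue
            if ev["dst"] in resolved:     # explained by a prior DNS answer
                continue
            findings.append({
                "dst": ev["dst"],
                "port": ev["port"],
                "shared_infra": shared_infra_label(ip),
            })
    return findings


def network_summary(events):
    """Roll the rule up the way the verdict text phrases it: how many domains were queried,
    which contacts were unexplained, and whether the sample used no DNS at all."""
    domains = {ev["qname"] for ev in events if ev["type"] == "dns"}
    findings = direct_ip_contacts(events)
    return {
        "domains_queried": len(domains),
        "direct_ip_contacts": findings,
        "dns_free": not domains and bool(findings),
    }


# Constructed trace: one internal connect, one DNS-explained connect, one unexplained connect.
MIXED_TRACE = [
    {"t": 0.10, "type": "connect", "dst": "10.0.0.2", "port": 445},
    {"t": 0.50, "type": "dns", "qname": "update.example.com", "answers": ["93.184.216.34"]},
    {"t": 0.60, "type": "connect", "dst": "93.184.216.34", "port": 443},
    {"t": 1.20, "type": "connect", "dst": "162.159.36.2", "port": 443},
]

# Constructed trace shaped like the page's observation: a single connect and no DNS at all.
PAGE_LIKE_TRACE = [
    {"t": 0.30, "type": "connect", "dst": "162.159.36.2", "port": 443},
]


if __name__ == "__main__":
    for label, trace in (("mixed", MIXED_TRACE), ("page-like", PAGE_LIKE_TRACE)):
        summary = network_summary(trace)
        print(label, "domains:", summary["domains_queried"], "dns_free:", summary["dns_free"])
        for f in summary["direct_ip_contacts"]:
            note = f" (shared infra: {f['shared_infra']})" if f["shared_infra"] else ""
            print("  direct IP contact", f["dst"], "port", f["port"], note)
```

The `shared_infra` annotation does not clear the finding; it tells the analyst that blocking or attributing on the address alone would be wrong, and that the next step is the TLS SNI, HTTP Host header or payload in the pcap.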
1 detection across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
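The entropy check behind this verdict walks the PE section table and measures how close each section's raw bytes are to uniformly random; compressed or encrypted sections sit near 8 bits per byte, ordinary compiled code well below it. The following is an added example and not the engine's own implementation: a minimal section-table parser plus the Shannon entropy calculation, run over a PE-shaped blob constructed in the block (it is not a loadable executable, and the 7.2 cut-off is an illustrative assumption, not a value from the page).

```python
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    h = -sum((c / n) * math.log2(c / n) for c in counts if c)
    return h if h > 0 else 0.0


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) per section header. Minimal parser: DOS header -> e_lfanew ->
    COFF header -> section table; it reads only what the entropy check needs."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]        # COFF.NumberOfSections
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]   # COFF.SizeOfOptionalHeader
    table = coff + 20 + size_of_optional
    for i in range(num_sections):
        off = table + 40 * i                                           # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        yield name, image[raw_ptr:raw_ptr + raw_size]


PACKED_THRESHOLD = 7.2  # illustrative cut-off (assumption); packed/encrypted data is usually above ~7


def section_entropy_report(image: bytes, threshold: float = PACKED_THRESHOLD):
    """One row per section with its size, entropy and a packed/encrypted flag."""
    report = []
    for name, data in pe_sections(image):
        h = shannon_entropy(data)
        report.append({
            "name": name,
            "size": len(data),
            "entropy": round(h, 3),
            "suspicious": len(data) > 0 and h >= threshold,
        })
    return report


def build_test_image(sections):
    """Assemble a PE-shaped blob (constructed for this example, not a loadable executable)
    from (name, data) pairs so the parser has deterministic input."""
    e_lfanew, size_of_optional = 0x40, 0xE0
    header_len = e_lfanew + 4 + 20 + size_of_optional + 40 * len(sections)
    first_raw = (header_len + 0x1FF) & ~0x1FF                    # 512-byte file alignment
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x10B)                   # PE32 magic
    table, body, ptr = bytearray(), bytearray(), first_raw
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    image = bytearray(dos + b"PE\0\0" + coff + optional + table)
    image += b"\0" * (first_raw - len(image))
    return bytes(image + body)


# Constructed sample: plain code-like bytes, a low-variety resource blob, and a packed-looking section.
SAMPLE_IMAGE = build_test_image([
    (".text", b"\x90" * 1024),          # constant bytes: entropy 0.0
    (".rsrc", b"ABCD" * 256),           # four symbols evenly spread: entropy 2.0
    ("UPX1", bytes(range(256)) * 4),    # every byte value equally often: entropy 8.0
])


if __name__ == "__main__":
    for row in section_entropy_report(SAMPLE_IMAGE):
        flag = "PACKED?" if row["suspicious"] else "ok"
        print(f'{row["name"]:<8} {row["size"]:>6} B  entropy={row["entropy"]:.3f}  {flag}')
```

A whole-file entropy number hides a packed section inside a large unpacked installer, which is why the check is run per section; an installer like this one legitimately carries a compressed payload, so a high-entropy data section alone is a prompt to unpack and look, not a verdict.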
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: PlayTorrio-Windows-Setup.exe
- Size: 33.53 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: 6cddf04c16cc7dd018335857755c83d72150da280c6e7993e30df1c16b5f2714
- MD5: 6248d2b523db4f529bc06e9210c3d355
- SHA-1: a0b059f71ca61d25e94bb60d013d197d13e64aa2
- PE imphash: 88016fcdef7f227c62171d0afad9aae4
- First seen (VT): 7/1/2026, 11:18:57 AM
- Last analysis (VT): 7/4/2026, 1:26:17 PM
- First scan (MalwareTips): 7/5/2026, 1:10:47 AM
- Last scan (MalwareTips): 7/5/2026, 1:10:47 AM
Reviews & malware reports (0)