File verdict · Decided by the MT AI Engine
Our call

Malicious

Unsigned installer exhibiting process injection, credential dumping, and direct-IP C2 contact; imphash matches prior OfferCore verdicts.

OfferCore
Trust score 18 · High risk
MT AI confidence · 72%
PlayTorrio-Windows-Setup.exe
33.5 MB
6cddf04c16cc7dd018c16b5f2714
Antivirus engines
1 of 74 flagged
Code signing
Unsigned
Age
First seen 4 days ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence · 72% (High)
Reasoning

This unsigned installer triggered three high/medium-severity heuristics: process injection (T1055), credential dumping (LSASS targeting), and direct-IP C2 contact without DNS resolution. While only Trapmine (low-trust) flagged it with a generic ML label, the sandbox-observed behaviour is concrete and offensive. Critically, our historical analysis of the same imphash (88016fcdef7f227c62171d0afad9aae4) shows 3 prior verdicts as 'malicious' OfferCore PUA, all signed by SOFTONIC and exhibiting similar injection/credential patterns. The 2 'suspicious' verdicts on the same imphash suggest borderline cases, but the malicious majority and consistent family naming strengthen the call. The direct-IP C2 contact (162.159.36.2, no domains) is a strong malware indicator because it bypasses reputation systems. No malicious children were confirmed, but the parent's offensive profile is sufficient.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines: 1/70 malicious (Trapmine, low-trust); tier1Malicious=0; label='suspicious.low.ml.score' (generic ML heuristic, no named family)

  2. triggeredHeuristics: ProcessInjection (T1055), CredentialDumper (LSASS targeting), DirectIpC2 (contacted 162.159.36.2, zero DNS) — all high/medium severity

  3. similarHashes: 3/5 prior verdicts 'malicious' (OfferCore family, imphash match); 2/5 'suspicious' — consistent malicious cluster on same imphash

  4. behaviour: sandbox observed process injection into Explorer, LSASS credential access, direct-IP C2 contact; 10 dropped children (all unknown verdict, none confirmed malicious)

  5. file: unsigned, 4 days old, medium prevalence (31 submitters); filename 'PlayTorrio-Windows-Setup.exe' matches installer pattern; no brand mismatch or adversarial input

Points in its favour
  • All 17 tier-1 antivirus engines reported clean
  • No malicious children confirmed (10 dropped files all unknown verdict)
  • No malicious sandbox verdict recorded
  • No contacted hosts in our malicious cache
Points against
  • Process injection into legitimate process (Explorer.exe) to evade AV hooks
  • LSASS credential-store access (Mimikatz-shape behaviour)
  • Direct-IP C2 contact (162.159.36.2) without DNS resolution
  • Unsigned executable with no publisher history
  • Imphash matches 3 prior OfferCore malicious verdicts
  • Medium prevalence (31 submitters, 36 submissions) suggests active distribution
What to do

Block execution and quarantine. The combination of offensive heuristics (process injection, credential dumping, direct-IP C2), unsigned status, and imphash match to prior OfferCore verdicts indicates PUA/malware intent. If this file was downloaded, assume credential compromise and initiate incident response.

Threat family attribution

OfferCore corroborated by 1 source

  • MT AI Engine: OfferCore
Sources disagree

1 contradiction resolved by the scoring engine

Only low-trust / heuristic engines flagged this file
1 engine from the heuristic / generic-AI set flagged it. No tier-1 engine agreed.
Detection weight reduced in scoring.
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK · 10

Adversary techniques mapped to the MITRE ATT&CK framework.

T1027 · T1027.002 · T1033 · T1055 · T1070 · T1071 · T1082 · T1129 · T1485 · T1497
Spawned processes · 15
  • "C:\Users\<USER>\Desktop\PlayTorrio-1.4.0.exe"
  • "C:\Users\<USER>\AppData\Local\Temp\is-SMGRUC2QCT.tmp\PlayTorrio-1.4.0.tmp" /SL5="$2015C,33960956,840704,C:\Users\<USER>\Desktop\PlayTorrio-1.4.0.exe"
  • C:\Windows\Explorer.EXE
  • "C:\Users\<USER>\AppData\Local\Programs\PlayTorrio\PlayTorrio.exe"
  • C:\Windows\system32\services.exe
  • C:\Windows\System32\svchost.exe -k NetworkService -p
  • C:\Windows\system32\svchost.exe -k UnistackSvcGroup
  • C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
+7 more processes captured.
Network activity · 1
IP addresses · 1
  • 162.159.36.2
Filesystem & mutexes · 40
Files written · 15
  • C:\Users\<USER>\AppData\Local\Temp\is-SMGRUC2QCT.tmp\PlayTorrio-1.4.0.tmp
  • C:\Users\<USER>\AppData\Local\Temp\is-FBGZI5IRNO.tmp\_isetup\_setup64.tmp
  • C:\Users\<USER>\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
  • C:\Users\<USER>\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db
  • C:\Users\<USER>\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
+10 more
Files deleted · 15
  • C:\Users\<USER>\AppData\Local\Programs\PlayTorrio\is-J04K2UFBS0.tmp
  • C:\Users\<USER>\AppData\Local\Programs\PlayTorrio\is-3MR3FZEJIM.tmp
  • C:\Users\<USER>\AppData\Local\Programs\PlayTorrio\is-NFDA3Y2DUU.tmp
  • C:\Users\<USER>\AppData\Local\Programs\PlayTorrio\is-AH8LRIGZR1.tmp
  • C:\Users\<USER>\AppData\Local\Programs\PlayTorrio\is-ROZF3P0XNA.tmp
+10 more
Mutexes created · 10
  • cversions.3.m
  • Global\OneSettingQueryMutex+compat+encapsulation
  • \Sessions\1\BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
  • \Sessions\1\BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
  • \Sessions\1\BaseNamedObjects\Global\C::Users:user:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwWriterMutex
+5 more
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

Synthesis rules · 3
MITRE ATT&CK profile
Defense evasion × 1 · Cred access × 1 · C2 × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection · high

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    C:\Windows\Explorer.EXE
  • CredentialDumper · medium

    Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.

    Evidence
    C:\Windows\system32\lsass.exe
  • DirectIpC2 · medium

    Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    162.159.36.2
Antivirus engine breakdown

1 detection across 74 engines

1 malicious · 0 suspicious · 73 clean
Tier-1 · 17 engines · 0 flagged
Top commercial AVs (low FP rate)
Tier-2 · 38 engines · 0 flagged
Mainstream engines with mixed FP rates
Low-trust · 19 engines · 1 flagged
Heuristic / generic-AI engines (high FP rate)
  • Trapmine: malicious (suspicious.low.ml.score)
Hash 6cddf04c16cc… cross-referenced against 74 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Unpacked (entropy scale 0.0 to 8.00; packed threshold 7.2)
Section entropy · 10 sections
  • .text: 6.38
  • .itext: 6.04
  • .data: 5.18
  • .bss: 0.00
  • .idata: 4.82
  • .didata: 2.76
  • .edata: 1.34
  • .tls: 0.00
  • .rdata: 1.38
  • .reloc: 6.70
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
Unique uploaders
31
Moderate upload volume.
Total submissions
36
Includes repeat uploads by the same source.
First seen by VT
3d ago
Jul 1, 2026
Prevalence quadrant
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old: trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
7/1/2026, 11:18:57 AM
First seen (MalwareBazaar)
Last analysis (VT)
7/4/2026, 1:26:17 PM
Scanned here
7/5/2026, 1:10:47 AM
File name
PlayTorrio-Windows-Setup.exe
Size
33.53 MB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
6cddf04c16cc7dd018335857755c83d72150da280c6e7993e30df1c16b5f2714
MD5
6248d2b523db4f529bc06e9210c3d355
SHA-1
a0b059f71ca61d25e94bb60d013d197d13e64aa2
PE imphash
88016fcdef7f227c62171d0afad9aae4
First scan (MalwareTips)
7/5/2026, 1:10:47 AM
Last scan (MalwareTips)
7/5/2026, 1:10:47 AM
Behavior tags
peexe, overlay
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.