Malicious
Unsigned installer matching OfferCore bundler imphash; 3/5 prior verdicts malicious; exhibits process injection, data destruction, and direct-IP C2.
a092da5c6df6c6be43…7457824ac4

The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The low-trust-only flagging (Trapmine) would normally suggest a false positive, but the RAG grounding is decisive: the identical imphash (88016fcdef7f227c62171d0afad9aae4) has 3 prior malicious verdicts for OfferCore and 2 suspicious verdicts. This is not a coincidence. The behavioral profile — process injection, data destruction, privilege escalation, and direct-IP C2 without DNS — matches OfferCore's known payload. The file is an unsigned installer, consistent with OfferCore's distribution method of bundling with legitimate software. Tier-1 engines may not have OfferCore signatures, but the convergence of RAG history, behavioral techniques, and direct-IP C2 contact strongly indicates this is a known bundler.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- similarHashes shows 3/5 prior verdicts 'malicious' for imphash 88016fcdef7f227c62171d0afad9aae4 (matchKind=imphash), all OfferCore family
- Trapmine (low-trust) flagged 'suspicious.low.ml.score'; tier1Malicious=0 but tier1ReportedClean=14 — low-trust-only shape contradicted by RAG history
- behaviour: T1055 (Process Injection into Explorer.exe), T1485 (Data Destruction), T1548 (Privilege Escalation) + direct-IP C2 (104.26.10.81, 188.72.103.3) with zero DNS queries
- triggeredHeuristics: MalwareTips.Synth.ProcessInjection [high] and MalwareTips.Synth.DirectIpC2 [medium] both fired — process injection + no-DNS direct-IP are OfferCore hallmarks
- file: unsigned installer, filename 'LegacyLauncher.exe' matches legitimate TLauncher product but payload exhibits bundler + C2 behavior consistent with OfferCore
- Filename matches legitimate TLauncher product (decade-old Minecraft launcher)
- No malicious sandbox verdict recorded
- No malicious contacted hosts in our URL cache
- 10 dropped children inspected; none verdicted malicious (though all unknown)
- Process injection into legitimate system process (Explorer.exe) — technique used to evade detection
- Direct-IP C2 contact without DNS — bypasses domain-based reputation blocklists
- Data destruction technique (T1485) — ransomware-class capability
- Privilege escalation attempt (T1548) — indicates intent to gain elevated access
- Unsigned installer — no publisher accountability
- RAG history: 3/5 prior verdicts malicious for identical imphash
Block execution of this file. The convergence of RAG history (3/5 prior malicious verdicts for OfferCore), process injection, data destruction, and direct-IP C2 contact strongly indicates this is an OfferCore bundler installer. If you need a Minecraft launcher, use the official Mojang launcher or verified alternatives like PolyMC.
OfferCore corroborated by 1 source
- MT AI Engine: OfferCore
1 contradiction resolved by the scoring engine
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 104.26.10.81
- 188.72.103.3
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: C:\Windows\Explorer.EXE

Sample contacted 2 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

Evidence: 104.26.10.81 · 188.72.103.3
1 detection across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: LegacyLauncher.exe
- Size: 111.85 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: a092da5c6df6c6be4341846f43425006ee0da2ce96953cf98a4b947457824ac4
- MD5: 326cd698c88f262d42e83ba62036070b
- SHA-1: 9ea8a0630dc8570769afe39f5a56af3d17ec520d
- PE imphash: 88016fcdef7f227c62171d0afad9aae4
- First seen (VT): 5/13/2026, 5:37:17 PM
- Last analysis (VT): 7/5/2026, 4:47:17 AM
- First scan (MalwareTips): 7/5/2026, 5:15:51 AM
- Last scan (MalwareTips): 7/5/2026, 5:15:51 AM
- Community reputation: +2 (trusted)
Reviews & malware reports (0)