File verdict · Decided by the MT AI Engine
Our call

Malicious

Unsigned installer matching OfferCore bundler imphash; 3/5 prior verdicts malicious; exhibits process injection, data destruction, and direct-IP C2.

OfferCore
Trust score 18 · High risk
MT AI confidence · 72%
LegacyLauncher.exe
111.9 MB
a092da5c6df6c6be437457824ac4
Antivirus engines
1 of 74 flagged
Code signing
Unsigned
Age
First seen 2mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence 72% · High
Reasoning

The low-trust-only flagging (Trapmine) would normally suggest a false positive, but the RAG grounding is decisive: the identical imphash (88016fcdef7f227c62171d0afad9aae4) has 3 prior malicious verdicts for OfferCore and 2 suspicious verdicts. This is not a coincidence. The behavioral profile — process injection, data destruction, privilege escalation, and direct-IP C2 without DNS — matches OfferCore's known payload. The file is an unsigned installer, consistent with OfferCore's distribution method of bundling with legitimate software. Tier-1 engines may not have OfferCore signatures, but the convergence of RAG history, behavioral techniques, and direct-IP C2 contact strongly indicates this is a known bundler.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. similarHashes shows 3/5 prior verdicts 'malicious' for imphash 88016fcdef7f227c62171d0afad9aae4 (matchKind=imphash), all OfferCore family

  2. Trapmine (low-trust) flagged 'suspicious.low.ml.score'; tier1Malicious=0 but tier1ReportedClean=14 — low-trust-only shape contradicted by RAG history

  3. behaviour: T1055 (Process Injection into Explorer.exe), T1485 (Data Destruction), T1548 (Privilege Escalation) + direct-IP C2 (104.26.10.81, 188.72.103.3) with zero DNS queries

  4. triggeredHeuristics: MalwareTips.Synth.ProcessInjection [high] and MalwareTips.Synth.DirectIpC2 [medium] both fired — process injection + no-DNS direct-IP are OfferCore hallmarks

  5. file: unsigned installer, filename 'LegacyLauncher.exe' matches legitimate TLauncher product but payload exhibits bundler + C2 behavior consistent with OfferCore

Points in its favour
  • Filename matches legitimate TLauncher product (decade-old Minecraft launcher)
  • No malicious sandbox verdict recorded
  • No malicious contacted hosts in our URL cache
  • 10 dropped children inspected; none verdicted malicious (though all unknown)
Points against
  • Process injection into legitimate system process (Explorer.exe) — technique used to evade detection
  • Direct-IP C2 contact without DNS — bypasses domain-based reputation blocklists
  • Data destruction technique (T1485) — ransomware-class capability
  • Privilege escalation attempt (T1548) — indicates intent to gain elevated access
  • Unsigned installer — no publisher accountability
  • RAG history: 3/5 prior verdicts malicious for identical imphash
What to do

Block execution of this file. The convergence of RAG history (3/5 prior malicious verdicts for OfferCore), process injection, data destruction, and direct-IP C2 contact strongly indicates this is an OfferCore bundler installer. If you need a Minecraft launcher, use the official Mojang launcher or verified alternatives like PolyMC.

Threat family attribution

OfferCore corroborated by 1 source

  • MT AI Engine
    OfferCore
Sources disagree

1 contradiction resolved by the scoring engine

Only low-trust / heuristic engines flagged this file
1 engine from the heuristic / generic-AI set flagged it. No tier-1 engine agreed.
Detection weight reduced in scoring.
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
22

Adversary techniques mapped to the MITRE ATT&CK framework.

T1033, T1036, T1047, T1055, T1059, T1070, T1071, T1074, T1082, T1105, T1106, T1112, T1129, T1485, T1497, T1518, T1548, T1562, T1564, T1564.003, T1568, T1574
Spawned processes
11
  • C:\Windows\system32\services.exe
  • "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
  • "C:\Users\<USER>\Desktop\LegacyLauncher.exe"
  • "C:\Users\<USER>\AppData\Local\Temp\is-H3WOZGZMG3.tmp\LegacyLauncher.tmp" /SL5="$12003E,115006833,1320448,C:\Users\<USER>\Desktop\LegacyLauncher.exe"
  • C:\Windows\Explorer.EXE
  • "C:\Users\<USER>\AppData\Roaming\.tlauncher\legacy\Minecraft\LL.exe"
  • C:\Users\<USER>\AppData\Roaming\.tlauncher\legacy\Minecraft\jre\x64\bin\java.exe -Dtlauncher.bootstrap.restartExec=LL.exe -Xmx64M -jar launcher/bootstrap.jar
  • C:\Users\<USER>\AppData\Roaming\.tlauncher\legacy\Minecraft\jre\x64\bin\javaw.exe -Xmx256m -Dfile.encoding=UTF-8 -Djava.net.useSystemProxies=true -Dtlauncher.systemCharset=UTF-8 -Dtlauncher.logFolder=C:\Users\<USER>\AppData\Roaming\.tlaunch…
+3 more processes captured.
Network activity
2
IP addresses · 2
  • 104.26.10.81
  • 188.72.103.3
Filesystem & mutexes
31
Files written · 15
  • C:\Users\<USER>\AppData\Local\Temp\is-H3WOZGZMG3.tmp\LegacyLauncher.tmp
  • C:\Users\<USER>\AppData\Local\Temp\is-7P3BLKKW1H.tmp\_isetup\_setup64.tmp
  • C:\Users\<USER>\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
  • C:\Users\<USER>\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db
  • C:\Users\<USER>\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
+10 more
Files deleted · 15
  • C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\XboxLive\AuthStateCache.dat
  • C:\Users\<USER>\AppData\Local\Microsoft\XboxLive\AuthStateCache.dat
  • C:\Users\<USER>\AppData\Roaming\.tlauncher\legacy\Minecraft\is-J1PQRIRBOE.tmp
  • C:\Users\<USER>\AppData\Roaming\.tlauncher\legacy\Minecraft\is-M9BQ8954G5.tmp
  • C:\Users\<USER>\AppData\Roaming\.tlauncher\legacy\Minecraft\is-XJZDWZR74N.tmp
+10 more
Mutexes created · 1
  • cversions.3.m
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

2 synthesis
MITRE ATT&CK profile
Defense evasion × 1 · C2 × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection [high]

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    C:\Windows\Explorer.EXE
  • DirectIpC2 [medium]

    Sample contacted 2 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    104.26.10.81 · 188.72.103.3
Antivirus engine breakdown

1 detection across 74 engines

1 malicious · 0 suspicious · 73 clean
Tier-1 · 17 engines · 0 flagged
Top commercial AVs (low FP rate)
Tier-2 · 38 engines · 0 flagged
Mainstream engines with mixed FP rates
Low-trust · 19 engines · 1 flagged
Heuristic / generic-AI engines (high FP rate)
Trapmine
malicious
suspicious.low.ml.score
Hash a092da5c6df6… cross-referenced against 74 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Entropy 8.00 · Unpacked
Section entropy · 10 sections
  • .text · 6.38
  • .itext · 6.04
  • .data · 5.18
  • .bss · 0.00
  • .idata · 4.82
  • .didata · 2.76
  • .edata · 1.34
  • .tls · 0.00
  • .rdata · 1.38
  • .reloc · 6.70
Scale 0.0 to 8.0 · packed threshold 7.2
Prevalence

How often this file shows up in the wild

Moderate prevalence — neither rare nor common. No strong prior applies.

Medium
Unique uploaders
3,729
Hundreds of people have uploaded this — common.
Total submissions
22,543
Includes repeat uploads by the same source.
First seen by VT
2mo ago
May 13, 2026
Prevalence quadrant
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old: trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
5/13/2026, 5:37:17 PM
First seen (MalwareBazaar)
Last analysis (VT)
7/5/2026, 4:47:17 AM
Scanned here
7/5/2026, 5:15:51 AM
File name
LegacyLauncher.exe
Size
111.85 MB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
a092da5c6df6c6be4341846f43425006ee0da2ce96953cf98a4b947457824ac4
MD5
326cd698c88f262d42e83ba62036070b
SHA-1
9ea8a0630dc8570769afe39f5a56af3d17ec520d
PE imphash
88016fcdef7f227c62171d0afad9aae4
First scan (MalwareTips)
7/5/2026, 5:15:51 AM
Last scan (MalwareTips)
7/5/2026, 5:15:51 AM
Community reputation
+2 · trusted
Behavior tags
overlay, peexe
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Scanned by
pennies
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.