Trojan.Agent.MPSO
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 27,336 |
| Threat Level: | 80 % (High) |
| Infected Computers: | 1 |
| First Seen: | June 13, 2026 |
| Last Seen: | June 22, 2026 |
| OS(es) Affected: | Windows |
Security researchers have identified a threat detected as Trojan.Agent.MPSO. This detection flag is applied to a suspicious Windows PE executable that lacks a valid digital signature. Because the file is unsigned and operates as a standard executable, it falls outside the boundaries of trusted, verified software. Users are strongly advised to treat this detection seriously and take appropriate steps to identify and remove the associated files from their systems.
Table of Contents
What Is Trojan.Agent.MPSO?
Trojan.Agent.MPSO is a detection name used for a Windows PE executable that exhibits behavior or characteristics consistent with trojan activity. A Windows PE (Portable Executable) file is a standard format for executables, DLLs, and other core components in the Windows operating system. In the context of this threat, the file is not accompanied by a digital signature. A digital signature is typically used by legitimate software developers to verify the publisher and ensure that the file has not been tampered with since its creation. The absence of a signature means the file cannot be cryptographically tied to a known, trusted developer, which is a common trait among unauthorized or malicious software.
How Trojan.Agent.MPSO Operates
As a Windows PE executable, Trojan.Agent.MPSO relies on being executed directly by the user or through another process on the system. Once launched, trojans of this classification generally attempt to perform unauthorized actions beneath the visible desktop environment. Because the file is unsigned, the operating system's native security mechanisms cannot verify its origin, allowing it to operate under the guise of a standard application.
Typical operational patterns for executables flagged under this detection include establishing persistence mechanisms to survive system reboots, modifying system configurations, or attempting to communicate with remote servers. Without a verified publisher, the executable operates with whatever privileges are granted to the user who launched it, potentially allowing it to alter system settings, interact with other processes, or facilitate the deployment of additional unauthorized payloads.
Symptoms of Infection
Identifying a Trojan.Agent.MPSO infection can be challenging because trojans are designed to operate quietly. However, users may notice several general indicators of compromise:
- Unexpected system slowdowns or high resource usage when no visible applications are running.
- Unrecognized processes appearing in the system task manager.
- Unprompted modifications to system settings or the creation of new startup entries.
- Unusual network activity or unexpected requests for network permissions.
- Security software generating alerts regarding an unsigned executable attempting to run or make changes to the system.
How to Remove Trojan.Agent.MPSO
To effectively remove Trojan.Agent.MPSO from an affected system, users should follow a structured removal process to ensure all associated components are eliminated:
- Boot the computer into Safe Mode with Networking to limit the trojan's ability to execute and interfere with the removal process.
- Run a full system scan with a reputable anti-malware tool such as SpyHunter to detect and quarantine the unsigned executable and any related threats.
- Uninstall any suspicious or unrecognized programs from the system's control panel, particularly any software that may have been installed around the same time the detection occurred.
- Reset the Chrome, Firefox, and Edge browsers to default settings to clear any unauthorized extensions, search providers, or startup pages that the trojan may have introduced.
- Reboot the system normally and run a second scan with the anti-malware tool to confirm that the threat has been completely removed and no traces remain.
Conclusion
The detection of Trojan.Agent.MPSO serves as a reminder of the risks associated with executing unsigned Windows PE files. Because this threat lacks a valid digital signature, its origin and intent cannot be verified, making it a potential risk to system integrity and user privacy. By understanding how this executable operates and following a thorough removal process, users can effectively mitigate the threat. Maintaining a proactive security posture, including the use of reputable anti-malware tools and scrutinizing unsigned executables, remains essential for keeping systems secure.
Analysis Report
General information
| Family Name: | Trojan.Agent.MPSO |
|---|---|
| Signature status: | No Signature |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
bc3a4c8f13b0c170f1adc72c30ece0df
SHA1:
84be87f8d82a95af36d19e0358102346a8dcd180
SHA256:
561E2EFEDE32AE7D5D31249373ACAB0CBDF83E5CA15CBF5989D1C09C80110DF2
File Size:
868.35 KB, 868352 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
Show More
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Traits
- dll
- HighEntropy
- x64
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 516 |
|---|---|
| Potentially Malicious Blocks: | 10 |
| Whitelisted Blocks: | 506 |
| Unknown Blocks: | 0 |
Visual Map
? - Unknown Block
x - Potentially Malicious Block
Similar Families
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.- Agent.MPSO
Registry Modifications
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.| Key::Value | Data | API Name |
|---|---|---|
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | �m tX �v�Z����(�*J1�1HO @V� G�IH[uH�p_�zb"hk�ql(�q�X{b��P� ��� ������m� ����$�8წ���&M �=�SB1_ T�Vw���%������ �AE��D��&��$���L | RegNtPreCreateKey |
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Syscall Use |
Show More
|