File name:	f8e2282fa9f27288dfac1b1e555cc65fa3070837a86ea5fb939d7a371f1607cb.exe
Full analysis:	https://app.any.run/tasks/ddb88f70-710d-4005-945b-24f131d19737
Verdict:	Malicious activity
Threats:	Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. Agent Tesla ist eine Spyware, die Informationen über die Aktionen ihrer Opfer sammelt, indem sie Tastatureingaben und Benutzerinteraktionen aufzeichnet. Sie wird auf der speziellen Website, auf der diese Malware verkauft wird, fälschlicherweise als legitime Software vermarktet. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 10, 2026, 07:17:18
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	stealer evasion ultravnc rmm-tool phishing agenttesla netreactor
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	450FDCD9A7481E9097C13284A2B58CBB
SHA1:	CEA614F6077F99764BBE575CFCEB92B2639810FB
SHA256:	F8E2282FA9F27288DFAC1B1E555CC65FA3070837A86EA5FB939D7A371F1607CB
SSDEEP:	24576:g7ee/O43yjERvNjUNt+bMonjqjfhhCc63v0Q/hEu/fk5/oH1U+9kg9Bad+a7PNmk:g7ee/O43yjERvNjUNt+bMonjqjfhhCcv

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe	\|	Win64 Executable (generic) (23.8)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)
.exe	\|	Generic Win/DOS Executable (1.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:11:26 06:31:15+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	48
CodeSize:	773632
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0xbeb0a
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	Gioco Sudoku - Progetto Universitario
CompanyName:	-
FileDescription:	SudokuPlay
FileVersion:	1.0.0.0
InternalName:	pOjqJr.exe
LegalCopyright:	Copyright © 2025
LegalTrademarks:	-
OriginalFileName:	pOjqJr.exe
ProductName:	SudokuPlay
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(2204) f8e2282fa9f27288dfac1b1e555cc65fa3070837a86ea5fb939d7a371f1607cb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2204) f8e2282fa9f27288dfac1b1e555cc65fa3070837a86ea5fb939d7a371f1607cb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(2204) f8e2282fa9f27288dfac1b1e555cc65fa3070837a86ea5fb939d7a371f1607cb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2204) f8e2282fa9f27288dfac1b1e555cc65fa3070837a86ea5fb939d7a371f1607cb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(2204) f8e2282fa9f27288dfac1b1e555cc65fa3070837a86ea5fb939d7a371f1607cb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(2204) f8e2282fa9f27288dfac1b1e555cc65fa3070837a86ea5fb939d7a371f1607cb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(2204) f8e2282fa9f27288dfac1b1e555cc65fa3070837a86ea5fb939d7a371f1607cb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(2204) f8e2282fa9f27288dfac1b1e555cc65fa3070837a86ea5fb939d7a371f1607cb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2204) f8e2282fa9f27288dfac1b1e555cc65fa3070837a86ea5fb939d7a371f1607cb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(2204) f8e2282fa9f27288dfac1b1e555cc65fa3070837a86ea5fb939d7a371f1607cb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5276	MoUsoCoreWorker.exe	GET	304	20.73.194.208:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted
4212	svchost.exe	GET	200	23.216.77.18:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
4212	svchost.exe	GET	200	23.58.106.108:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
3280	svchost.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl	US	binary	400 b	whitelisted
3280	svchost.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	US	binary	813 b	whitelisted
3280	svchost.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl	US	binary	813 b	whitelisted
2204	f8e2282fa9f27288dfac1b1e555cc65fa3070837a86ea5fb939d7a371f1607cb.exe	GET	200	208.95.112.1:80	http://ip-api.com/line/?fields=hosting	US	text	6 b	malicious
3280	svchost.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl	US	binary	814 b	whitelisted
3280	svchost.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	US	binary	400 b	whitelisted
3280	svchost.exe	GET	200	23.216.77.11:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	NL	binary	824 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
4212	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5276	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	48.192.1.65:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	184.86.251.14:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
4212	svchost.exe	23.216.77.18:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
4212	svchost.exe	23.58.106.108:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4212	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	whitelisted
activation-v2.sls.microsoft.com	48.192.1.65	whitelisted
www.bing.com	184.86.251.14 184.86.251.8 184.86.251.15 184.86.251.11 184.86.251.16 184.86.251.9 184.86.251.13 184.86.251.10 184.86.251.12	whitelisted
google.com	142.251.110.101 142.251.110.113 142.251.110.100 142.251.110.102 142.251.110.138 142.251.110.139	whitelisted
crl.microsoft.com	23.216.77.18 23.216.77.37 23.216.77.43 23.216.77.25 23.216.77.27 23.216.77.15 23.216.77.21 23.216.77.11 23.216.77.26 23.216.77.8 23.216.77.23 23.216.77.19	whitelisted
www.microsoft.com	23.58.106.108 23.59.18.102	whitelisted
ip-api.com	208.95.112.1	whitelisted
mail.mbarieservicesltd.com	199.79.62.115	malicious
self.events.data.microsoft.com	52.182.143.208	whitelisted

PID	Process	Class	Message
5276	MoUsoCoreWorker.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2232	svchost.exe	Misc activity	INFO [ANY.RUN] External IP Check (ip-api .com)
2232	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2204	f8e2282fa9f27288dfac1b1e555cc65fa3070837a86ea5fb939d7a371f1607cb.exe	A Network Trojan was detected	ET MALWARE Common Stealer Behavior - Source IP Associated with Hosting Provider Check via ip.api .com
2204	f8e2282fa9f27288dfac1b1e555cc65fa3070837a86ea5fb939d7a371f1607cb.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External Hosting Lookup by ip-api
2232	svchost.exe	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing Domain (.mbarieservicesltd .com)

General Info

f8e2282fa9f27288dfac1b1e555cc65fa3070837a86ea5fb939d7a371f1607cb.exe

450FDCD9A7481E9097C13284A2B58CBB

CEA614F6077F99764BBE575CFCEB92B2639810FB

F8E2282FA9F27288DFAC1B1E555CC65FA3070837A86EA5FB939D7A371F1607CB

24576:g7ee/O43yjERvNjUNt+bMonjqjfhhCc63v0Q/hEu/fk5/oH1U+9kg9Bad+a7PNmk:g7ee/O43yjERvNjUNt+bMonjqjfhhCcv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Steals credentials from Web Browsers

PHISHING has been detected (SURICATA)

AGENTTESLA has been detected (YARA)

SUSPICIOUS

Application launched itself

Possible stealing from browsers

Possible stealing of email data

Possible stealing of FTP data

Possible stealing of VPN data

Checks for external IP

Connects to SMTP port

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Disables trace logs

ULTRAVNC has been detected

.NET Reactor protector has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings