File name:	Office-2019-Word-Excel-Powerpoint.exe
Full analysis:	https://app.any.run/tasks/8470a07a-523e-4863-8f1b-73a160dafa80
Verdict:	Malicious activity
Threats:	First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	July 02, 2025, 10:40:54
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	loader arch-exec emmenhtal
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	BBCAD7D5B427F0304ADD79D06E33D8D6
SHA1:	F53BE99801D8C727B9DAC59B128BB02B7032972E
SHA256:	AADAEE757A94939101646F1542894A93F56682E6643C06475E987B1E20C66F80
SSDEEP:	196608:hg5UGL8DxLDJjW61Qm6u/O7h/mi7RkGLT26RYKwT4:hg5bLIx3Jjhv6vhPRnZDwc

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2009:08:16 11:05:43+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	48640
InitializedDataSize:	136192
UninitializedDataSize:	-
EntryPoint:	0x912e
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(2808) Office-2019-Word-Excel-Powerpoint.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\OpenWithProgids
Operation:	write	Name:	htafile
Value:
(PID) Process:	(4456) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(4456) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4456) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
2808	Office-2019-Word-Excel-Powerpoint.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\Linkf.zip		compressed
		MD5:53E6A02CC1A922184E2E360D254310A5	SHA256:FEAD2F25DE0A845ECD6D468DE45A69DA0A197A482EC317FE6B7810EFD501D6DC
2808	Office-2019-Word-Excel-Powerpoint.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\img\master-logo.png		image
		MD5:DCD58D02C346D2AE1A2E7E783A451692	SHA256:A0545E726904F6C8EA299ED374992A426913981B662160E517785661BA4A4689
2808	Office-2019-Word-Excel-Powerpoint.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\7z.exe		executable
		MD5:2D1C72072FEC74FB0ECA850EF8F9F93E	SHA256:B93149E44239DBDD5E6705C73AE14EE11285923E963E41E8D142E4171F20F4EB
2808	Office-2019-Word-Excel-Powerpoint.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\7z.dll		executable
		MD5:AACD9B8E5E5E369C3518B86486CFC9D4	SHA256:E876CAB250EB2B0AAB976FF9922A3945E2B4724166B0EFB64690B46FE470CD3C
2808	Office-2019-Word-Excel-Powerpoint.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\gtea.vbs		text
		MD5:FD1C46C0CBE4B12C47C35C55058FDC4F	SHA256:162E2C4989DA50FDCB327B1384C1B450EAB42932E2A51C282A24CD736D09E9FF
2808	Office-2019-Word-Excel-Powerpoint.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\gteb.vbs		text
		MD5:A35D8B39A8F2ACAEF3849D7930EDA985	SHA256:7203FA1C184E1B5A42CB1D440461B7107E1B1CFF8CB1D1793E273D4D361576AE
2808	Office-2019-Word-Excel-Powerpoint.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\gtec.vbs		text
		MD5:100DAC90D760FFF0DF7EFE91DC516858	SHA256:5BA9F54CCC7B1E8C309A146A539436934B63E5239BA7D56824281351B541B6C1
2808	Office-2019-Word-Excel-Powerpoint.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\icon.ico		image
		MD5:12D9707D3BD5A5473561249BE43EEF46	SHA256:B450161D99C31A95F2C7F0E912385DC718996E4590526D17CFCF674BAB9C9195
2808	Office-2019-Word-Excel-Powerpoint.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\img\logo-offer.png		image
		MD5:072679C20456E6B83EA3707A7C4E7B6F	SHA256:8A0087C2D38FA04F54E2F8A39310EB6FBDC8849C61A55AE235D4B121052A2E6A
2808	Office-2019-Word-Excel-Powerpoint.exe	C:\Users\admin\AppData\Local\Temp\RarSFX0\img\log-game.png		image
		MD5:0FD141306E06EF59CABCE6F76D4F3D7E	SHA256:F19B0E9FEFD718789D8316566AED028B13F43955071F2A4C422EA5C09FBDBEFA

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2148	RUXIMICS.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2148	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	302	37.9.116.45:443	https://download.yandex.ru/yandex-pack/downloader/downloader.exe	unknown	—	—	—
—	—	GET	200	5.45.200.109:443	https://cloudcdn-fra-02.cdn.yandex.net/download.yandex.ru/yandex-pack/downloader/downloader.exe?lid=11	unknown	executable	203 Kb	whitelisted
—	—	POST	200	20.190.159.73:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	400	20.190.159.73:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2148	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2148	RUXIMICS.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146	whitelisted
google.com	142.250.185.238	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.14 2.16.168.114 2.16.168.124	whitelisted
www.microsoft.com	95.101.149.131 2.23.246.101	whitelisted
download.yandex.ru	37.9.64.225	whitelisted
cloudcdn-fra-02.cdn.yandex.net	5.45.200.109	whitelisted
login.live.com	40.126.31.0 20.190.159.23 20.190.159.130 40.126.31.1 40.126.31.3 20.190.159.75 40.126.31.67 20.190.159.71	whitelisted
nexusrules.officeapps.live.com	52.111.229.43	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET INFO Wget Request for Executable
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET INFO Packed Executable Download

General Info

Office-2019-Word-Excel-Powerpoint.exe

BBCAD7D5B427F0304ADD79D06E33D8D6

F53BE99801D8C727B9DAC59B128BB02B7032972E

AADAEE757A94939101646F1542894A93F56682E6643C06475E987B1E20C66F80

196608:hg5UGL8DxLDJjW61Qm6u/O7h/mi7RkGLT26RYKwT4:hg5bLIx3Jjhv6vhPRnZDwc

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

EMMENHTAL has been detected (YARA)

SUSPICIOUS

Drops 7-zip archiver for unpacking

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Runs shell command (SCRIPT)

There is functionality for taking screenshot (YARA)

INFO

Checks supported languages

Reads the computer name

The sample compiled with english language support

Create files in a temporary directory

Process checks computer location settings

Reads Internet Explorer settings

Checks proxy server information

Reads the machine GUID from the registry

The sample compiled with russian language support

Manual execution by a user

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings