Recommended action: Verify source, signer, and reputation before approving.
Why this verdict: CAPE assigned a moderate to high score, but this report did not find strong behavior-based indicators.
Important: This report should not say a file is absolutely safe. A better phrase is: no obvious malicious behavior was observed in this sandbox run.
VirusTotal: Unavailable/error from CAPE: Unable to complete connection to VirusTotal. Status code: 429
Manual lookup: Open SHA256 in VirusTotal
This report only uses VirusTotal detection counts if they are present in the CAPE JSON. A link alone is not the same as a local detection result.
| Field | Value |
|---|---|
| File name | pbe-remote-help.msi |
| File type | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: PBE-Remote-Help Installer, Author: PURSLANE, Keywords: Installer, Comments: This installer database contains the logic and data required to install PBE-Remote-Help., Template: x64;1033, Revision Number: {4B986941-1D3F-4C19-B6EB-734021E08AE7}, Create Time/Date: Mon May 4 17:02:28 2026, Last Saved Time/Date: Mon May 4 17:02:28 2026, Number of Pages: 500, Number of Words: 2, Name of Creating Application: WiX Toolset (4.0.5.0), Security: 2 |
| Size (bytes) | 24948736 |
| MD5 | 3dbb7964296f631bb3288c2e81f34ec5 |
| SHA1 | e5f822056e1c892ab7c1d2c4bb5e78825c52ca03 |
| SHA256 | a4d98e1ebc0671ab75bfd7202cca24d9afdc2793e69a6f2ca924ff5446a18a7d |
| VirusTotal lookup | Open SHA256 in VirusTotal |

| Field | Value |
|---|---|
| Task ID | 12 |
| Started | 2026-06-15 19:08:30 |
| Ended | 2026-06-15 19:11:43 |
| Duration | 193 seconds |
| Package | msi |
| Route | none |
| Machine | cuckoo1 |
| CAPE score | 5.9 |
| CAPE status | |
| Digital signature | No signer data found in CAPE JSON. |

| Severity | Confidence | Signature | Meaning |
|---|---|---|---|
| 2 | 80% | privilege_elevation_check | Queries process token information to check for Administrator privileges or UAC elevation status |
| 2 | 20% | mountpoints_volume_discovery | Queries the mount points and then resolves volume paths to enumerate storage devices |
| 2 | 50% | creates_suspended_process | Creates a process in a suspended state, likely for injection |
| 2 | 100% | resumethread_remote_process | Resumed a thread in another process |
| 2 | 100% | network_connection_via_suspicious_process | Attempts to make a network connection via suspicious process |
| 2 | 20% | discover_registry_mount_points | Queries registry mount points to identify historical or connected removable/network drives |
| 2 | 80% | uses_windows_utilities | Uses Windows utilities for basic functionality |
| 1 | 100% | queries_keyboard_layout | Queries the keyboard layout |
| 1 | 40% | antidebug_setunhandledexceptionfilter | SetUnhandledExceptionFilter detected (possible anti-debug) |
| 1 | 40% | stealth_timeout | Possible date expiration check, exits too soon after checking local time |
| 1 | 100% | language_check_registry | Checks system language via registry key (possible geofencing) |

| Observed item | Count |
|---|---|
| Executed commands / child processes | 5 |
| File writes | 7 |
| File deletes | 4 |
| Registry writes | 0 |
| Created services | 0 |
| Started services | 1 |
| CAPE payload-like items | 0 |
| CAPE extracted configs | 0 |
| Dropped/related files captured | 1 |
No CAPE payload-like items were extracted.
None observed.
No network activity recorded in this report.
Generated 2026-06-15T19:12:02 from /opt/CAPEv2/storage/analyses/12/reports/report.json