CAPE Tech Report - Malicious

How This Was Determined

Malicious Indicators

CAPE malstatus is malicious.
CAPE malscore is high: 7.
CAPE signature: privilege_elevation_check - Queries process token information to check for Administrator privileges or UAC elevation status (severity 2, confidence 80%)
CAPE signature: query_fips_reconnaissance - Queried the FIPS cryptography policy, can be used to adapt C2 network encryption or by legitimate encryption software (severity 2, confidence 50%)
CAPE signature: mountpoints_volume_discovery - Queries the mount points and then resolves volume paths to enumerate storage devices (severity 2, confidence 20%)
CAPE signature: unbacked_process_mitigation_alteration - Manipulated process mitigation policies (CFG/DEP/hard error modes) from dynamically allocated (unbacked) memory (severity 3, confidence 100%)
CAPE signature: unbacked_api_resolution - Manually resolves API addresses from dynamically allocated (unbacked) memory, indicative of shellcode or an unpacker (severity 3, confidence 100%)
CAPE signature: unbacked_memory_protection_alteration - Altered memory protections from dynamically allocated (unbacked) memory, indicative of self-modifying shellcode or memory patching (severity 3, confidence 20%)
CAPE signature: unbacked_crypto_operations - Invoked native Windows cryptographic APIs from dynamically allocated (unbacked) memory, possible encryption/decryption of payloads, c2, files or data (severity 3, confidence 40%)
CAPE signature: unbacked_token_manipulation - Attempted to open, duplicate, or impersonate an access token from dynamically allocated (unbacked) memory, indicative credential theft or lateral movement (severity 3, confidence 100%)
CAPE signature: unbacked_memory_network_connection - Network connection initiated from dynamically allocated (unbacked) memory, indicative of fileless C2 activity (severity 3, confidence 100%)

Possible IOC / Review Indicators

CAPE signature: antivm_checks_available_memory - Checks available memory (severity 1, confidence 100%)
CAPE signature: dead_connect - Attempts to connect to a dead IP:Port (3 unique times) (severity 1, confidence 100%)
CAPE signature: queries_keyboard_layout - Queries the keyboard layout (severity 1, confidence 100%)
CAPE signature: static_pe_pdbpath - The PE file contains a PDB path (severity 1, confidence 80%)
CAPE signature: language_check_registry - Checks system language via registry key (possible geofencing) (severity 1, confidence 100%)
CAPE signature: uiautomationcore_load - Process loads UIAutomationCore.dll, potentially for evasion or execution. (severity 1, confidence 100%)
CAPE signature: antisandbox_sleep - A process attempted to delay the analysis task. (severity 2, confidence 100%)
CAPE signature: registers_vectored_exception_handler - Registers a vectored exception handler (VEH), possibly to hijack execution flow (severity 2, confidence 80%)
CAPE signature: resumethread_remote_process - Resumed a thread in another process (severity 2, confidence 100%)
CAPE signature: contains_pe_overlay - The PE file contains an overlay (severity 2, confidence 100%)
CAPE signature: uses_windows_utilities - Uses Windows utilities for basic functionality (severity 2, confidence 80%)
CAPE signature: antisandbox_unhook - Tries to unhook or modify Windows functions monitored by CAPE (severity 3, confidence 60%)
CAPE signature: antivm_display - Attempts to query display device information, possibly to determine if the process is running in a virtualized environment (severity 3, confidence 100%)
CAPE signature: unbacked_library_load - Loads a new DLL where the caller address originates from dynamically allocated (unbacked) memory (severity 3, confidence 100%)
CAPE signature: unbacked_mutex_creation - Created or queried a mutex from dynamically allocated (unbacked) memory, indicative of a fileless payload checking or creating an infection marker (severity 3, confidence 100%)
CAPE signature: unbacked_com_instantiation - Attempted to use a COM object (CoCreateInstance) from dynamically allocated (unbacked) memory, possibly for WMI reconnaissance or DCOM lateral movement (severity 3, confidence 80%)
CAPE signature: unbacked_file_dropping - Wrote data to the filesystem from dynamically allocated (unbacked) memory (severity 3, confidence 100%)
CAPE signature: unbacked_registry_modification - Attempted to modify the Windows registry from dynamically allocated (unbacked) memory (severity 3, confidence 100%)
CAPE signature: unbacked_service_manipulation - Attempted to interact with the Service Control Manager from dynamically allocated (unbacked) memory (severity 3, confidence 100%)
CAPE signature: unbacked_bind_shell - Bound a network socket to listen for inbound connections from dynamically allocated (unbacked) memory, indicating a fileless TCP bind shell or P2P (severity 3, confidence 100%)
...and 10 more.

Lower-Risk Facts

No YARA hits were recorded.
No CAPE YARA hits were recorded.
No ClamAV detection was recorded.

Important Notes

VirusTotal was unavailable in CAPE: Unable to complete connection to VirusTotal. Status code: 429

VirusTotal

Stored CAPE result: Unable to complete connection to VirusTotal. Status code: 429

Manual lookup: Open SHA256 in VirusTotal

File Details

File name	RealVNC Viewer Installer.exe
File type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size	1294880
MD5	d9e783f14f5b6fd0d50b3a38cc04d684
SHA1	0bb21ef812674e044e206c8a5ead4c7525214178
SHA256	95da32e16ab3235d7613ebada477a92f56dd1cf1321f0a96548666ad1d177cfa
VirusTotal lookup	Open SHA256 in VirusTotal

Sandbox Run Details

Task ID	26
Started	2026-06-18 12:49:59
Ended	2026-06-18 12:54:37
Duration	278 seconds
Package	exe
Route	internet
Machine	cuckoo1
CAPE score	7.0
CAPE status	Malicious

YARA / AV Indicators

Source	Rule / Detection	Description / Evidence
No YARA hits recorded.
No CAPE YARA hits recorded.
No ClamAV hits recorded.

CAPE Signatures

Severity	Confidence	Signature	Description
3	60%	antisandbox_unhook	Tries to unhook or modify Windows functions monitored by CAPE
3	100%	antivm_display	Attempts to query display device information, possibly to determine if the process is running in a virtualized environment
3	100%	unbacked_process_mitigation_alteration	Manipulated process mitigation policies (CFG/DEP/hard error modes) from dynamically allocated (unbacked) memory
3	100%	unbacked_api_resolution	Manually resolves API addresses from dynamically allocated (unbacked) memory, indicative of shellcode or an unpacker
3	100%	unbacked_library_load	Loads a new DLL where the caller address originates from dynamically allocated (unbacked) memory
3	20%	unbacked_memory_protection_alteration	Altered memory protections from dynamically allocated (unbacked) memory, indicative of self-modifying shellcode or memory patching
3	100%	unbacked_mutex_creation	Created or queried a mutex from dynamically allocated (unbacked) memory, indicative of a fileless payload checking or creating an infection marker
3	80%	unbacked_com_instantiation	Attempted to use a COM object (CoCreateInstance) from dynamically allocated (unbacked) memory, possibly for WMI reconnaissance or DCOM lateral movement
3	40%	unbacked_crypto_operations	Invoked native Windows cryptographic APIs from dynamically allocated (unbacked) memory, possible encryption/decryption of payloads, c2, files or data
3	100%	unbacked_file_dropping	Wrote data to the filesystem from dynamically allocated (unbacked) memory
3	100%	unbacked_registry_modification	Attempted to modify the Windows registry from dynamically allocated (unbacked) memory
3	100%	unbacked_service_manipulation	Attempted to interact with the Service Control Manager from dynamically allocated (unbacked) memory
3	100%	unbacked_token_manipulation	Attempted to open, duplicate, or impersonate an access token from dynamically allocated (unbacked) memory, indicative credential theft or lateral movement
3	100%	unbacked_bind_shell	Bound a network socket to listen for inbound connections from dynamically allocated (unbacked) memory, indicating a fileless TCP bind shell or P2P
3	100%	unbacked_dns_resolution	Attempted to resolve a domain name from dynamically allocated (unbacked) memory
3	100%	unbacked_memory_network_connection	Network connection initiated from dynamically allocated (unbacked) memory, indicative of fileless C2 activity
3	100%	pe_deep_entrypoint	The PE entry point is located unusually far into section, indicative of an appended packer stub that jumps to the original entry point (OEP)
3	80%	static_pe_anomaly	Anomalous binary characteristics
3	100%	pe_compile_timestomping	Binary compilation timestomping detected
2	100%	antisandbox_sleep	A process attempted to delay the analysis task.
2	80%	privilege_elevation_check	Queries process token information to check for Administrator privileges or UAC elevation status
2	50%	query_fips_reconnaissance	Queried the FIPS cryptography policy, can be used to adapt C2 network encryption or by legitimate encryption software
2	20%	mountpoints_volume_discovery	Queries the mount points and then resolves volume paths to enumerate storage devices
2	80%	registers_vectored_exception_handler	Registers a vectored exception handler (VEH), possibly to hijack execution flow
2	50%	creates_suspended_process	Creates a process in a suspended state, likely for injection
2	100%	resumethread_remote_process	Resumed a thread in another process
2	100%	contains_pe_overlay	The PE file contains an overlay
2	20%	discover_registry_mount_points	Queries registry mount points to identify historical or connected removable/network drives
2	50%	injection_rwx	Creates RWX memory
2	80%	uses_windows_utilities	Uses Windows utilities for basic functionality

Behavior Summary

Executed commands / child processes	5
File writes	10
File deletes	6
Registry writes	21
Created services	0
Started services	0
CAPE payload-like items	5
CAPE extracted configs	0
Dropped/related files captured	2
Network indicators	21

Executed Commands / Child Processes

"C:\WINDOWS\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.10120.0_x64__8wekyb3d8bbwe\WindowsPackageManagerServer.exe" -Embedding

"C:\Program Files\WindowsApps\Microsoft.WindowsStore_22604.1401.8.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca

C:\WINDOWS\system32\ApplicationFrameHost.exe -Embedding

C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding

File Writes

C:\Users\IT\AppData\Local\Temp\TmpCE7E.tmp

C:\Users\IT\AppData\Local\Temp\TmpCF99.tmp

C:\Users\IT\AppData\Local\Temp\Microsoft.Management.Deployment.winmd

\Device\RasAcd

C:\Users\IT\AppData\Local\Microsoft\Windows\INetCache\IE\WPFDD94.tmp

\??\DamCtrl

C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-3021741035-2986501292-914809479-1000\SystemAppData\Helium\Cache\11c658b040efd7c1.dat

\Device\VRegDriver

\Device\NamedPipe\Sessions\1\AppContainerNamedObjects\S-1-15-2-2473817148-3930944034-1235795307-187980641-3967865409-1804095407-1113801530

C:\Users\IT\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\DiagOutputDir\WinGetCOM-2026-06-18-12-53-46.550.log

Registry Writes

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect

HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\RealVNC Viewer Installer_RASAPI32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RealVNC Viewer Installer_RASAPI32\EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RealVNC Viewer Installer_RASAPI32\EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RealVNC Viewer Installer_RASAPI32\EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RealVNC Viewer Installer_RASAPI32\FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RealVNC Viewer Installer_RASAPI32\ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RealVNC Viewer Installer_RASAPI32\MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RealVNC Viewer Installer_RASAPI32\FileDirectory

...and 9 more.

Created Services

None recorded.

Started Services

None recorded.

CAPE Extracted Items

Payload-like Items

/opt/CAPEv2/storage/analyses/26/CAPE/3a9b566a116f1f2baaa38d03142083aa9b9691d34c676f64331f31307c9974f7

/opt/CAPEv2/storage/analyses/26/CAPE/a8b55b9728d935a026d0513e3ef1c1676b3c694f9f05ade67612e6f13ea04d5c

/opt/CAPEv2/storage/analyses/26/CAPE/df03bf51ea6b69b2f8cc8c86ff0c0d4af376c5dab01a99798454e0e559c246b9

/opt/CAPEv2/storage/analyses/26/CAPE/9eddcf92af646965bac30f3e90ffa90f2009a4a12ee11bd673ea5f60105abe6e

/opt/CAPEv2/storage/analyses/26/CAPE/8a99873e9f8b08aab651e6303c56bc06beba6f8c10bf283fa6fb488fee9b463b

Extracted Configs

None recorded.

Network Activity

Network activity was recorded.

{'ip': '40.126.7.35', 'country_name': 'unknown', 'asn': '', 'asn_name': '', 'hostname': '', 'inaddrarpa': '', 'ports': [443]}

{'ip': '40.126.28.18', 'country_name': 'unknown', 'asn': '', 'asn_name': '', 'hostname': '', 'inaddrarpa': '', 'ports': [443]}

{'ip': '20.190.135.19', 'country_name': 'unknown', 'asn': '', 'asn_name': '', 'hostname': '', 'inaddrarpa': '', 'ports': [443]}

{'ip': '20.190.135.18', 'country_name': 'unknown', 'asn': '', 'asn_name': '', 'hostname': '', 'inaddrarpa': '', 'ports': [443]}

{'ip': '20.190.135.5', 'country_name': 'unknown', 'asn': '', 'asn_name': '', 'hostname': '', 'inaddrarpa': '', 'ports': [443]}

10.10.69.139

20.59.87.227

Generated 2026-06-18T12:55:01 from /opt/CAPEv2/storage/analyses/26/reports/report.json