High Risk / Review Required

Recommended action: Do not release this file without IT/security review.

Important: This report should not say a file is absolutely “safe.” A better phrase is: no obvious malicious behavior was observed in this sandbox run.

Quick Notes

No network activity was recorded.
No YARA hits were recorded.
No ClamAV detection was recorded.
No dropped files were recorded.
Started services were observed.
Child process or command execution was observed.

File Details

File name	calc.exe
File type	PE32+ executable (GUI) x86-64, for MS Windows
Size	49152
MD5	18e5b970eab39020b7e53aa81c371287
SHA1	dfaa2584f5c12a9a329e41e141dd4e8d986c620a
SHA256	621ba3934afc45c35a4ee16386f4da30119f39fa243e8dc8fef3491a76f829d8

Sandbox Run Details

Task ID	5
Started	2026-06-11 18:33:07
Ended	2026-06-11 18:37:14
Duration	247
Package	exe
Route	none
Machine	cuckoo1
CAPE score	8.0
CAPE status	Malicious

Top CAPE Signatures

Severity	Confidence	Signature	Meaning
3	100%	`infostealer_cookies`	Touches a file containing cookies, possibly for information gathering
3	100%	`pe_compile_timestomping`	Binary compilation timestomping detected
2	80%	`privilege_elevation_check`	Queries process token information to check for Administrator privileges or UAC elevation status
2	50%	`creates_suspended_process`	Creates a process in a suspended state, likely for injection
2	100%	`resumethread_remote_process`	Resumed a thread in another process
2	100%	`packer_unknown_pe_section_name`	The binary contains an unknown PE section name indicative of packing
1	100%	`antivm_checks_available_memory`	Checks available memory
1	100%	`queries_keyboard_layout`	Queries the keyboard layout
1	80%	`static_pe_pdbpath`	The PE file contains a PDB path
1	40%	`antidebug_setunhandledexceptionfilter`	SetUnhandledExceptionFilter detected (possible anti-debug)
1	100%	`language_check_registry`	Checks system language via registry key (possible geofencing)

Observed Behavior

Executed Commands / Child Processes

"C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
"C:\WINDOWS\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}
\\?\C:\Windows\System32\SecurityHealthHost.exe {08728914-3F57-4D52-9E31-49DAECA5A80A} -Embedding
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
C:\Windows\System32\RuntimeBroker.exe -Embedding

Registry Writes

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\AppXp8e2ntvbtget7f2fw6qec3j54vhd14m4_ms-calculator

Created Services

None observed.

Started Services

WaaSMedicSvc

Network Activity

No network activity recorded in this report.

Generated 2026-06-15T15:24:50 from /opt/CAPEv2/storage/analyses/5/reports/report.json