Recommended action: Verify the download source, file hash, and digital signature. If it came from the official vendor and reputation checks are clean, it is likely acceptable.
Why this verdict: CAPE scored the file highly, but the observed indicators are mostly packaging, UI, locale, or anti-VM style checks, and the behavior side was otherwise quiet.
Important: This report should not say a file is absolutely “safe.” A better phrase is: no obvious malicious behavior was observed in this sandbox run.
VirusTotal: Unavailable/error from CAPE: Unable to complete connection to VirusTotal. Status code: 429
Manual lookup: Open SHA256 in VirusTotal
This report only uses VirusTotal detection counts if they are present in the CAPE JSON. A link alone is not the same as a local detection result.
| File name | notepad__.exe |
|---|---|
| File type | PE32+ executable (GUI) x86-64, for MS Windows |
| Size | 8383104 |
| MD5 | 54cc861ace958d1ff881551230e9fba9 |
| SHA1 | 69cb2179ef777a2e1118fe43c8c67bc75ed10fda |
| SHA256 | a44e2bca325e482a65abc82ee1c8d164ca4e15e0792746876c302d0881335c76 |
| VirusTotal lookup | Open SHA256 in VirusTotal |

| Task ID | 7 |
|---|---|
| Started | 2026-06-15 15:58:31 |
| Ended | 2026-06-15 16:02:37 |
| Duration | 246 seconds |
| Package | exe |
| Route | none |
| Machine | cuckoo1 |
| CAPE score | 7.0 |
| CAPE status | Malicious |
| Digital signature | Guest signer check failed: File not found: C:\Users\IT\AppData\Local\Temp\7\notepad__.exe |

| Severity | Confidence | Signature | Meaning |
|---|---|---|---|
| 3 | 100% | antivm_display | Attempts to query display device information, possibly to determine if the process is running in a virtualized environment |
| 2 | 100% | mouse_movement_detect | Checks for mouse movement |
| 2 | 80% | privilege_elevation_check | Queries process token information to check for Administrator privileges or UAC elevation status |
| 2 | 100% | pe_deep_entrypoint | The PE entry point is located unusually far into section, indicative of an appended packer stub that jumps to the original entry point (OEP) |
| 2 | 100% | packer_unknown_pe_section_name | The binary contains an unknown PE section name indicative of packing |
| 2 | 100% | packer_entropy | The binary likely contains encrypted or compressed data |
| 2 | 100% | contains_pe_overlay | The PE file contains an overlay |
| 1 | 100% | queries_keyboard_layout | Queries the keyboard layout |
| 1 | 100% | queries_locale_api | Queries the computer locale (possible geofencing) |
| 1 | 40% | antidebug_setunhandledexceptionfilter | SetUnhandledExceptionFilter detected (possible anti-debug) |
| 1 | 100% | language_check_registry | Checks system language via registry key (possible geofencing) |

| Observed item | Count |
|---|---|
| Executed commands / child processes | 0 |
| File writes | 5 |
| File deletes | 0 |
| Registry writes | 0 |
| Created services | 0 |
| Started services | 0 |
| CAPE payload-like items | 1 |
| CAPE extracted configs | 0 |
| Dropped/related files captured | 2 |

None observed.

C:\Users\IT\AppData\Roaming\Notepad++\langs.xml
C:\Users\IT\AppData\Roaming\Notepad++\config.xml
C:\Users\IT\AppData\Roaming\Notepad++\stylers.xml
C:\Users\IT\AppData\Roaming\Notepad++\shortcuts.xml
C:\Users\IT\AppData\Roaming\Notepad++\contextMenu.xml

None observed.
None observed.
None observed.
CAPE extracted 1 payload-like item(s). Review if unexpected.
/opt/CAPEv2/storage/analyses/7/CAPE/62375771444e16f9b2b889ca44474a6af2ae4fa3f15ccd8b1d016ee29beb50f4

No network activity recorded in this report.