Recommended action: Do not release this file without IT/security review.
Why this verdict: One or more stronger indicators were present, such as detection hits, network activity, persistence/service behavior, extracted malware config, or high-risk signatures.
Important: This report should not say a file is absolutely “safe.” A better phrase is: no obvious malicious behavior was observed in this sandbox run.
VirusTotal: Unavailable/error from CAPE: Unable to complete connection to VirusTotal. Status code: 429
Manual lookup: Open SHA256 in VirusTotal
This report only uses VirusTotal detection counts if they are present in the CAPE JSON. A link alone is not the same as a local detection result.
| Field | Value |
|---|---|
| File name | true |
| File type | ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=def326b154045626150e1bac9a720de16fa2db52, for GNU/Linux 3.2.0, stripped |
| Size | 26936 |
| MD5 | 5f3e9687fd390268d1ca33854127465e |
| SHA1 | f54c0d4f1a5b6ce11b2d926b692fccfe1a4fcd9c |
| SHA256 | 4b5a5694e3c0e8b1d58fc52ac6ef076e55e72c2f53195243ac86d5ff517cc2f6 |
| VirusTotal lookup | Open SHA256 in VirusTotal |

| Field | Value |
|---|---|
| Task ID | 8 |
| Started | 2026-06-15 18:02:36 |
| Ended | 2026-06-15 18:07:03 |
| Duration | 267 seconds |
| Package | generic |
| Route | false |
| Machine | cuckoo1 |
| CAPE score | 9.0 |
| CAPE status | Malicious |
| Digital signature | No signer data found in CAPE JSON. |
| Severity | Confidence | Signature | Meaning |
|---|---|---|---|
| 3 | 100% | antivm_display | Attempts to query display device information, possibly to determine if the process is running in a virtualized environment |
| 3 | 100% | suspicious_iocontrol_codes | Uses suspicious IO control codes, indicative of disk enumeration or a bootkit/wiper |
| 3 | 100% | infostealer_cookies | Touches a file containing cookies, possibly for information gathering |
| 3 | 100% | interprocess_comms_shared_memory | Inter-process communication via named shared memory (file mappings), possibly for routing local C2 traffic or injection |
| 2 | 80% | privilege_elevation_check | Queries process token information to check for Administrator privileges or UAC elevation status |
| 2 | 20% | mountpoints_volume_discovery | Queries the mount points and then resolves volume paths to enumerate storage devices |
| 2 | 50% | creates_suspended_process | Creates a process in a suspended state, likely for injection |
| 2 | 100% | resumethread_remote_process | Resumed a thread in another process |
| 2 | 100% | stealth_window | A process created a hidden window |
| 2 | 20% | discover_registry_mount_points | Queries registry mount points to identify historical or connected removable/network drives |
| 1 | 100% | antivm_checks_available_memory | Checks available memory |
| 1 | 100% | queries_keyboard_layout | Queries the keyboard layout |
| 1 | 100% | queries_locale_api | Queries the computer locale (possible geofencing) |
| 1 | 40% | antidebug_setunhandledexceptionfilter | SetUnhandledExceptionFilter detected (possible anti-debug) |
| 1 | 100% | language_check_registry | Checks system language via registry key (possible geofencing) |
| Observed item | Count |
|---|---|
| Executed commands / child processes | 10 |
| File writes | 2 |
| File deletes | 0 |
| Registry writes | 8 |
| Created services | 0 |
| Started services | 1 |
| CAPE payload-like items | 0 |
| CAPE extracted configs | 0 |
| Dropped/related files captured | 0 |
Executed commands / child processes (10):

1. `C:\WINDOWS\system32\OpenWith.exe -Embedding`
2. `C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}`
3. `C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding`
4. `\\?\C:\Windows\System32\SecurityHealthHost.exe {08728914-3F57-4D52-9E31-49DAECA5A80A} -Embedding`
5. `"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca`
6. `C:\Windows\System32\RuntimeBroker.exe -Embedding`
7. `C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding`
8. `"C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca`
9. `wmiadap.exe /F /T /R`
10. `\\?\C:\WINDOWS\system32\wbem\WMIADAP.EXE wmiadap.exe /F /T /R`

File writes (2):

- `\Device\VRegDriver`
- `\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM`

Registry writes (8):

- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass`
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName`
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet`
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect`
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF`
- `HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\WINDOWS\system32\OpenWith.exe.FriendlyAppName`
- `HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\WINDOWS\system32\OpenWith.exe.ApplicationCompany`
- `HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults\data`

None observed.

Started services (1): `edgeupdate`

No CAPE payload-like items were extracted.

None observed.
No network activity recorded in this report.