← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
C2 Widget unsigned, masqueraded Wmiprvse.[exe] * CAPE Sandbox
WHITE msudosos 2026-05-22 Modified: 2026-05-25
128
IOCs
HIGH VOLUME
High-confidence detection of a masqueraded Wmiprvse.exe binary. Despite a 2019 creation timestamp, the file lacks digital signatures and exhibits aggressive (LotL) behaviors including resource hijacking and unauthorized HTTP egress. Domain: Wmiprvse.exe (Masqueraded)Hash (SHA-256): 50994d21e... (Ghost-No Certs / No IP) red flag- lack of digital certificate data. Standard (WMI) binaries are signed by Microsoft. An unsigned version indicates the binary has been modified, hollowed, or replaced. The binary initiates HTTP Comms without resolving to a domain or static IP in the static analysis phase, suggesting it may use (DGA) or hidden (P2P) instructions that only trigger under specific sandbox conditions. 2019- It likely exploits legacy WMI vulnerabilities or utilizes the WMI Event Sub. method to maintain persistence across reboots. Utilizing a 2019, the malware attempts to blend in as an "old, trusted" system file to bypass scanners that prioritize scanning new/recently modified files.
pleasechatcancelemailsorryzendesk chatbacknamechat ratingclickcloseenterprisepremiumlegacyfridayhellomitre attacknetwork infosigmaprogrammid frommemoryoverviewprocesses extraoverview zenboxverdictguest systemnextunicode textutf8 textjavascriptshowstandardstechnologydetailwordpresscveswidget logicinstitutewidget contextrequest forgerywidgetimpactsite requestforgerycsrfcve20267615sliderelementorscriptingmountcve20264341bundlecvecve202620858freeexploitabusedmostvbscriptjscriptwmi trafficremote wmiportdcompowershell
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
Indicators of Compromise (3 / 128 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 IPv4 URL hostname domain CVE
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 64efec9f0dd2955de50c14dacfe76f41 2026-05-22
FileHash-MD5 fe5388b55b7eca33d4988296072cf31b 2026-05-22
FileHash-MD5 6902377f105c6ad254fa36d5d757504a 2026-05-22
References (2)
↗ https://vtbehaviour.commondatastorage.googleapis.com/50994d21e6e536c08192cb8956f81eacfef9f30a0a7a5e0353331260944c074c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779482077&Signature=nJUEiJ6dQ9BpsB0iqcay0woOAG%2Fp%2FZrQWO3F9ECQng4g5IghQMR2UtGHtz69%2BXwm5SmZln9qdlb6k8fO3vZ1i8iYCIYD4to7EkIelW2SmdfX%2FvBT9VAo4l%2B74GtPn32h%2BRAZCfkA%2Fa7jIs%2BL5GfGqOjOyCossQG6h%2FHhJlhOk5%2FEmdR0SPESzQzsQaDNt9eRcjgm4HvCXbbia01tcosvJrvko3cIKinj0xKmSzUI7k ↗ https://vtbehaviour.commondatastorage.googleapis.com/50994d21e6e536c08192cb8956f81eacfef9f30a0a7a5e0353331260944c074c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779482097&Signature=sACP7gBBLJngNhl4IUXtgAiK29nO0W90X4yE9f7kzzAPem3FAhuJfM1VaC4SBLuxW%2FHZBwX1ugrpwkF5q3iP6n9XnEoXtrzlFgd2Y6Q%2FEWrXgE3dKrKOfdT4lLqIJ6Z9gNMupmI84vm5KvS2pvUnuhEc5odbK6Iefl%2Bc8dtZeittEaaKcGiFdYPcEhS%2Fb5Okxu9LLjb%2Fm8u%2BzcrWLWM736OdZwQpDnsmGctSIytTKdxEMUZElJdrtTyd8A