← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
C2 Widget unsigned, masqueraded Wmiprvse.[exe] * CAPE Sandbox
WHITE msudosos 2026-05-22 Modified: 2026-05-25
128
IOCs
HIGH VOLUME
High-confidence detection of a masqueraded Wmiprvse.exe binary. Despite a 2019 creation timestamp, the file lacks digital signatures and exhibits aggressive (LotL) behaviors including resource hijacking and unauthorized HTTP egress. Domain: Wmiprvse.exe (Masqueraded)Hash (SHA-256): 50994d21e... (Ghost-No Certs / No IP) red flag- lack of digital certificate data. Standard (WMI) binaries are signed by Microsoft. An unsigned version indicates the binary has been modified, hollowed, or replaced. The binary initiates HTTP Comms without resolving to a domain or static IP in the static analysis phase, suggesting it may use (DGA) or hidden (P2P) instructions that only trigger under specific sandbox conditions. 2019- It likely exploits legacy WMI vulnerabilities or utilizes the WMI Event Sub. method to maintain persistence across reboots. Utilizing a 2019, the malware attempts to blend in as an "old, trusted" system file to bypass scanners that prioritize scanning new/recently modified files.
pleasechatcancelemailsorryzendesk chatbacknamechat ratingclickcloseenterprisepremiumlegacyfridayhellomitre attacknetwork infosigmaprogrammid frommemoryoverviewprocesses extraoverview zenboxverdictguest systemnextunicode textutf8 textjavascriptshowstandardstechnologydetailwordpresscveswidget logicinstitutewidget contextrequest forgerywidgetimpactsite requestforgerycsrfcve20267615sliderelementorscriptingmountcve20264341bundlecvecve202620858freeexploitabusedmostvbscriptjscriptwmi trafficremote wmiportdcompowershell
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
Indicators of Compromise (2 / 128 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 IPv4 URL hostname domain CVE
TYPEINDICATORDESCRIPTIONCREATED
FileHash-SHA1 25a30d3b9014bda2933eb16986ff012634673fef 2026-05-22
FileHash-SHA1 9a44ff2f2e2b727eba16dc31e4fc4936429cecc7 2026-05-22
References (2)
↗ https://vtbehaviour.commondatastorage.googleapis.com/50994d21e6e536c08192cb8956f81eacfef9f30a0a7a5e0353331260944c074c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779482077&Signature=nJUEiJ6dQ9BpsB0iqcay0woOAG%2Fp%2FZrQWO3F9ECQng4g5IghQMR2UtGHtz69%2BXwm5SmZln9qdlb6k8fO3vZ1i8iYCIYD4to7EkIelW2SmdfX%2FvBT9VAo4l%2B74GtPn32h%2BRAZCfkA%2Fa7jIs%2BL5GfGqOjOyCossQG6h%2FHhJlhOk5%2FEmdR0SPESzQzsQaDNt9eRcjgm4HvCXbbia01tcosvJrvko3cIKinj0xKmSzUI7k ↗ https://vtbehaviour.commondatastorage.googleapis.com/50994d21e6e536c08192cb8956f81eacfef9f30a0a7a5e0353331260944c074c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779482097&Signature=sACP7gBBLJngNhl4IUXtgAiK29nO0W90X4yE9f7kzzAPem3FAhuJfM1VaC4SBLuxW%2FHZBwX1ugrpwkF5q3iP6n9XnEoXtrzlFgd2Y6Q%2FEWrXgE3dKrKOfdT4lLqIJ6Z9gNMupmI84vm5KvS2pvUnuhEc5odbK6Iefl%2Bc8dtZeittEaaKcGiFdYPcEhS%2Fb5Okxu9LLjb%2Fm8u%2BzcrWLWM736OdZwQpDnsmGctSIytTKdxEMUZElJdrtTyd8A