PULSE NAME: C2 Widget unsigned, masqueraded Wmiprvse.[exe] * CAPE Sandbox
TLP: WHITE | Author: msudosos | Created: 2026-05-22 | Modified: 2026-05-25
IOCs: 128 (high volume)
High-confidence detection of a masqueraded Wmiprvse.exe binary. Despite a 2019 creation timestamp, the file lacks a digital signature and exhibits aggressive living-off-the-land (LotL) behaviors, including resource hijacking and unauthorized HTTP egress.

Domain: Wmiprvse.exe (Masqueraded)
Hash (SHA-256): 50994d21e... (Ghost: no certificates, no IP)

Red flag: lack of digital certificate data. Standard WMI binaries are signed by Microsoft; an unsigned version indicates the binary has been modified, hollowed, or replaced.

The binary initiates HTTP communications without resolving to a domain or static IP during the static analysis phase, suggesting it may use a domain generation algorithm (DGA) or hidden peer-to-peer (P2P) instructions that only trigger under specific sandbox conditions.

2019 timestamp: it likely exploits legacy WMI vulnerabilities or uses the WMI Event Subscription method to maintain persistence across reboots. By carrying a 2019 timestamp, the malware attempts to blend in as an "old, trusted" system file to bypass scanners that prioritize scanning new or recently modified files.
Indicators of Compromise (5 / 128 total)
TYPE             INDICATOR                                                          DESCRIPTION  CREATED
FileHash-SHA256  50994d21e6e536c08192cb8956f81eacfef9f30a0a7a5e0353331260944c074c  -            2026-05-22
FileHash-SHA256  cd9fc3429bc9a7fcadc4d97ce775e18a17a0590d47fbeda5de0d04e22a4416f3  -            2026-05-22
FileHash-SHA256  ced895017b55c90686add184a27777227a3440269c732511cf3a8bf10662204c  -            2026-05-22
FileHash-SHA256  df0e80c49d17e002c74f046c6d5633cc34803119d0a482660da39c89ec540b2e  -            2026-05-22
FileHash-SHA256  f0af51d32b6fbd6f6800c0d5298f1c0f2536c922af29c5eeecf66aa73bb8e930  -            2026-05-22