C2 Widget unsigned, masqueraded Wmiprvse.[exe] * CAPE Sandbox
TLP: WHITE | Author: msudosos | Created: 2026-05-22 | Modified: 2026-05-25 | 128 IOCs
High-confidence detection of a masqueraded Wmiprvse.exe binary. Despite a 2019 creation timestamp, the file lacks a digital signature and exhibits aggressive living-off-the-land (LotL) behaviors, including resource hijacking and unauthorized HTTP egress.

Domain: Wmiprvse.exe (masqueraded)
Hash (SHA-256): 50994d21e...

Ghost (no certificates / no IP): the red flag is the lack of digital certificate data. Standard WMI binaries are signed by Microsoft; an unsigned version indicates the binary has been modified, hollowed, or replaced. The binary initiates HTTP communications without resolving to a domain or static IP during the static analysis phase, suggesting it may use a domain generation algorithm (DGA) or hidden peer-to-peer (P2P) instructions that only trigger under specific sandbox conditions.

2019 timestamp: it likely exploits legacy WMI vulnerabilities or uses the WMI event subscription method to maintain persistence across reboots. By carrying a 2019 timestamp, the malware attempts to blend in as an "old, trusted" system file to bypass scanners that prioritize scanning new or recently modified files.
Indicators of Compromise (30 / 128 total)