C2 Widget unsigned, masqueraded Wmiprvse.[exe] * CAPE Sandbox
WHITE | msudosos | 2026-05-22 | Modified: 2026-05-25 | 128 IOCs | HIGH VOLUME
High-confidence detection of a masqueraded Wmiprvse.exe binary. Despite a 2019 creation timestamp, the file lacks digital signatures and exhibits aggressive living-off-the-land (LotL) behaviors, including resource hijacking and unauthorized HTTP egress.

Domain: Wmiprvse.exe (Masqueraded)
Hash (SHA-256): 50994d21e...

Ghost (No Certs / No IP): The red flag is the lack of digital certificate data. Standard WMI binaries are signed by Microsoft; an unsigned version indicates the binary has been modified, hollowed, or replaced. The binary initiates HTTP communications without resolving to a domain or static IP in the static analysis phase, suggesting it may use a domain generation algorithm (DGA) or hidden peer-to-peer (P2P) instructions that only trigger under specific sandbox conditions.

2019 timestamp: It likely exploits legacy WMI vulnerabilities or uses the WMI Event Subscription method to maintain persistence across reboots. By carrying a 2019 timestamp, the malware attempts to blend in as an "old, trusted" system file to bypass scanners that prioritize new or recently modified files.
Indicators of Compromise (128)