Daily Emotet IoCs and Notes for 05/15/19

Emotet Malware Document links/IOCs for 05/15/19 as of 05/15/19 23:59 EDT

Notes and Credits now at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.


Seen only in attachments



Epoch 1 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-05-15 19:56:00	(Attachment Only - DOC Based - ENG - 365 Blue Box)


Creation Time	2019-05-15 14:20:00	(Attachment Only - DOC Based - ENG - 365 Blue Box)

Creation Time	2019-05-15 06:58:00	(Attachment Only - DOC Based - ENG - 365 Blue Box)

Creation Time	2019-05-14 16:58:00	(Attachment Only - DOC Based - ENG - 365 Blue Box)

SHA256s for Epoch 1 Payload EXEs seen on 05/15/19




Epoch 2 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-05-15 19:18:00	(DOC Based - ENG - 365 Blue Box)

Creation Time	2019-05-15 14:15:00	(DOC Based - ENG - 365 Blue Box)



Creation Time	2019-05-15 07:34:00	(DOC Based - ENG - 365 Blue Box)

Creation Time	2019-05-14 22:43:00	(Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
edd7683434bf4b5dcf6e62052c0d260f9ce2824bcd2e7fc527680dc96cf84fa0


Creation Time	2019-05-14 16:10:00	(Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:

SHA256s for Epoch 2 Payload EXEs seen on 05/15/19




Epoch 1 C2s



Epoch 1 - Spam/Stealer C2s

	
61.92.159.208:8080
104.236.185.25:8080
50.116.63.9:7080

Current Epoch 1 RSA Public Key



MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

Epoch 2 C2s



Epoch 2 - Spam/Stealer C2s


198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080

Current Epoch 2 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
 
NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications. 
Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more 
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen 
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same 
time period. 
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those 
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming is active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Monday of every week, a new set of document download sites, and usually templates to accompany them, are generated early on 
Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys for C2 communications on each Epoch/Botnet change every few months.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell which botnet a sample is from is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this 
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

Community Lists


https://otx.alienvault.com/pulse/5cdc7dcab39d030f86e97ab7/ - @SecSome
https://pastebin.com/tTPYiSHd - @ps66uk


Credits

(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, 
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt 

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey , 
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch, 
@urlscanio, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!

Daily Log 05-14-19


General News: 

Unfortunately, no break for us and both botnets were at it again with low volume spam. Malspam was reported again from many
in the community but I still received nothing today. Other researchers reported receiving a handful to several dozen malspams.
It looks like E1 was still stuck in attachment mode but E2 did a burst of link based malspam. The document template is still
the 365 Blue Box type but the builder changed as of Monday because we are starting to see the randomization of metadata in the 
Author/Comments and other fields. Additionally the new builder seems to use EvilClippy type techniques to block the viewing
or editing of the VBA macros in Word. E.g. Word just crashes. Kirk Sayre - @bigmacjpg broke this news first here:
https://twitter.com/bigmacjpg/status/1128742495591047168

Later the author of EvilClippy (Carrie Roberts - @OrOneEqualsOne) decided to update the project in order to reveal the Emotet
macros by adding the -gg option. This may be a bit of a joke by using GG. GG indeed. :)
https://twitter.com/OrOneEqualsOne/status/1128759076505116672

In other news:

Once again @JayTHL had a nice summary of our data from last night:

https://twitter.com/JayTHL/status/1128516821370441729

Also heard that Poland was getting hit hard with #emotet today but I was not able to confirm the details. 
This was stated here:

https://twitter.com/c0t0d0s2/status/1128632394620313600

REVIEW:
If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
to open .JS files via Notepad.exe. You can follow my instructions here in this Any.Run:
https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
https://twitter.com/JayTHL/status/1126204098670411779

Email Template Report:

The vast majority of malspam today seemed to be low volume attachments on both botnets. I did not receive anything but 
@executemalware and @ps66uk did. Here is what they saw:

https://twitter.com/executemalware/status/1128830368872849408 - 25 with .DOC attachments and 2 with links.
https://twitter.com/ps66uk/status/1128769883729219584 - 5 DOC attachments and 1 link.

Review:
What we know about the threaded templates/reply chain: (changes are marked with *)

- Emails are sourced from once (or still) compromised users all over the world.
*- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018 until at least March 2019. (may be up to present) Also have seen emails going
back as far as June 2018.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
- The injected reply is usually prefaced with the following: 
"Attached is your confidential docs."
"Attached please find the wire transfer form."
"Thank you for your help. Please see the attached."
"Load instructions attached"
"A printer friendly attachment is now included with each email."
"Click on the attachment to open or save the printer friendly version of your report."
- Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- The link is customized for the display text of the link to show the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous. 

Link Regex Report:

Regex directory patterns - Changed one of the regexes for E2 to pick up more common directories that were seen today.

E1
https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/

E2 
https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
*https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/

NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/

These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of what I saw in link malspam. 
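
The E1/E2 patterns above applied to a few URLs, as an added Python example that is not part of the original notes. The sample URLs are constructed on .example hosts, and the names PATTERNS, classify and scan are assumptions of this example; one sample shows the false-positive risk the NOTE mentions.

```python
import re

# Patterns copied verbatim from the Link Regex Report above; only the leading
# "*" change marker on the second E2 pattern is dropped.
PATTERNS = {
    "E1-1": r'https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/',
    "E1-2": r'https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/',
    "E1-3": r'https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/',
    "E2-1": r'https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/',
    "E2-2": r'https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)',
    "E2-3": r'https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/',
}
COMPILED = {name: re.compile(rx) for name, rx in PATTERNS.items()}

# Constructed sample URLs (not real indicators), one per line as a proxy or
# mail-gateway export might list them.
SAMPLES = [
    "http://mail.example/EN_US/Documents/052019/",
    "http://host.example/trusted.EN.signed.docs.com/",
    "http://shop.example/wp-content/LLC/abcd1234efgh_zm2ga7-0892900813279/",
    "http://blog.example/cgi-bin/Scan/QwErTyUiOp/",
    "http://site.example/academy/ab12c-de34f-gh56ijk/",
    "http://blog.example/wp-content/plugins/",        # ordinary WordPress path
    "https://intranet.example/wiki/Security_Policy",  # unrelated internal link
]


def classify(url):
    # Return the label of every pattern that matches this URL. A newline is
    # appended because E2-2 ends in a quote-or-newline group, i.e. it expects
    # the URL to be quoted or to end its line.
    line = url.strip() + "\n"
    return [name for name, rx in COMPILED.items() if rx.search(line)]


def scan(urls):
    # Map each URL with at least one hit to the patterns it matched.
    hits = {}
    for url in urls:
        labels = classify(url)
        if labels:
            hits[url] = labels
    return hits


if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{','.join(classify(url)) or '-':6} {url}")
```

The ordinary `/wp-content/plugins/` path is flagged by E2-2 because `wp-content` is in the directory list and `plugins` is seven alphanumeric characters, so hits from that pattern need a second signal before blocking.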

Payloads Report:

Again stage 2 docs were all being delivered by attachment on E1. E2 seemed to be a mixture of DOC attachments and links. 

Once again the newish hybrid loader appeared on the E2 distro and C2 updates near 1900-2000 UTC. Not sure why they change
at this point. It still is not hash busting and remains the same hash for many hours. E1 is doing all old V1 type loaders.

C2 Report: C2 Combos are slowly falling now on the E2 botnet after reaching a record 95 combos over the weekend.
C2 combos on E1 are slowly increasing. 

C2s DID change for E1 and increased from 69 to 74 combos in total. - recorded above
C2s DID change for E2 and decreased from 90 to 84 combos in total. - recorded above

Closing:

Unfortunately I was fooled again by Ivan thinking that this was a break coming on. The reality may be that Ivan and the Emotet
actors are changing their tactics to move to a lower volume spam operation with more attachment based malspams paired up with
reply chain exfiltrated data. Since the beginning of this month, the spamming patterns have for sure changed and it is not
exactly clear as to why yet. Time will tell if this is just a phase for now or if this is the new norm. 

TT

Sandbox 05/15/19

(all with fakenet and MITM unless spam/secondary infection)


Epoch 1 C2 run on 2019-05-16 at 02:15 UTC - https://cape.contextis.com/analysis/74094/


Epoch 2 C2 run on 2019-05-16 at 02:45 UTC - https://app.any.run/tasks/36c17906-7f37-42e8-ac3c-e2af53cfefc1