jroosen

Emotet Malware IoCs 2019/04/23

Apr 23rd, 2019
## Emotet Malware Document links/IOCs for 04/23/19 as of 04/23/19 23:59 EDT ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.

#### Epoch 1 Document/Downloader links seen for 04/23/19 ####
#### Epoch 2 Document/Downloader links seen for 04/23/19 ####
```
  525. http://readyloans.net/wp-includes/yhzw7-9zxjcd-isidh/
  526. http://realistickeportrety.sk/wp-admin/js/Scan/Jdbumi446LMI/
  527. http://redklee.com.ar/css/DOC/l7gkcASOO/
  528. http://revolum.hu/templates/FILE/Rb2rHQM1yUg/
  529. http://rezontrend.hu/mail/Document/LNC16To5t/
  530. http://riserock.com/LLC/V77pUDtxPUI/
  531. http://riverrosephoto.com/exmgmu6/DOC/4QSx4t9z/
  532. http://robbiebyrd.com/backup/Document/1zF99ySJ5Y/
  533. http://roidercontreras.com/wp-snapshots/FILE/9GaQ0ubdT/
  534. http://roxhospedagem.com.br/chatonline2/LLC/PC8VVubJCC/
  535. http://rsq-trade.sk/wpimages/ehf7k-x7u4lg1-topde/
  536. http://rusticwood.ro/ww4w/FILE/IRIAFuBVc/
  537. http://ryangetz.net/cgi-bin/Scan/HAgbQepiHBt/
  538. http://samgyang.com/wp-content/INC/5DYll2IYq1/
  539. http://sanabeltours.com/wp-content/rmfq-dkmvqm-wnimqyq/
  540. http://sanduskybayinspections.com/logon/INC/ds37LVLopa/
  541. http://sangpipe.com/inquiry/Document/wFPwa81gkzXF/
  542. http://santoconselho.com.br/logssite/Scan/l2iEmUkT/
  543. http://sarli.com.br/wp-includes/INC/fZhC0YZxIByh/
  544. http://scampoligolosi.it/wp-admin/FILE/GEAqfvAdLD/
  545. http://servidj.com/cgi-bin/LLC/r70sL2iNgYeD/
  546. http://sevensites.es/D1J/Document/fnYAdd2PhnzM/
  547. http://shangdaointernational.com/1oqaq31/3wmt3b-1bwrbav-kqgftmc/
  548. http://shapeshifters.net.nz/files/DOC/SUvyvdi6zql/
  549. http://sharifulislam.co/n1t6crj/FILE/2LfXOhWKD/
  550. http://shastri.com/GOOGLEB960D79703C80265/INC/p4kJj6m02T/
  551. http://shopbikevault.com/wp-includes/2r00l-63ys24-wfsptg/
  552. http://shopmeet.com/fk/Scan/h2c7vDrHw/
  553. http://simhafusion.com/qu6yfhx/0e19-mms72l-vwsvub/
  554. http://simlun.com.ar/css/INC/fuFtae3Kc/
  555. http://sintraba.com.br/wp-content/Document/ZMk8QjtRzS/
  556. http://sixthrealm.com/dee/INC/JYWI8Hat/
  557. http://sjhoops.com/FILE/fmN3y4tiVM6/
  558. http://skyggehale.dk/includes/LLC/C4k0bzCoMC/
  559. http://skygui.com/wp-admin/Scan/g8b4oPzXCb/
  560. http://smapp.ir/mail/rl1jh-1qej91-spmd/
  561. http://smbdecors.com/wp-admin/oy0342-1qjwhjo-ldaaz/
  562. http://sonargaonhs.edu.bd/cgi-bin/INC/f8E8Sw7T62/
  563. http://spaziooral.com.br/wp-admin/Document/slDvXhuIbIXc/
  564. http://stateunico.com/wp-content/vs7ghh-jgtpo-umypn/
  565. http://stay-night.org/framework/images/uploads/Document/qpmEvPLuRQHN/
  566. http://stephanielasica.com/wp-admin/ix3sn-pzbpg-hvtnql/
  567. http://studioduofisio.com.br/wp-content/INC/6BFHVElMuvqo/
  568. http://sublimart.ge/cgi-bin/714zh-9qoot9w-bnafh/
  569. http://symbiflo.com/PJ2015/Document/HZ2VFp6Ih/
  570. http://taskforce1.net/wp-admin/mhsn1z-ytvzr6-ctzjj/
  571. http://t-comp.sk/qmECW-FkeQnzxaezI5E1_jbhgzFwa-c1w/DOC/ChsTUlBBi7/
  572. http://techshahin.info/wp-content/DOC/BDFNt7nQwU/
  573. http://tekalu.pt/0xjvnok/afpii-mtjwg-ouzlt/
  574. http://testfixit.tk/6tg72hd/LLC/Ah0NsSCQ/
  575. http://theconnectionsindia.com/wordpress/d8qa6as-0mdt60-cdlauyt/
  576. http://thefintech.com.au/wp-admin/t4db-f2fdx0-zmewqpy/
  577. http://thuyluckhinen.com.vn/er3j0ev/DOC/TMF4t0whh4eX/
  578. http://tinyfab.in/wp-includes/Scan/yJyeEnHAeM/
  579. http://toclound.com/kdbl/7d324-x9izdf5-uqoxyju/
  580. http://todaylink.tk/wp-content/fm66zwg-jrk7e-cmjx/
  581. http://toyotamiennam.vn/wp-admin/wa8yxu-piz3t6h-orglzav/
  582. http://tradereport.cl/lmae/j72i-5o52n-rqucl/
  583. http://trainghiemsong.com/ujbllmy/pc8d88s-bnx6rs-nigkzt/
  584. http://trangtriquancafe.com/wp-includes/hwsvnd6-4xunnn-ofnn/
  585. http://tricktotrip.com/wp-includes/nflr0-c5eyxrz-uuwy/
  586. http://trident-design.net/agcrm/Document/hk54nKkIqVNn/
  587. http://tristanrineer.com/sec.accs.docs.biz/Scan/8dsyHnkn/
  588. http://tubbzmix.com/07u6/mnhg-8vstvzz-sosvf/
  589. http://tunnelpros.com/wp-admin/i8puze2-mk0kn-mxld/
  590. http://uztea.uz/wp-admin/INC/ZUsLKPD9bLF/
  591. http://vallabh.zecast.com/wp-content/uploads/q836-91g7of-qkvh/
  592. http://valoomanus.com/q7rjcoh/2ysqt-jpmb9-ojpsvfu/
  593. http://vanspronsen.com/test/INC/68KEIgnbiqzo/
  594. http://vertuar.com/Logo/INC/Fn48NBB4LC/
  595. http://veseco.pt/wp-admin/LLC/oEoHMrTYVx6g/
  596. http://villamontesdr.com/daua/xjpd3s-v179bg-qfjp/
  597. http://vinagyp.com/security/bxzb-yjrxu-osnv/
  598. http://vivationdesign.com/files/FILE/YmDMJ2PDliJc/
  599. http://watelet.be/wp-includes/FILE/mhNzetvTus/
  600. http://weblebiz.com/wp-content/mgvqv-dhvn0r-zpxiso/
  601. http://whistledownfarm.com/dev/DOC/Escq81d9jF/
  602. http://wladdes.com/wp-includes/Document/guOUQrtGj/
  603. http://wordpress.demo189.trust.vn/wp-content/uploads/FILE/YdcLqbS7/
  604. http://wpdemo.sleeplesshacker.com/wp-includes/Document/XrgbvGGI8FvC/
  605. http://www.aktifsporaletleri.com/assess/Scan/l7vlHX0jdDGH/
  606. http://www.bnc24.in/ynibgkd65jf/Document/hn9sojMa89au/
  607. http://www.bouwinzigd.nl/wp-admin/Document/8uRTXXih/
  608. http://www.completedementiacare.com.au/wp-admin/kk3nxjl-id2whjq-gfct/
  609. http://www.edelhof.cc/wp-admin/j0dxs-mciyu-cphdoqv/
  610. http://www.elevationshairboutique.com/7synaav/Scan/ooDB4Y9ehupq/
  611. http://www.farvest.com/form/64j43yc-mhsyl9-cybpeg/
  612. http://www.fuerthkaffee.at/wp-includes/Document/5q8RMMMTZiZr/
  613. http://www.jubileesvirginhair.com/wp-content/DOC/EA1LXd0x/
  614. http://www.kvsc.com.my/rtrtgtm/blc8-4345am9-jehirg/
  615. http://www.lafoulee.com/calendar/ai9tx-pyen5zi-tdmaf/
  616. http://www.lecombava.com/wp-content/FILE/PRs3CWUiT/
  617. http://www.lotushairandbeauty.com/op0bkpn/INC/8z6iSqqKp/
  618. http://www.maestraleyacht.com/wp-content/o97v-6rl7ent-sayen/
  619. http://www.megawindbrasil.com.br/css/FILE/9Sos3l8TxxQ/
  620. http://www.mhkqyj.com/wp-includes/Document/KZ1AxOyfyIj0/
  621. http://www.scilijas.com.ba/componentsasd/FILE/K9jWXtx51ty2/
  622. http://www.smc.ps/ar/Scan/ibEMEaYxaRDJ/
  623. http://www.sz-lansing.com/wp-includes/Scan/gQ4yUHQu1UeU/
  624. http://www.versatilehairshop.com/m8gzo1y/vgrhvk6-ik615-gohar/
  625. http://xn--h1adcfjmfy1g.xn--p1ai/wp-includes/utnpww5-j03d0-zihtpic/
  626. http://yellow-fellow.pl/wp-admin/DOC/0xN36TKC/
  627. http://ymca.monkeynbiz.com/wp-admin/fp36bur-adu1nar-euqzhe/
  628. http://yoyoplease.com/ebay/FILE/8NUrTGbHy/
  629. http://yuyinshejiao.com/wp-admin/DOC/dy4FSEaOTP/
  630. https://aabbcc.gq/wp-content/INC/BX7oj8ttIDc/
  631. https://aktusglobal.com/member/rfu02-cets80f-oqsun/
  632. https://amoyal-law.co.il/wp-content/INC/dUgjhWJ5HG/
  633. https://anoopkarumanchi.com/cgi-bin/Scan/VRkG1DhTglYp/
  634. https://apsblogs.com/wp-includes/2r09i5-4iapze3-qrbdwk/
  635. https://asis.co.th/cisco-sg300/FILE/i0zEB0n1NQpL/
  636. https://business-insight.aptoilab.com/wp-content/Document/TiWwwrh0e0m/
  637. https://chlorella.by/cgi-bin/FILE/P5NZpZ1tu/
  638. https://christianconcepcion.com/wp-includes/DOC/lMgXLyEcGinH/
  639. https://cosmeliti.com/wp-admin/LLC/a4aWaRWqMft/
  640. https://criminalisticaycriminologia.com/wp-includes/zvwz8-qrvwc-mgnnza/
  641. https://dadgummarketing.com/error/opek3xg-t8xt7-ezakezb/
  642. https://disnak.sukabumikab.go.id/wp-includes/LLC/mjI8TozRco/
  643. https://dziennikwiadomosci.pl/wp-content/u4qwj-888xdu-jxlqybv/
  644. https://escuro.com.br/ckeditor/FILE/Rfw3oKtI/
  645. https://fanzi.vn/wp-includes/dhrb-zx009-teqy/
  646. https://fishingbigstore.com/addons/FILE/aq73bdkf5o/
  647. https://geladinhogourmetoficial.com.br/wp-includes/DOC/1FeiuO8n/
  648. https://kxmgf.cn/emp5/7nb7a-zjb02f1-ylft/
  649. https://lcced.com.ve/images/FILE/RQmoqv2qet/
  650. https://mundosteel.com.br/resposta_clientes_mundo_steel/9w7h-pv0dh1-kimesg/
  651. https://musicianabrsm.com/8uhpkl5/g7qsw-euwgq1-yrmgicf/
  652. https://nhadatphonglinh.com/wp-admin/dm3u1-v4y93ut-eksz/
  653. https://privacydesignstudio.com/wp-content/Scan/OL7da4MV/
  654. https://psicopedagogia.com/glosario/INC/MJJ6pQ3VfQ/
  655. https://rtarplee.stackpathsupport.com/wp-admin/qo36ehj-bjgt61-gccdsnh/
  656. https://sillium.de/Scan/fQOWzePg/
  657. https://swbproject.com/wp-admin/x8ofi-acrpkjo-vfucsy/
  658. https://thingstodoinjogja.asia/wp-includes/Scan/lSKrx7e7kq/
  659. https://tradereport.cl/lmae/j72i-5o52n-rqucl/
  660. https://wangwenli.cc/wp-includes/LLC/xjUxkowAm/
  661. https://wordpress.carelesscloud.com/wp-includes/Scan/SjNzNCJocgR4/
  662. https://www.bitsmash.ovh/wp-includes/LLC/9k83vg0gslt/
  663. https://www.completedementiacare.com.au/wp-admin/kk3nxjl-id2whjq-gfct/
  664. https://www.diezauberin.xyz/3zyf/FILE/TIbeLuj295K/
  665. https://www.eigenheim4life.de/s/p89km6e-q1l97-beryri/
  666. https://www.elevationshairboutique.com/7synaav/Scan/ooDB4Y9ehupq/
  667. https://www.guy007.com/wp-content/d3zewz2-xac9bb-hjni/
  668. https://www.hrportal.co.il/wp-admin/ijtu9x-fwub6-rvbt/
  669. https://www.jubileesvirginhair.com/wp-content/DOC/EA1LXd0x/
  670. https://www.lotushairandbeauty.com/op0bkpn/INC/8z6iSqqKp/
  671. https://www.versatilehairshop.com/m8gzo1y/vgrhvk6-ik615-gohar/
  672. https://xn--80aao0acd1ak7id.xn--p1ai/wp-content/themes/creattica/ibe0949-aoibin-eziw/
  673.  
  674. ```
  675. #### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
  676. ```
  677.  
  678. Creation Time 2019-04-23 16:25 (JS Based - Fake Error)
  687.  
  688. Creation Time 2019-04-23 15:59:00 (DOC Based - ENG - 365 Blue Box)
  703.  
  704. Creation Time 2019-04-23 13:04:00 (DOC Based - ENG - 365 Blue Box)
  730.  
  731. Creation Time 2019-04-23 06:36:00 (DOC Based - ENG - Off-Center - Light Blue White)
  777.  
  778. Creation Time 2019-04-22 19:25 (JS Based - Fake Error)
  787.  
  788. ```
  789. #### SHA256s for Epoch 1 Payload EXEs seen on 04/23/19 ####
  790. ```
  791.  
  808.  
  809. ```
  810. #### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
  811. ```
  812.  
  813. Creation Time 2019-04-23 21:05 (From ZIP - JS Based - Fake Error)
  822.  
  823. Creation Time 2019-04-23 18:35 (From ZIP - JS Based - Fake Error)
  832.  
  833. Creation Time 2019-04-23 15:50 (From ZIP - JS Based - Fake Error)
  842.  
  843. Creation Time 2019-04-23 12:52:00 (DOC Based - ENG - 365 Blue Box)
  868.  
  869. Creation Time 2019-04-23 08:33:00 (DOC Based - ENG - 365 Blue Box)
  902.  
  903. Creation Time 2019-04-22 23:20 (From ZIP - JS Based - Fake Error)
  912.  
  913. ```
  914. #### SHA256s for Epoch 2 Payload EXEs seen on 04/23/19 ####
  915. ```
  916.  
  986.  
  987. ```
  988. #### Epoch 1 C2s ####
  989. ```
  990.  
  1048.  
  1049. ```
  1050. #### Epoch 1 - Spam/Stealer C2s ####
  1051. ```
  1052.  
  1053. 31.172.86.183:8080
  1054. 104.236.185.25:8080
  1055. 50.116.63.9:7080
  1056.  
  1057. ```
  1058. #### Current Epoch 1 RSA Public Key ####
  1059. ```
  1060.  
  1061. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
  1062.  
  1063. ```
  1064. #### Epoch 2 C2s ####
  1065. ```
  1066.  
  1134.  
  1135. ```
  1136. #### Epoch 2 - Spam/Stealer C2s ####
  1137. ```
  1138.  
  1139. 198.58.114.91:4143
  1140. 213.136.86.219:7080
  1141. 91.205.215.10:7080
  1142.  
  1143. ```
  1144. #### Current Epoch 2 RSA Public Key ####
  1145. ```
  1146.  
  1147. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
  1148.  
  1149. ```
  1150. #### Credits and Notes Section ####
  1151. ```
  1152.  
  1153. WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
  1154. is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
  1155. https://pastebin.com/u/jroosen
  1156.  
  1157. NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
  1158. I am providing them for your benefit in case you want to parse them to be sure.
  1159.  
  1160. ```
  1161. #### What is Epoch 1 and Epoch 2? ####
  1162. ```
  1163.  
  1164. What is Epoch 1 and Epoch 2? (updated 03/07/2019)
  1165.  
  1166. I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
  1167. payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
  1168. Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more
  1169. rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
  1170. This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
  1171. to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
  1172. time period.
  1173. Here are some observations I have noted since I have been watching these botnets:
  1174.  
  1175. - Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
  1176. Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have different document creation times and payload quintets than those
  1177. being delivered in maldocs on Epoch 2 at any one time.
  1178. - Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
  1179. - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
  1180. - On Mondays of every week a new set of document download sites and usually templates to accompany them are generated early on
  1181. Monday morning/Sunday night.
  1182. - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
  1183. Epoch 2 may have a document hosted on host.tld/B.
  1184. - The RSA keys will change every few months or so for C2 communications on each Epoch/Botnet.
  1185. - Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
  1186. *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
  1187. - Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
  1188. - C2s are never shared between Epochs/Botnets.
  1189. - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
  1190. via C2 to stay ahead of AV defs.
  1191. - Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
  1192. - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
  1193. - The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
  1194. easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
  1195. - Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
  1196. spam template, word template, document type and even payload.
  1197.  
  1198. If I think of anything else to add or if anyone else has any suggestions, I will add them here.
  1199.  
  1200. ```
  1201. #### Community Lists ####
  1202. ```
  1203.  
  1204. https://pastebin.com/3vv5zZ0e - @ps66uk
  1205. https://otx.alienvault.com/pulse/5cbf738701c33d2844eea31a/ - @SecSome
  1206. https://pastebin.com/LMGJAK10 - @pollo290987
  1207.  
  1208.  
  1209. ```
  1210. #### Credits ####
  1211. ```
  1212. (OC from @JRoosen and/or combination work of the following)
  1213.  
  1214. Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
  1215. @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
  1216. @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
  1217.  
  1218. C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
  1219. @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial
  1220.  
  1221. Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
  1222. @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
  1223. @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman
  1224.  
  1225. Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
  1226.  
  1227. Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
  1228. helping out with this!
  1229.  
  1230. Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
  1231. @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
  1232. @urlscanio and @Virustotal for providing services/software at no charge to this cause!
  1233.  
  1234. ```
  1235. #### Daily Log 04-23-19 ####
  1236. ```
  1237.  
  1238. General News:
  1239.  
  1240. I got a fair bit of link malspam from both botnets today. Mostly E1 but some E2 early. The Emotet guys seem to be working on the
  1241. loader code quite a bit lately and keep changing things up. Sounds like someone doesn't like all the poking around lately and notes
  1242. being published. We expect more major changes soon. Still a lot of weirdness with E1 and E2 Distro/C2 binary updates.
  1243.  
  1244. In other news:
  1245.  
  1246. @Luca_nagy caught the latest Emotet EXEs using the Heaven's Gate technique to switch 32 to 64 bit and avoid some debugging. :)
  1247. https://twitter.com/luca_nagy_/status/1120634450201722880
  1248.  
  1249. Explanation of this here:
  1250. http://www.alex-ionescu.com/?p=300
  1251.  
  1252. Email Template Report:
  1253.  
  1254. I received 42 in total and the majority of it was E1. I did see a burst of German based malspam in the early morning around 07:00UTC
  1255. from E2 and then sporadic English E1 until 21:00UTC. I then got 3 dozen E1 link based malspam in a burst until 01:00UTC.
  1256. None of it was reply chain based and it was the same templates I have been showing lately for billing and invoices etc.
  1257.  
  1258. Review:
  1259. What we know about the threaded templates:(changes are marked with *)
  1260.  
  1261. - Emails are sourced from once (or still) compromised users all over the world.
  1262. - Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
  1263. to the compromised party on or before Nov 2018 until at least January 2019. (may be up to present) Also have seen emails going
  1264. back as far as June 2018.
  1265. - Now on E1 and E2.
  1266. - Now seeing German based templates that are essentially the same thing but in German.
  1267. *- The injected reply is usually prefaced with the following:
  1268. "Attached is your confidential docs."
  1269. "Attached please find the wire transfer form."
  1270. *"Thank you for your help. Please see the attached."
  1271. - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
  1272. - Attachments seem to be in the filename format of *_April_DD_YYYY.doc/js so far.
  1273. - The link is customized for the display text of the link to show the real domain of the spoofed organization.
  1274. - These templates are pretty limited in run and not very numerous.
  1275.  
  1276. Link Regex Report:
  1277.  
  1278. Regex directory patterns - The following patterns were seen active today:
  1279.  
  1280. E1
  1281. \/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-49\-]){6,7}\/
  1282. https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
  1283.  
  1284. E2
  1285. https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
  1286. https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{8,12})\/
  1287.  
  1288. Payloads Report:
  1289.  
  1290. E1 had 4 quintets today. E1 was doing DOCs all day and then switched to 15:59 for a new creation time and then quickly moved to
  1291. direct JS downloads where it has been all night.
  1292. Entirely link based stage 2 downloads seen.
  1293.  
  1294. E1 binaries are updating in distro and C2 today. However, distro E1 slowed hash busting to a rate of 1 per 6-8 hours as of
  1295. approximately 08:15UTC this morning. The new EXE showing up in distro is very different than what is showing up in C2. It is
  1296. small at 78KB and contains some odd behavior. It is currently the only type on E1 Distro.
  1297. C2 is updating every 2 hours.
  1298.  
  1299. E2 had 5 quintets today which is a higher than normal count. As it has lately, E2 started the morning as documents but then moved to
  1300. hash busted ZIP/JS files after around 15:45UTC. It is currently still doing hash busted ZIP/JS files.
  1301. Entirely link based stage 2 downloads seen.
  1302.  
  1303. E2 binaries were updating and hash busting at a pace of 5-10 minutes until about 08:30 UTC this morning. From that point forward
  1304. it has been following the 6-8 hour update pattern with the small 78KB type binary in distro. C2s are still "normal" and
  1305. updating every 2 hours.
  1306.  
  1307. C2 Report:
  1308.  
  1309. C2s DID change for E1 and increased from 54 to 57 combos in total. - recorded above
  1310. C2s DID change for E2 and increased from 65 to 67 combos in total. - recorded above
  1311.  
  1312. Closing:
  1313.  
  1314. Ivan and the Emotet gang are showing themselves to be resourceful as of late. It seems like some major time is being spent on the
  1315. binary loader development and there are likely major changes coming ahead. Be prepared. TT
  1316.  
  1317. ```
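The four directory patterns from the Link Regex Report above can be run directly over proxy or mail-gateway logs. The following is an added example, not part of the original paste: the pattern labels, the log layout and the `.example` URLs are constructed for illustration, while the regexes themselves are copied verbatim from the report. The fifth sample line shows that the first E2 pattern also matches an ordinary hyphenated blog path, so its hits need corroboration before blocking.

```python
import re

# Patterns copied verbatim from the Link Regex Report (04/23/19); the labels are
# names chosen for this example and do not come from the paste.
PATTERNS = {
    "E1-keyword-date": r"\/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-49\-]){6,7}\/",
    "E1-token": r"https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/",
    "E2-triple-token": r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/",
    "E2-doc-keyword": r"https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{8,12})\/",
}
COMPILED = {label: re.compile(rx) for label, rx in PATTERNS.items()}

# Constructed proxy-log lines (timestamp, client, method, URL); hosts use the
# reserved .example TLD and the paths only imitate the shapes the patterns describe.
SAMPLE_LOG = """\
2019-04-23T07:02:11Z 10.0.0.21 GET http://site.example/wp-admin/service/Nachprufung/2019-04/
2019-04-23T09:40:03Z 10.0.0.34 GET http://site.example/wp-includes/AbCd-0123456789abcdE_QrStUvWx-z9/
2019-04-23T15:51:47Z 10.0.0.21 GET https://site.example/ab12c-d34ef5-gh678/
2019-04-23T16:05:30Z 10.0.0.58 GET http://site.example/wp-content/DOC/a1B2c3D4e5/
2019-04-23T16:20:00Z 10.0.0.77 GET https://news.example/blog/spring-update-2019/
2019-04-23T16:21:09Z 10.0.0.77 GET https://news.example/about/contact.html
"""

def classify(url):
    """Return the labels of every pattern that matches the URL."""
    return [label for label, rx in COMPILED.items() if rx.search(url)]

def scan(log_text):
    """Yield (client, url, labels) for each log line with at least one hit."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of guessing at fields
        _, client, _, url = fields
        labels = classify(url)
        if labels:
            yield client, url, labels

if __name__ == "__main__":
    for client, url, labels in scan(SAMPLE_LOG):
        print(client, ",".join(labels), url)
```
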
  1318. #### Sandbox 04/23/19 ####
  1319. (all with fakenet and MITM unless spam/secondary infection)
  1320. ```
  1321.  
  1322. Epoch 1 C2 run on 2019-04-24 at 00:15 UTC - https://cape.contextis.com/analysis/68810/
  1323.  
  1324. ```
  1325.  
  1326. ```
  1327.  
  1328. Epoch 2 C2 run on 2019-04-24 at 02:30 UTC - https://cape.contextis.com/analysis/68928/
  1329.  
  1330. ```