ps66uk

#Emotet Malware IoCs 2019/05/29

May 29th, 2019
## Emotet Malware Document links/IOCs for 05/29/19 as of 05/30/19 01:00 BST ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.

#### Epoch 1 Document/Downloader links seen for 05/29/19 ####
```
<none>
```
#### Epoch 2 Document/Downloader links seen for 05/29/19 ####
```
  476. https://slysoft.biz/wordpress/LLC/5rlgd35790sg9o_zxv9qcua-709958061/
  477. https://smbdecors.com/u749472959.20190419185421/5da4axu-tn1tcbc-ndrds/
  478. https://sonnhatotdep.vn/wp-admin/3rjo15c5ga7frtejwoczhes0pyvpj_uxrxoht-3907344799/
  479. https://stromtia.com/wp-content/uploads/2019/05/LLC/wxPtIlEfeM/
  480. https://sukhumvithomes.com/sathorncondos.com/uk5cevaat66de9h4itfmf6vc_tgfuq9e-569515944/
  481. https://symphosius.de/files/sites/DpteRHASECKSxJJLzZrsQLELaT/
  482. https://themeatemporium.com.au/wp-content/uvarhmvsf1c3cuzme7o0w9s99cm_7dxxr0vk-287036250048/
  483. https://tischlereigrund.de/cgi-bin/DOC/hjhh4vqnlgf1bp_y3a4z-779938398181/
  484. https://transparts.com.au/wp-admin/zar69ggal5qo8q2bycx4_358at7nc-6580311888206/
  485. https://trunganh369.com/wp-admin/parts_service/sgLeIxKgFOMqqAZApaTdWtd/
  486. https://tvbgm.com/z9iy/SKCMWsxAXJaavyRCuuRVJW/
  487. https://vestelvrf.com/wp-includes/s2bb2th-sc4lim9-vlcjwra/
  488. https://walkinaluuki.pl/beta/lm/e6znhq7eq0g1nt9f14gb765h_1898qpfmur-23901545806/
  489. https://www.analyze-it.co.za/cgi-bin/sites/dMwtevzsZt/
  490. https://www.mtmby.com/wp-includes/esp/IUkUYpyDmJvhLPTvCdqMgNGmQ/
  491. https://www.twowheelhimalaya.com/wp-admin/parts_service/plen5yznydfl19w8rcpuq_k6ugfn-573589047/
  492. https://www.vw-projects.com/tp51/download/cbeb20d2ffc1199e/YVFBhLrTUtDIVZAiZ396Py14lFA_OauHN0Vn1K5OTqCbOdqV5xOmAkEXlTi-CwGpsL4/Rg_JKBNS-092-D0624.doc/
  493. https://www.vw-projects.com/tp51/ex/omyNkxZo3kPCetsfK1WWa5juerLNyV-v/XD.cvQnekgvJV24w/Rg_JKBNS-092-D0624.doc/
  494. https://xn--mgbaam5axqmf2i.com/wp-includes/Pages/upfrwigv_rsle5r-3024049911068/
  495. https://ydapp.io/wp-content/FILE/xkXojWkDKLhGlmWyjZCxkUG/
  496. https://yinmingkai.com/wp-includes/sites/GPwktFwVQvMx/
  497.  
  498.  
```
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019:05:29 19:12:00 (Attachment Only - DOC Based - ENG - 365 Blue Background)
Creation Time 2019:05:29 12:22:00 (Attachment Only - DOC Based - ENG - 365 Blue Background)
Creation Time 2019:05:29 06:45:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
```
#### SHA256s for Epoch 1 Payload EXEs seen on 05/29/19 ####
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019:05:29 21:25:00 (DOC Based - ENG - 365 Blue Box)
Creation Time 2019:05:29 18:17:00 (Attachment only, DOC Based - ENG - 365 Blue Box)
Creation Time 2019:05:29 13:20:00 (DOC Based - ENG - 365 Blue Box)
Creation Time 2019:05:29 12:55:00 (Attachment only, DOC Based - ENG - 365 Blue Box)
Creation Time 2019:05:29 07:15:00 (DOC Based - ENG - 365 Blue Box)
Creation Time 2019:05:28 19:56:00 (DOC Based - ENG - 365 Blue Box)
```
#### SHA256s for Epoch 2 Payload EXEs seen on 05/29/19 ####
#### Epoch 1 C2s ####
#### Epoch 1 - Spam/Stealer C2s ####
```

<not verified>
61.92.159.208:8080
104.236.185.25:8080
50.116.63.9:7080

```
#### Current Epoch 1 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

```
#### Epoch 2 C2s ####
#### Epoch 2 - Spam/Stealer C2s ####
```

<not verified>
198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080

```
#### Current Epoch 2 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

```
#### Credits and Notes Section ####
```
  1101.  
  1102. WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
  1103. is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
  1104. https://pastebin.com/u/jroosen
  1105. https://paste.cryptolaemus.com
  1106.  
  1107. NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
  1108. I am providing them for your benefit in case you want to parse them to be sure.
  1109.  
  1110. ```
  1111. #### What is Epoch 1 and Epoch 2? ####
  1112. ```
  1113.  
  1114. What is Epoch 1 and Epoch 2? (updated 03/07/2019)
  1115.  
  1116. I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
  1117. payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
  1118. Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more
  1119. rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
  1120. This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
  1121. to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
  1122. time period.
  1123. Here are some observations I have noted since I have been watching these botnets:
  1124.  
  1125. - Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
  1126. Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have different document creation times and payload quintets than those
  1127. being delivered in maldocs on Epoch 2 at any one time.
  1128. - Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
  1129. - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
  1130. - On Mondays of every week a new set of document download sites and usually templates to accompany them are generated early on
  1131. Monday morning/Sunday night.
  1132. - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
  1133. Epoch 2 may have a document hosted on host.tld/B.
  1134. - The RSA keys for C2 communications on each Epoch/Botnet will change every few months.
  1135. - Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
  1136. *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
  1137. - Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
  1138. - C2s are never shared between Epochs/Botnets.
  1139. - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
  1140. via C2 to stay ahead of AV defs.
  1141. - Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
  1142. - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
  1143. - The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
  1144. easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
  1145. - Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
  1146. spam template, word template, document type and even payload.
  1147.  
  1148. If I think of anything else to add or if anyone else has any suggestions, I will add them here.
  1149.  
  1150. ```
  1151. #### Community Lists ####
  1152. ```
  1153.  
  1154. https://twitter.com/executemalware/status/1133861117439238144
  1155.  
  1156. https://twitter.com/malware_traffic/status/1133882203996413953
  1157.  
  1158.  
  1159. ```
  1160. #### Credits ####
  1161. ```
  1162. (OC from @JRoosen and/or combination work of the following)
  1163.  
  1164. Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
  1165. @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
  1166. @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
  1167.  
  1168. C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
  1169. @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
  1170.  
  1171. Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
  1172. @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
  1173. @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
  1174.  
  1175. Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
  1176.  
  1177. Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
  1178. helping out with this!
  1179.  
  1180. Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
  1181. @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
  1182. @urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
  1183.  
  1184. ```
  1185. #### Daily Log 05-29-19 ####
  1186. ```
  1187.  
  1188. still no email for me. someone else is getting all the attention
  1189.  
  1190.  
  1191. A big thank you to all those that report #emotet, via Twitter, URLhaus, URLscan and all the sandboxes.
  1192.  
  1193.  
  1194. General News:
  1195.  
  1196. <>
  1197.  
  1198.  
  1199. REVIEW:
  1200. If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
  1201. to open .JS files via Notepad.exe. You can follow my instruction here in this Any.Run:
  1202. https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
  1203. or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
  1204. I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
  1205. You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
  1206. https://twitter.com/JayTHL/status/1126204098670411779
  1207.  
  1208. Email Template Report:
  1209.  
  1210. Generic templates for the most part, the usual body text listed below.
  1211.  
  1212. Review:
  1213. What we know about the threaded templates/reply chain: (changes are marked with *)
  1214.  
  1215. - Emails are sourced from once (or still) compromised users all over the world.
  1216. *- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
  1217. to the compromised party on or before Nov 2018 until at least March 2019. (may be up to present) Also have seen emails going
  1218. back as far as June 2018.
  1219. - Now on E1 and E2.
  1220. - Now seeing German based templates that are essentially the same thing but in German.
  1221. - The injected reply is usually prefaced with the following:
  1222. "Attached is your confidential docs."
  1223. "Attached please find the wire transfer form."
  1224. "Thank you for your help. Please see the attached."
  1225. "Load instructions attached"
  1226. "A printer friendly attachment is now included with each email."
  1227. "Click on the attachment to open or save the printer friendly version of your report."
  1228. - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
  1229. - Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
  1230. - The link is customized for the display text of the link to show the real domain of the spoofed organization.
  1231. - These templates are pretty limited in run and not very numerous.
  1232.  
  1233. Link Regex Report:
  1234.  
  1235. Regex directory patterns
  1236.  
  1237. E1
  1238. *https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
  1239. https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
  1240. https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
  1241. https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/
  1242.  
  1243. E2
  1244. https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
  1245. *https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
  1246. https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
  1247.  
  1248. NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/
  1249.  
  1250. These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of link malspam.
  1251.  
  1252.  
  1253. Payloads Report:
  1254.  
  1255. Normal early start
  1256.  
  1257. E1 was attachment only. 30 DOC hashes scraped from sources
  1258.  
  1259. In addition to three expected E2 EXE sets across 480 URLs, there were two attachment-only runs.
  1260.  
  1261. EXE for both had low rate of hash turnover until 17:45, after this hash changed every 15 minutes
  1262.  
  1263. C2 Report:
  1264.  
  1265. C2 from E1 EXE gave 100 unique combos in total. - recorded above
  1266. C2 from E2 EXE gave 103 unique combos in total. - recorded above
  1267.  
  1268.  
  1269. Closing:
  1270.  
  1271. <>
  1272.  
  1273. TT
  1274.  
  1275. ```
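The directory patterns from the Link Regex Report above, applied to URLs pulled out of a message body and labelled by epoch. This is an added example, not part of the original paste: `URL_TOKEN`, `scan` and the sample body are hypothetical, and the sample URLs are constructed on reserved example.* hosts.

```python
import re

# Directory patterns copied verbatim from the Link Regex Report, in page order.
# Assumption: the leading "*" on two of them is the paste's change marker, so it is dropped.
PATTERNS = [
    ("E1", r'https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)'),
    ("E1", r'https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/'),
    ("E1", r'https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/'),
    ("E1", r'https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/'),
    ("E2", r'https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/'),
    ("E2", r'https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)'),
    ("E2", r'https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/'),
]

def _compile(patterns):
    """Number the patterns per epoch (E1 1-4, E2 1-3) and compile them."""
    counts, out = {}, []
    for epoch, pattern in patterns:
        counts[epoch] = counts.get(epoch, 0) + 1
        out.append((epoch, counts[epoch], re.compile(pattern)))
    return out

COMPILED = _compile(PATTERNS)
URL_TOKEN = re.compile(r'https?://[^\s"<>]+')  # hypothetical URL extractor for mail bodies

def scan(text):
    """Return [(url, epoch, pattern_number), ...] for every URL in text that hits a pattern."""
    hits = []
    for m in URL_TOKEN.finditer(text):
        # Test each URL on its own so the lazy .+? cannot run from one URL into the next,
        # but keep the character that follows it: E2 pattern 2 ends in ("|\n).
        following = text[m.end():m.end() + 1] or "\n"
        candidate = m.group(0) + following
        for epoch, number, rx in COMPILED:
            if rx.search(candidate):
                hits.append((m.group(0), epoch, number))
    return hits

# Constructed sample body: reserved example.* hosts, paths shaped like the patterns.
SAMPLE = '''<a href="http://blog.example.org/wp-includes/Scan/AbCdEfGhIjKlMnOp/">Invoice</a>
http://shop.example.com/wp-content/INC/abcd1234efgh_k2j4h6g8-123456789012/
http://files.example.net/wp-includes/ab12cd-ef34gh5-ij56/
http://portal.example.com/sec/EN_en/myacc/
https://www.example.com/wp-content/uploads/2019/05/report.pdf
'''

if __name__ == "__main__":
    for url, epoch, number in scan(SAMPLE):
        print(f"{epoch} pattern {number}: {url}")
```

A quoted link to a bare `/wp-content/uploads/` directory also hits E2 pattern 2, which is the kind of false positive the "experimentally and at your own risk" caveat covers. The same pattern misses a URL followed by a space, because it only accepts a closing quote or newline.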
  1276. #### Sandbox 05/29/19 ####
  1277.  
  1278. ```
  1279.  
  1280. E1
  1281. https://cape.contextis.com/analysis/77831/
  1282. https://cape.contextis.com/analysis/77842/
  1283. https://cape.contextis.com/analysis/77846/
  1284.  
  1287. E2
  1288. https://cape.contextis.com/analysis/77832/
  1289. https://cape.contextis.com/analysis/77845/
  1290. https://cape.contextis.com/analysis/77847/
  1291.  
  1292. ```