- ## Emotet Malware Document links/IOCs for 05/17-19/19 as of 05/17-19/19 22:00 BST ##
- *Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.
- #### Epoch 1 Document/Downloader links seen for 05/17-19/19 ####
- #### Epoch 2 Document/Downloader links seen for 05/17-19/19 ####
- #### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
- ```
- Creation Time 2019-05-17 19:20:00 (DOC Based - ENG - 365 Blue Box)
- SHA256:
- Creation Time 2019-05-17 14:30:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
- SHA256:
- Creation Time 2019-05-17 07:25:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
- SHA256:
- Creation Time 2019-05-16 18:54:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
- SHA256:
- ```
- #### SHA256s for Epoch 1 Payload EXEs seen on 05/17-19/19 ####
- #### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
- ```
- Creation Time 2019-05-17 15:09:00 (DOC Based - ENG - 365 Blue Box)
- SHA256:
- Creation Time 2019-05-17 05:55:00 (DOC Based - ENG - 365 Blue Box)
- SHA256:
- Creation Time 2019-05-16 18:51:00 (DOC Based - ENG - 365 Blue Box)
- SHA256:
- ```
- #### SHA256s for Epoch 2 Payload EXEs seen on 05/17-19/19 ####
- #### Epoch 1 C2s ####
- #### Epoch 1 - Spam/Stealer C2s ####
- ```
- <not updated>
- 61.92.159.208:8080
- 104.236.185.25:8080
- 50.116.63.9:7080
- ```
- #### Current Epoch 1 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
- ```
- #### Epoch 2 C2s ####
- #### Epoch 2 - Spam/Stealer C2s ####
- ```
- <not updated>
- 198.58.114.91:4143
- 213.136.86.219:7080
- 91.205.215.10:7080
- ```
- #### Current Epoch 2 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
- ```
- #### Credits and Notes Section ####
- ```
- WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
- is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
- https://pastebin.com/u/jroosen
- NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
- I am providing them for your benefit in case you want to parse them to be sure.
- ```
- #### What is Epoch 1 and Epoch 2? ####
- ```
- What is Epoch 1 and Epoch 2? (updated 03/07/2019)
- I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
- payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
- Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more
- rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
- This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
- to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
- time period.
- Here are some observations I have noted since I have been watching these botnets:
- - Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
- Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have different document creation times and payload quintets than those
- being delivered in maldocs on Epoch 2 at any one time.
- - Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- - On Mondays of every week a new set of document download sites and usually templates to accompany them are generated early on
- Monday morning/Sunday night.
- - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
- Epoch 2 may have a document hosted on host.tld/B.
- - The RSA keys for C2 communications on each Epoch/Botnet will change every few months.
- - Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
- *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- - Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- - C2s are never shared between Epochs/Botnets.
- - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
- via C2 to stay ahead of AV defs.
- - Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- - The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
- easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- - Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
- spam template, word template, document type and even payload.
- If I think of anything else to add or if anyone else has any suggestions, I will add them here.
- ```
- #### Community Lists ####
- ```
- https://twitter.com/pollo290987/status/1129842897178824705
- https://pastebin.com/KZ3iYziz
- https://twitter.com/executemalware/status/1129542899098636288
- https://pastebin.com/fUmUeWM7
- ```
- #### Credits ####
- ```
- (OC from @JRoosen and/or combination work of the following)
- Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
- @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
- @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
- C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
- @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
- Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
- @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
- @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
- Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
- Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
- helping out with this!
- Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
- @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
- @urlscanio, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!
- ```
- #### Daily Log 05-17-19 ####
- ```
- It's going to take me a little time to get up to the usual high standard and timing - @ps66uk
- Still low volumes of emotet for me in the UK, not seeing many LATAM bots recently, predominantly European sources.
- I noticed that my reply-chain emails were not using stolen bodies, only the stolen Subject: - the body is now a generic text as below
- CERTPolska noted the high levels of #emotet in Poland, and provided a script to pull IoCs https://twitter.com/CERT_Polska_en/status/1129382879195213824
- General News:
- <..>
- REVIEW:
- If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
- to open .JS files via Notepad.exe. You can follow my instruction here in this Any.Run:
- https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
- or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
- I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
- You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
- https://twitter.com/JayTHL/status/1126204098670411779
- Email Template Report:
- Generic templates for the most part, the usual body text listed below.
- Review:
- What we know about the threaded templates/reply chain: (changes are marked with *)
- - Emails are sourced from once (or still) compromised users all over the world.
- *- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
- to the compromised party on or before Nov 2018 until at least March 2019. (may be up to present) Also have seen emails going
- back as far as June 2018.
- - Now on E1 and E2.
- - Now seeing German based templates that are essentially the same thing but in German.
- - The injected reply is usually prefaced with the following:
- "Attached is your confidential docs."
- "Attached please find the wire transfer form."
- "Thank you for your help. Please see the attached."
- "Load instructions attached"
- "A printer friendly attachment is now included with each email."
- "Click on the attachment to open or save the printer friendly version of your report."
- - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- - Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- - The link is customized for the display text of the link to show the real domain of the spoofed organization.
- - These templates are pretty limited in run and not very numerous.
- Link Regex Report:
- Regex directory patterns - Changed one of the Regex's for E2 to pick up more common directories that were seen today.
- E1
- *https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
- https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
- https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
- https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/
- E2
- https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
- *https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
- https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
- NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/
- These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of what I saw in link malspam.
- Payloads Report:
- C2 Report:
- C2s DID change for E1 and increased from 77 to 80 combos in total. - recorded above
- C2s DID change for E2 and increased to 92 combos in total. - recorded above
- Closing:
- TT
- ```
- #### Sandbox 05/17/19 ####
- (all with fakenet and MITM unless spam/secondary infection)
- ```
- Epoch 1 C2 run on 2019-05-17 at 19:00 UTC - https://pastebin.com/kHir6JU2
- ```
- ```
- Epoch 2 C2 run on 2019-05-17 at 19:00 UTC - https://pastebin.com/kHir6JU2
- ```
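The following is an added example, not part of the original paste: it runs the E1/E2 patterns from the Link Regex Report over a few URLs and shows how the trailing `(\"|\n)` group and the unanchored `sign` alternative affect matching. The sample URLs are constructed on the reserved `example.test` domain, and the names `classify` and `classify_url_field` are hypothetical helpers.

```python
import re

# Patterns copied from the Link Regex Report above; the leading "*" on two of
# them is the paste's change marker, not regex syntax, so it is omitted here.
PATTERNS = {
    "E1-1": r'https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)',
    "E1-2": r'https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/',
    "E1-3": r'https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/',
    "E1-4": r'https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/',
    "E2-1": r'https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/',
    "E2-2": r'https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)',
    "E2-3": r'https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/',
}
COMPILED = {name: re.compile(rx) for name, rx in PATTERNS.items()}


def classify(text):
    """Return the sorted names of all patterns that match anywhere in text."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(text))


def classify_url_field(url):
    """Classify a bare URL field, e.g. one column of a proxy log."""
    # E2-2 requires a quote or newline after the final slash, which a raw mail
    # body supplies but an extracted log field does not, so append a newline.
    return classify(url.strip() + "\n")


# Constructed samples on the reserved example.test domain (not real IoCs).
SAMPLES = {
    "e1_link": "http://shop.example.test/wp-content/trusted_area/seg/EN/signed/office/",
    "e2_href": '<a href="http://blog.example.test/wp-includes/Ab3dEf9hIj/">Invoice</a>',
    "e2_bare": "http://blog.example.test/wp-includes/Ab3dEf9hIj/",
    "e2_file": "http://files.example.test/Invoice_ab12cd-20190517001/",
    "benign": "https://docs.example.test/guides/getting-started/",
    # Harmless-looking path that still hits E1-1: "sign" is not anchored, so it
    # also matches "signup". This is the false-positive risk the NOTE mentions.
    "signup": "https://portal.example.test/com/en/signup/",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:8} raw={classify(text)} as_field={classify_url_field(text)}")
```
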