ps66uk

#Emotet Malware IoCs 2019/05/17

May 19th, 2019
## Emotet Malware Document links/IOCs for 05/17-19/19 as of 05/17-19/19 22:00 BST ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.

#### Epoch 1 Document/Downloader links seen for 05/17-19/19 ####
#### Epoch 2 Document/Downloader links seen for 05/17-19/19 ####
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time 2019-05-17 19:20:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
  471.  
  472.  
  473. Creation Time 2019-05-17 14:30:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
  474. SHA256:
  510.  
  511.  
  512. Creation Time 2019-05-17 07:25:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
  513. SHA256:
  562.  
  563.  
  564. Creation Time 2019-05-16 18:54:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
  565. SHA256:
  593.  
  594.  
  595. ```
  596. #### SHA256s for Epoch 1 Payload EXEs seen on 05/17-19/19 ####
  597. ```
  598.  
  642.  
  643.  
  644. ```
  645. #### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
  646. ```
  647.  
  648. Creation Time 2019-05-17 15:09:00 (DOC Based - ENG - 365 Blue Box)
  649. SHA256:
  707.  
  708.  
  709. Creation Time 2019-05-17 05:55:00 (DOC Based - ENG - 365 Blue Box)
  710. SHA256:
  767.  
  768.  
  769. Creation Time 2019-05-16 18:51:00 (DOC Based - ENG - 365 Blue Box)
  770. SHA256:
  797.  
  798.  
  799. ```
  800. #### SHA256s for Epoch 2 Payload EXEs seen on 05/17-19/19 ####
  801. ```
  802.  
  845.  
  846.  
  847. ```
  848. #### Epoch 1 C2s ####
  849. ```
  850.  
  931.  
  932.  
  933. ```
  934. #### Epoch 1 - Spam/Stealer C2s ####
  935. ```
  936. <not updated>
  937. 61.92.159.208:8080
  938. 104.236.185.25:8080
  939. 50.116.63.9:7080
  940.  
  941.  
  942. ```
  943. #### Current Epoch 1 RSA Public Key ####
  944. ```
  945.  
  946. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
  947.  
  948.  
  949. ```
  950. #### Epoch 2 C2s ####
  951. ```
  952.  
  1045.  
  1046.  
```
#### Epoch 2 - Spam/Stealer C2s ####
```
<not updated>
198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080

```
#### Current Epoch 2 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

```
#### Credits and Notes Section ####
```

WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLs from previous days; see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

```
#### What is Epoch 1 and Epoch 2? ####
```

What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller, more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6-month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
time period.
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, maldocs on Epoch 1 will have different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites and usually templates to accompany them are generated early on
Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys will change every few months or so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

```
#### Community Lists ####
```

https://twitter.com/pollo290987/status/1129842897178824705
https://pastebin.com/KZ3iYziz

https://twitter.com/executemalware/status/1129542899098636288
https://pastebin.com/fUmUeWM7

```
#### Credits ####
```
(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL, @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @TrendMicro and @Virustotal for providing services/software at no charge to this cause!

```
#### Daily Log 05-17-19 ####
```

It's going to take me a little time to get up to the usual high standard and timing - @ps66uk

Still low volumes of Emotet for me in the UK, not seeing many LATAM bots recently, predominantly European sources.

I noticed that my reply-chain emails were not using stolen bodies, only the stolen Subject: - the body is now a generic text as below

CERTPolska noted the high levels of #emotet in Poland, and provided a script to pull IoCs: https://twitter.com/CERT_Polska_en/status/1129382879195213824


General News:

<..>

REVIEW:
If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
to open .JS files via Notepad.exe. You can follow my instruction here in this Any.Run:
https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
https://twitter.com/JayTHL/status/1126204098670411779

Email Template Report:

Generic templates for the most part, the usual body text listed below.

Review:
What we know about the threaded templates/reply chain: (changes are marked with *)

- Emails are sourced from once (or still) compromised users all over the world.
*- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018 until at least March 2019. (may be up to present) Also have seen emails going
back as far as June 2018.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
- The injected reply is usually prefaced with the following:
"Attached is your confidential docs."
"Attached please find the wire transfer form."
"Thank you for your help. Please see the attached."
"Load instructions attached"
"A printer friendly attachment is now included with each email."
"Click on the attachment to open or save the printer friendly version of your report."
- Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- The link is customized for the display text of the link to show the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous.

Link Regex Report:

Regex directory patterns - Changed one of the Regexes for E2 to pick up more common directories that were seen today.

E1
*https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/

E2
https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
*https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/

NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/

These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of what I saw in link malspam.

Payloads Report:


C2 Report:

C2s DID change for E1 and increased from 77 to 80 combos in total. - recorded above
C2s DID change for E2 and increased to 92 combos in total. - recorded above

Closing:



TT

```
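The NOTE in the Link Regex Report above, worked through as an added example that is not part of the original paste: two of the listed patterns are run over constructed proxy-log lines, showing a benign URL that the unterminated E2 pattern flags and that the `(\"|\n)` suffix filters out. The hostnames, the log layout and the function names are assumptions made for the illustration.

```python
import re

# Two directory patterns copied from the Link Regex Report (first E1, last E2).
E1_DIRS = (r'https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)'
           r'\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)')
E2_TRIPLE = r'https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/'
# Suffix from the NOTE: the URL must end right after the last slash.
TERMINATOR = r'(\"|\n)'

PATTERNS = {
    "E1-dirs": re.compile(E1_DIRS),
    "E2-triple": re.compile(E2_TRIPLE),
    "E2-triple-strict": re.compile(E2_TRIPLE + TERMINATOR),
}

# Constructed proxy log lines (assumed layout); hosts use the reserved .example TLD.
SAMPLE_LOG = (
    '2019-05-17T09:12:01Z 10.0.0.21 GET "http://site-a.example/wp-content/open_network/com/ENG_US/accounts/new_docs/" 200\n'
    '2019-05-17T09:12:07Z 10.0.0.34 GET "http://site-b.example/wp-includes/a1b2c-d3e4f5-g6h7/" 200\n'
    '2019-05-17T09:13:40Z 10.0.0.34 GET "https://shop.example/blog/2019-spring-sale/index.html" 200\n'
    '2019-05-17T09:14:02Z 10.0.0.50 GET "https://intranet.example/docs/policy.pdf" 200\n'
)

def hits(line):
    """Names of the patterns that match anywhere in one log line."""
    return [name for name, rx in PATTERNS.items() if rx.search(line)]

def scan(log):
    """Map 1-based line number -> matching pattern names, for lines with a hit."""
    report = {}
    for number, line in enumerate(log.splitlines(keepends=True), 1):
        found = hits(line)
        if found:
            report[number] = found
    return report

def loose_only(report):
    """Lines flagged by the unterminated E2 pattern but not by the terminated one."""
    return [n for n, names in report.items()
            if "E2-triple" in names and "E2-triple-strict" not in names]

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for number, names in result.items():
        print(number, names)
    print("candidate false positives:", loose_only(result))
```

The terminated form only helps when the URL field is closed by a quote or a line end in the data being searched, which is the case the NOTE's suffix assumes.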
#### Sandbox 05/17/19 ####
(all with fakenet and MITM unless spam/secondary infection)
```

Epoch 1 C2 run on 2019-05-17 at 19:00 UTC - https://pastebin.com/kHir6JU2
```

```

Epoch 2 C2 run on 2019-05-17 at 19:00 UTC - https://pastebin.com/kHir6JU2

```