- ## Emotet Malware Document links/IOCs for 04/11/19 as of 04/12/19 01:30 EDT ##
- *Notes and Credits now at the bottom* Follow us on Twitter @cryptolaemus1 for more updates.
- #### Epoch 1 Document/Downloader links seen for 04/11/19 ####
- #### Epoch 2 Document/Downloader links seen for 04/11/19 ####
- ```
- http://temp3.inet-nk.ru/be5hd1b/XBlHQ-9fEdFsSvTIQQRXU_JLcSYvwXu-2K/
- http://thinking.co.th/styles/iqx6d-qa5tlm-ympzd/
- http://thoratindustries.com/wp-admin/HPkt-6vvbyllpA86UxqM_GyYEXGTp-mU0/
- http://thutashwekyal.com/o/zAArn-x9h4jHhh2EiY68_OjKjkVLTU-Ke8/
- http://tienganhvoihothu.com/js/d5rsl4-at5ja9-sqntn/
- http://tienphongmarathon.vn/wp-content/bo9h-l5e0s-fzge/
- http://tigerlilytech.com/fUaR0ijAH/IkGcd-00kfke917O48zzh_WfkhzIPYZ-Rb/
- http://trangsucnhatlong.com/cgi-bin/6ssndee-6vdxrp-abxkkgz/
- http://tripperstalk.com/engl/z8khlr-x82ef2-lzitny/
- http://tristanrineer.com/sec.accs.docs.biz/KhzUX-YAVVL5b7a9OWGY_GqjasSikK-SJ6/
- http://turkexportline.com/e-bebe/tkjrhv6-zj4bt-mnxa/
- http://tuvidaysalud.com/controllers/bnpj-IOF7Jqmq9pF6mt_vEHgUqWe-JU/
- http://twistingdistance.com/wp-includes/421c-0vrd1-fhhacc/
- http://upick.ec/wp-content/1or2ew-p0rl3qe-dpogqdz/
- http://ural.today/wp-content/uploads/n0pqws-x81sfa-bwpt/
- http://urbaniak.waw.pl/wp-includes/BqxeC-xBPjfxzv1Xieg8_RAJxRoBD-SP/
- http://vanspronsen.com/test/XGjl-T2mO4VZ0AFXbpF_bUvMQxAY-0v/
- http://vcontenidos.com/inspiration-break/lvuj4-en42a-qtdrvg/
- http://vfxfesst.com/tjylctp/FNML-v8wIn0ojFsQe95P_lORfecSQx-KR/
- http://vistadentoskin.com/wp-includes/8917-7uiutv-tjxvy/
- http://voumall.com/wp-content/uploads/lsx2-o6qt60k-mxeeo/
- http://vpacheco.eu/xzds8sq/8duk-vixybm-yfrq/
- http://warriorllc.com/logon/oYuwh-lm4Ur8ieEKXwoOn_ANMBXfJCa-2yJ/
- http://warwickvalleyliving.com/components/xLov-PWz2jQQ2gCpL1Uz_sHqCKllh-PZB/
- http://webarte.com.br/css/nwrb8wm-wt1s8q8-fmbv/
- http://websmartworkx.co.uk/site/wp-content/uploads/a7vc-cypggn-pcjg/
- http://wittyhealthy.com/wp-includes/14hnes-gvi07-onru/
- http://wordpress.demo189.trust.vn/wp-content/uploads/1aaa-6utx9-tegvf/
- http://wp.hopure.com/mphoi5j6h/Rlou-eBiYEODKo4FRZmD_pAKRALyjf-it8/
- http://www.aktifsporaletleri.com/assess/xUezr-9llr0J37rjFTPWr_TRBcviot-2Ue/
- http://www.am99.com.au/wp-content/uploads/dta5-dxq2rg-imqxt/
- http://www.capstone-homes.com/wp-content/SGvb-2ttJ8XPkP4LVjBV_tJZWKNytP-G6/
- http://www.cei-n.org/wp-includes/8chtt-a1rl22-xwjcdeg/
- http://www.cottagesneardelhi.in/includes/HloA-tgo1socF8yYLp8_BXkRtJIT-0bp/
- http://www.dev.livana-spikoe.com/wv4gres/9wpc9y4-naic83-dykcnzi/
- http://www.dmgh.ir/wp-admin/WhRs-iPLJ99haAM471xB_lDSgkzcK-BEP/
- http://www.dobrojutrodjevojke.com/wp-content/jl7v-1112zg4-rkvf/
- http://www.giztasarim.com/wp-includes/kdSK-QdWseNNSZM3U1N_dhwAQkJM-SF/
- http://www.goldsilverplatinum.net/wp-admin/pVIGz-npN2pcs2q5bc7c_LWAAydQN-Nf/
- http://www.grondverzetjousma.nl/cgi-bin/9d0n-hnswlg-onsazv/
- http://www.hanifiarslan.com/wp-admin/88cb6-n4zn6-wqfffyl/
- http://www.karalamadefteri.org/secret/vahtc0-s2rdhb-eezguv/
- http://www.kvsc.com.my/rtrtgtm/PApeb-njjPlYeH26E8SA_MPiUKYif-43b/
- http://www.lecombava.com/Surlenet/u717oo-68awtw-cijxil/
- http://www.mustafaokan.com/wp-content/uploads/kjlb43-pgqbqxg-bynj/
- http://www.promo-snap.com/p/ffRS-eObYdTN9BU5wtT_eojxtpCL-Bg/
- http://www.secomunicandobem.com/wp-content/aYMU-2bgmPfZ1JgX4kd_xsvovMFFa-cme/
- http://www.sonmoicaocap.vn/tdq5mpz/luauulk-2wwilj-uinsb/
- http://www.vfxfesst.com/tjylctp/FNML-v8wIn0ojFsQe95P_lORfecSQx-KR/
- http://www.xtime.hk/wp-admin/ufFLs-Wp0vYMyac0mJBV_efmZzLru-QL/
- http://www.your-choice.uk.com/docs/TdLT-OhAh7irjwCgdEg_xbaQilZt-Vx/
- http://xetaimt.com/ooecgp9/98w5ghf-xgcxdi-ncmg/
- http://xn--80aao0acd1ak7id.xn--p1ai/wp-content/themes/creattica/eap184-lz6890-rbdqxhk/
- http://xtremeplay.co/phpMyAdmin/tmp/pzbxu5-otdslm-pyjtzqt/
- http://yesimsuit.com/ajax.googleapis.com/wgtpz-5hdib4d-qvbjrlt/
- http://yjsys.co.kr/wp-includes/oqVP-HWP6YaD1FNo41x_HvVqylmq-qE/
- http://yourmarketsolution.com.ng/wp-includes/w9xfq3-rylxr-uzdv/
- http://yucatan.ws/cgi-bin/lytcql-xhgau-llyyqh/
- http://zinganet.com/cgi-bin/LMKR-kQ2bYpuM3KKy5Q_TWJIqWqOT-28/
- http://zoracle.com/verif.accounts.docs.com/dk9vd-gaa5e0-qmbqz/
- http://zuix.com/leads/dttvl-ot94z-ugvr/
- http://zulimovil.com/p/b11btzt-luyri-krxfba/
- https://aabbcc.gq/wp-content/z5vmjc-hb80vnx-wqiie/
- https://alry.com.br/wp-includes/g4ju6-bco3vt-shseeqn/
- https://altop10.com/wp-includes/m2xu-jxkyu-ycinc/
- https://banglanews24x7.com/wp-includes/0kv1v7x-i2fva-jzaoc/
- https://bomboklat-online.com/mphoi5j6h/zpsp-tpgcp-effdj/
- https://cars24.org.in/wordpress/yi66-k67tlx-yqqx/
- https://connectedwarriors.org/owbbryy/qm4i-kxvr60-nnxvm/
- https://datagambar.club/xerox/LGCpC-HRwOhoIX07uuiu_ckgabWPvp-cHu/
- https://delzepich.de/wp-admin/sWUx-ktPsdQCF5uWnPNm_PwVEsvPEr-9B/
- https://dev-en.rewallonia.be/wp-content/CIdk-qq24qMNGC4XEZ8_ZhwayYAfZ-5pu/
- https://dobrojutrodjevojke.com/wp-content/jl7v-1112zg4-rkvf/
- https://ecigcanadazone.com/pages/YOQL-8c2Fe3t21pjYsAi_zHcZndaRE-IPO/
- https://escuro.com.br/ckeditor/REbsY-hO5q5yM1hDogpAV_tSNqAyKZh-HQ/
- https://fk.unud.ac.id/bicp/05cyhb-k53zv7w-pigkyw/
- https://flynet.travel/sqy71uu/242fkw-4ph8ys-obvdghe/
- https://glaub-online.de/TKXX-uimJ7QIvYAeTKe5_amjYqUvx-n3P/
- https://hasukovillage.com/wp-admin/9yp14w-5yq5b66-ztpewoh/
- https://homeairmachine.com/wp-content/uploads/752f3b1-5slncd-ftbtm/
- https://hwx-group.com/wjwrtce/dxke0-5q5bg-cecuome/
- https://ingelse.net/AUxDp-b4CSupAMfWu2Ne_jRJanUStb-P3/
- https://inovatips.com/9yorcan/mts33-18ob6hx-frmyru/
- https://kanttum.com.br/blog/wp-content/uploads/WYsS-ktOMRYOXfEwZXMx_kbURpZCk-6A/
- https://korpushn.com/wp-content/qll8coz-jdm9n6-ygajgy/
- https://laarberg.com/test/BRbg-A0UufkZCWovQ9HX_SoCPyszp-YBd/
- https://lagilaku.shop/lebct/hmbin-nlyitq-mhklqnu/
- https://lavocatcrochet.com/wp-content/yyoDY-ViwiG6NW5yxgle_XYEdHDBYe-aWu/
- https://locagroup.club/p/baj5-6oe6y-uaexk/
- https://lphmedia.com/ardbrookStripe/5chovl-tt6jdqs-zryp/
- https://musicianabrsm.com/8uhpkl5/6xzziw-uf66m-ozjyrq/
- https://netimoveis.me/wp-content/w65332x-0s9f3v-fxdkos/
- https://nonprofit.goknows.com/wp-content/upgrade/nhcgspn-4baxn-ovea/
- https://polytechnicstudy.online/wp-content/pfnyj-1qdm0mb-tixvrdq/
- https://provolt.ro/wp-content/cmsuq-7x6eho-ssmxm/
- https://solpro.com.co/wp-includes/lphggti-7261cqj-pbkb/
- https://solpro.com.co/wp-includes/z6w5-2qq5cj-sstyfbv/
- https://stelliers.cn/demo/CADU-cdNjYo4bnsKzng_gJxwnJaWl-Kz/
- https://tempatkebaikan.org/wp-content/zarkgjo-gtpt6-miltfvz/
- https://thutashwekyal.com/o/zAArn-x9h4jHhh2EiY68_OjKjkVLTU-Ke8/
- https://vistadentoskin.com/wp-includes/8917-7uiutv-tjxvy/
- https://visualhosting.net/img/Kunn-gq0qbn3cZg6p0y_PFxmfJYPx-N4P/
- https://vpacheco.eu/xzds8sq/8duk-vixybm-yfrq/
- https://worshiphubug.com/p/to7qp-422w3xx-auku/
- https://www.capstone-homes.com/wp-content/SGvb-2ttJ8XPkP4LVjBV_tJZWKNytP-G6/
- https://www.dierquan.com/wp-content/4cvr-tq5fz1k-ihqyut/
- https://www.essyroz.com/wp-content/q4xao7b-j13tpz-chqs/
- https://www.goldsilverplatinum.net/wp-admin/pVIGz-npN2pcs2q5bc7c_LWAAydQN-Nf/
- https://www.herflyingpassport.com/wp-admin/sAzeP-97YZrc0sCFDvIS_qUjpnxqh-PA/
- https://www.indiaautentica.es/calendar/wbtp5-0awptpf-mqolfom/
- https://www.lefaturk.com/wp-admin/l0t5-s0wy0f-gmkfj/
- https://www.netimoveis.me/wp-content/gcABx-dxHHevlAGfxfQy_DbVHvajk-iV/
- https://www.netimoveis.me/wp-content/w65332x-0s9f3v-fxdkos/
- https://www.promo-snap.com/p/ffRS-eObYdTN9BU5wtT_eojxtpCL-Bg/
- https://www.promo-snap.com/p/oqOg-o1lcCHpxL84HvMZ_mwZOPhra-mzc/
- https://www.sonmoicaocap.vn/tdq5mpz/luauulk-2wwilj-uinsb/
- https://www.your-choice.uk.com/docs/TdLT-OhAh7irjwCgdEg_xbaQilZt-Vx/
- https://www.yourmarketsolution.com.ng/wp-includes/w9xfq3-rylxr-uzdv/
- https://xetaimt.com/ooecgp9/98w5ghf-xgcxdi-ncmg/
- https://xn--80aao0acd1ak7id.xn--p1ai/wp-content/themes/creattica/eap184-lz6890-rbdqxhk/
- https://zzlong.xyz/wp-content/tl2h-n73gl-hdzl/
- ```
- #### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
- ```
- Creation Time 2019-04-11 22:10 (JS Based - Fake Error)
- Creation Time 2019-04-11 16:11:00 (DOC Based - ENG - 365 Blue Box)
- Creation Time 2019-04-11 11:16:00 (DOC Based - ENG - 365 Blue Box)
- Creation Time 2019-04-11 07:20 (JS Based - Fake Error)
- Creation Time 2019-04-10 20:10 (JS Based - Fake Error)
- ```
- #### SHA256s for Epoch 1 Payload EXEs seen on 04/11/19 ####
- #### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
- ```
- Creation Time 2019-04-12 00:00 (JS Based - Fake Error)
- Creation Time 2019-04-11 21:05 (JS Based - Fake Error)
- Creation Time 2019-04-11 17:14:00 (DOC Based - ENG - 365 Blue Box)
- Creation Time 2019-04-11 12:28:00 (DOC Based - ENG - 365 Blue Box)
- Creation Time 2019-04-11 08:10 (JS Based - Fake Error)
- Creation Time 2019-04-10 23:15 (JS Based - Fake Error)
- ```
- #### SHA256s for Epoch 2 Payload EXEs seen on 04/11/19 ####
- ```
- 94530d502c2247ce8914d103880f6c4fd948d17795d3ef61b2bd88366b0554cc
- 30aa1ed6c249f61ecbeaec8e80baf46736184f5c978d5454f0e7226f667a87d8
- d2a803d7ea205fdf2c3c353a6607e0e8918e807c279a84b1f7eb8fbd74280ba4
- 9aff108db362f60fe95c0d60e901dbe8060f0ae56e5a2d41558f43702a77d7d5
- 4e97f6f19149f5d07576c3fdb54c6bd8fdc58987e0cb90594d07795fb0ac19bc
- ea7d527a5243eb78f3592ac48cd1900ae89bfbfa90d1494dc7225d3f80f861aa
- 6cde9a7c7131d3fbe67c702e347bbf958701ff7950b2ab35f03da31ec7dd4405
- 23c5feca719555e6a94e72d9cb1c797b6932a1f3674443609c38f994f0f12435
- bdf5d2293f4f7f0cc8ea11c15f767d016ffdce51b1fa171559c9eeb75f57249b
- 83e46a73aee165944034de90ba01c5de62e71ff21219f1ae55c38af28b87850e
- 8ac9328dbdf71b90d18d21fdf726a4ffc16bfd90af4fbb87dcb73ea8a39da23a
- 9430311b0db42fdc51130b7cd0f587ff7e5c4f0eb6a14c40c5b08f00519b9147
- d7670bb7f6477abae3c017c95218c159cc6c78800bd814f66e960f79be25e2d7
- 3a9d250d4d1f1ead2627b8569f9c8454f22fcd50890fd02193d3f1338521425c
- b1fc5109275b269ff39b9fc362aec6bf90e074c531cdeafc59197d03299299f3
- 5720b1a89c3f5066da0326e5a6b1cb2305dbaf96460fe827394670e7fa3ee8f6
- 6a39ffbdc5b9817c87801bfc795e762b0d879a95c651f79d0a123703966111a5
- 5e0b32488eac395abfefadf981934ed62a0c0599f8424d70689d498ce1139f9f
- a64f80305a1ed1ada59be456599c580fe9b046437c2769b57a3398f40877b3f7
- 7d57d03508faf70b5c1d71111a3663bd4b589aeeab88071fdedb74e12c7f8af2
- 25d42fdb4c833e79801276182ef1d738d3b0100be8e42a36afe3f673832c797d
- 3ed5b5a24e257dc84ea17b19315c7249fd0a8533d619d366dd9c5637d916143e
- 11709aead4fce4a3dca915596130eca63f612fcd0f647f7eb7a6596318d98709
- a34d471cde7a3d80f89555b336e7bad456dda86354afdf4f2731610d41dab879
- dd184549fa29574c32b198edf8be022259dbd27f3a65287a28c3e3c4acc3743c
- b5f5cbe5eb5eba182046e9418c343f627e7335f3d083cab9ea510782302bf84d
- f404b8202a5d2d7d8f20f7c238cd93787cd7e0390e3d1971e3c810431c247b3f
- 21da3ba8076712ac5824dd720d00eecb8b4820c6d3e82c0ff8fedfbeb17ba085
- 5be0519b0a50f4604003fee7af7f9b1ff8fff44952f17def036ecde8a86e275f
- 866f818d571554f028726a7cbf6c2089fabea1e0f3bc5c3fabd221aa42cf5125
- 25ec80c0dfa40b3b1424273880ed0e1b229f418ed00861c5879bd4836b313716
- cb0ea6ea6264855b981c65b24f89a156a1ce118f59e354c67b706785f4068595
- 3943a5328c502e89598b2a2ce344272454310e9a99690a6b87f6934d07794d8c
- 79bfdeb8e26c990fe2350a1c8fffa07f89f5edf322453449e27af69c1f3b1f0c
- 885a268b32d9fd560013fbad140a63c330aa39c27ce71f1c266b61ed6984e223
- 64986e06eb17e3fbc4437c04448d5189beee36a75e1ef0d1c526f7efebf2a587
- 4978be11e87d8952ff4bd8111ef790cfdf0f3dae550d9d45cf07eb5cbf41be48
- c68a8ccf90007fea627ed7f4448839cd56b24a3cc3cab67ff2bfeca5238d9028
- 57d0b683345fb404c390a27578cc976630892ca32b50822a05f2cd517ee50274
- d0901c4576f6a74642f337757c7f46c121b97c360699b2282ec50fe01e451f86
- a79d2e68ad15520db76307dd3fcd67eef5775aaffdaafd925f11d6c5ac6b95bf
- 659945c138049d7f970b6ea4a34601e36ee80d331d07bff02d2913c7a10dccea
- ff66096b4ad137d89ecdf00c6964bde21cbdf50ab35c04532642e9c2219b0bda
- bffce3b9045c249659d41f68d1228933e4850e285eb9a49cacd684f4b23f2686
- ea1a71343913bec97aca98d12f8a6e7a712ad8c6cd31acc80a9630c07dfd0337
- ```
- #### Epoch 1 C2s ####
- #### Epoch 1 - Spam/Stealer C2s ####
- ```
- 31.172.86.183:8080
- 104.236.185.25:8080
- 50.116.63.9:7080
- ```
- #### Current Epoch 1 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
- ```
- #### Epoch 2 C2s ####
- #### Epoch 2 - Spam/Stealer C2s ####
- ```
- 198.58.114.91:4143
- 213.136.86.219:7080
- 91.205.215.10:7080
- ```
- #### Current Epoch 2 RSA Public Key ####
- ```
- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
- ```
- #### Credits and Notes Section ####
- ```
- Updated 7/13/18
- WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
- is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
- https://pastebin.com/u/jroosen
- NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
- I am providing them for your benefit in case you want to parse them to be sure.
- ```
- #### What is Epoch 1 and Epoch 2? ####
- ```
- What is Epoch 1 and Epoch 2? (updated 03/07/2019)
- I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
- payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
- Epoch 1 is currently the larger of the two botnets (MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more
- rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
- This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
- to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
- time period.
- Here are some observations I have noted since I have been watching these botnets:
- - Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
- Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have different document creation times and payload quintets than those
- being delivered in maldocs on Epoch 2 at any one time.
- - Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- - On Mondays of every week a new set of document download sites and usually templates to accompany them are generated early on
- Monday morning/Sunday night.
- - Both Epochs may share a host for binaries or documents but NEVER the same directory. E.g. Epoch 1 may have an EXE in directory host.tld/A and
- Epoch 2 may have a document hosted on host.tld/B.
- - The RSA keys for C2 communications will change every few months on each Epoch/Botnet.
- - Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
- *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- - Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- - C2s are never shared between Epochs/Botnets.
- - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
- via C2 to stay ahead of AV defs.
- - Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- - The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
- easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- - Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
- spam template, word template, document type and even payload.
- If I think of anything else to add or if anyone else has any suggestions, I will add them here.
- ```
- #### Community Lists ####
- ```
- https://pastebin.com/thQAg8Ai - @pollo290987
- ```
- #### Credits ####
- ```
- (OC from @JRoosen and/or combination work of the following)
- Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
- @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
- @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
- C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
- @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial
- Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
- @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
- @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman
- Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
- Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
- helping out with this!
- Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
- @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
- @urlscanio and @Virustotal for providing services/software no charge to this cause!
- ```
- #### Daily Log 04-09-19 ####
- ```
- Email Template Report:
- I saw a couple malspams today. One was the threaded highly customized variety and the other was a generic template type.
- The threaded one was actually a response to a message that was a mass mailing and was a bit of fail. I am not sure how
- the emotet guys are selecting emails to respond to or if they are just responding to anything. This message was from
- a generic account that was sending a very simple newsletter so they need to update their selection process in my opinion.
- The response was actually different than what I have seen thus far and was an attachment based threaded message.
- It looked like the following:
- From: "Spoofed Full Name" <compromised account@brazil>
- To: "Generic Sender Name" <generic sender account for newsletter@mydomain>
- Subject: Re: Mark Your Calendars!
- ____________________________
- <html>
- <body>
- Attached please find the wire transfer form.<br>
- Please let me know if you have any questions.
- <br>
- <br>
- <br>
- <br>
- <br>
- Spoofed full name<br>
- Spoofed Email Address
- <br>
- <br>
- <br>
- <br>
- ----Original Message-----<br><br>
- <pre>
- <http://d31hzlhk6di2h5.cloudfront.net/20190117/b4/8c/a5/5b/c7935620dcada0524e1d13b5_1260x662.png>
- January Is Full of Activities!
- ________________________
- Attachment was named "7927847272_April_11_2019.doc"
- Yup, this was an email that was sent out in January of this year. So it seems like there are some updates to
- what we know about the threaded templates: (changes are marked with *)
- - Emails are sourced from once (or still) compromised users all over the world.
- *- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
- to the compromised party on or before Nov 2018 until at least January 2019. (may be up to present)
- - Now on E1 and E2.
- - Now seeing German based templates that are essentially the same thing but in German.
- *- The injected reply is usually prefaced with the following:
- "Attached is your confidential docs."
- *"Attached please find the wire transfer form."
- - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- *- Attachments seem to be in the filename format of *_April_DD_YYYY.doc/js so far.
- - The link is customized for the display text of the link to show the real domain of the spoofed organization.
- - These templates are pretty limited in run and not very numerous.
- So when I said "be prepared for changes", I meant it. We could see the above change quickly.
- Link Regex Report:
- Regex directory patterns - Same as Yesterday.
- E1 and E2 - https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
- E2 - https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
- E1 is still slowly changing over to the old favorite of \/([DdeEnN_]{2,5})\/([0-49\-]){6,7}\/ but we had a twist this time.
- NEW: The German variants this morning had some additional wording before the date such as:
- /vertrauen/2019-04/
- /Frage/2019-04/
- /vertrauen/201904/
- /Nachprufung/2019-04/
- /sichern/042019/
- /sich/2019-04/
- Therefore I upgraded the Regex to:
- \/(Frage|Nachprufung|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-49\-]){6,7}\/
- You can of course change the group at the end to ([0-9\-]){6,7} if you wanted to keep this in place for May and beyond.
- Payloads Report:
- E1 had a normal amount of payload quintets today with 4. We switched from direct JS downloads to DOCs and then back to
- JS at the end of the day. Mostly links again for stage 2 downloads.
- In distro, E1 binaries are no longer stuck and are now rotating every 5Min again.
- E2 once again had an excessive 5 payload quintets today. Just like E1, all stage 2 loaders went from .js to doc and then
- back to .js. E2 binaries are still updating every 5-10 minutes in distro directories but did stop midday for some reason.
- C2 Report:
- C2s DID change for E1 and decreased from 59 to 54 combos in total. - recorded above
- C2s DID change for E2 but remained at 58 combos in total. - recorded above
- Closing:
- If you haven't checked out the article that Catalin Cimpanu wrote about the Emotet threaded emails for ZDNet,
- check it out here: https://twitter.com/campuscodi/status/1116389853065895937
- Tomorrow is Friday and I am ready for this week to be over.
- ```
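The directory patterns from the Link Regex Report above, applied to proxy log lines. This is an added example, not part of the original paste: the log format, the `example.test` URLs, the label names and the function names are all constructed for illustration.

```python
import re

# Patterns taken from the Link Regex Report in the daily log.
E1_E2 = re.compile(
    r"https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})"
    r"_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/"
)
E2 = re.compile(r"https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/")
_WORDS = r"\/(Frage|Nachprufung|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/"
DATED_APRIL = re.compile(_WORDS + r"([0-49\-]){6,7}\/")  # digits 0-4 and 9 only
DATED_ANY = re.compile(_WORDS + r"([0-9\-]){6,7}\/")     # the "May and beyond" variant


def classify(url, any_month=False):
    """Return a label for every pattern that matches url (labels are this example's own)."""
    labels = []
    if E1_E2.search(url):
        labels.append("E1+E2")
    if E2.search(url):
        labels.append("E2")
    if (DATED_ANY if any_month else DATED_APRIL).search(url):
        labels.append("dated-dir")
    return labels


# Constructed proxy log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = """
2019-04-11T09:01:12Z 10.0.0.21 GET http://example.test/wp-content/AbCdE-abcdefgh1234567_ABCDEFGHI-xY/ 200
2019-04-11T09:02:40Z 10.0.0.35 GET http://example.test/abcd1-xyz12-qwer9/ 200
2019-04-11T09:03:05Z 10.0.0.35 GET http://example.test/files/vertrauen/2019-04/ 200
2019-04-11T09:04:51Z 10.0.0.8 GET http://example.test/blog/EN_en/2019-05/ 200
2019-04-11T09:05:10Z 10.0.0.8 GET http://example.test/about/contact.html 200
"""


def scan(log_text, any_month=False):
    """Return (client, url, labels) for every log line whose URL matches a pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:  # skip blank or malformed lines
            continue
        client, url = fields[1], fields[3]
        labels = classify(url, any_month)
        if labels:
            hits.append((client, url, labels))
    return hits


if __name__ == "__main__":
    for client, url, labels in scan(SAMPLE_LOG):
        print(client, ",".join(labels), url)
```

With the April character class the `/EN_en/2019-05/` line is missed, and it is caught once `any_month=True` switches to `[0-9\-]`. The E2 pattern also matches ordinary hyphenated slugs such as `/spring-sales-2019/`, so a hit is a lead to correlate with other indicators rather than a verdict.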
- #### Sandbox 04/11/19 ####
- (all with fakenet and MITM unless spam/secondary infection)
- ```
- Epoch 1 C2 run on 2019-04-12 at 04:30 UTC - https://cape.contextis.com/analysis/64315/
- ```
- ```
- Epoch 2 C2 run on 2019-04-12 at 04:30 UTC - https://cape.contextis.com/analysis/64316/
- ```