Daily Emotet IoCs and Notes for 02/11/19

Emotet Malware Document links/IOCs for 02/11/19 as of 02/12/19 00:40 EST

Notes and Credits now at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.




Epoch 1 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-02-11 22:05:00 (XML Based - ENG - Off-Center Light Blue/White)

Creation Time	2019-02-11 18:40:00 (XML Based - ENG - Off-Center Light Blue/White)

Creation Time	2019-02-11 15:19:00 (XML Based - ENG - Off-Center Light Blue/White)


Creation Time	2019-02-11 12:38:00 (XML Based - ENG - Off-Center Light Blue/White)

Creation Time	2019-02-11 07:32:00 (XML Based - ENG - Unzoomed Indigo/White)

Creation Time	2019-02-08 21:27:00 (XML Based - ENG - Unzoomed Indigo/White)

SHA256s for Epoch 1 Payload EXEs seen on 02/09-11/19



Epoch 2 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-02-11 20:26:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:

http://45.77.244.93/bfObwxpm11Sjv6S/
http://45.32.82.29/G2UAYAIo5zKs4El4D/
http://188.166.161.57/CBpZUIRi2j/
http://13.58.52.117/BBvNV0vvgoectW/
http://104.248.66.24/bXkPxtnIYTR_yd7/

Creation Time	2019-02-11 15:09:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:

http://104.198.17.119/h0Ya3P8r0O_cG/
http://178.159.38.201/wcbrQ8LRfb_7pKaOP9z/
http://118.25.176.38/bmNCKBx/
http://178.236.210.22/tKMrxvGkHP/
http://128.199.207.179/d6JEQSR1V2hkqXqT1/


Creation Time	2019-02-11 13:01:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:
6e927c5d6fa40f1dcd1a2de07aeb18c9468f72308cc039e83ed24c3405b01acf
33b1006e66da703bc812ecde9d309190e6ff8a0476d423c45de05e236a357d93
a418442135c3ff6db4a8b1be74b8efb1797a9f983f62efda4f937a0e0d971f61

http://13.126.61.22/ZersFqNzy4Dr/
http://139.59.64.173/hSQpezoBAp/
http://13.126.61.11/TTLDQc4Su4n/
http://138.197.72.9/vRoDcTOZS_qq4qSrbs/
http://207.154.223.104/ooDtybmXDTDVP_Iv/

Creation Time	2019-02-11 08:13:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:

http://mask.studio/YekA282vrXrdhU/
http://fenichka.ru/gxbQ7eOunffJ/
http://206.189.68.184/8nQyj8ifKmYc/
http://thales-las.cfdt-fgmm.fr/cgi-bin/maGRA8iYgDCPMG/
http://prosperity-student.co.uk/ml2NQffoMmyJs6J/



Creation Time	2019-02-08 21:40:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:

http://kurzal.ru/wordpress/wp-content/uploads/czt7YdTi3rZV_pa7/
http://labterpadu.ulm.ac.id/77gLl6H6qP/
http://duken.kz/SOHMlMvz/
http://compex-online.ru/1v3PpPJA6C/
http://marketingonline.vn/wp-admin/SojclY7Rslabm_423l6/


SHA256s for Epoch 2 Payload EXEs seen on 02/11/19

Epoch 1 C2s



Spam/Stealer C2s



Current Epoch 1 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

Epoch 2 C2s



Epoch 2 - Spam/Stealer C2s


31.167.70.26:8080
64.178.246.207:8080
73.83.148.166:443

Current Epoch 2 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

Credits and Notes Section

Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
 
NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1 and Epoch 2? (updated 01/29/2019)

It has been a while since I refreshed this section so I wanted to update it and bring it up to date.

I have been tracking Epoch 1 and Epoch 2 since May of 2018. Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for
communications. Epoch 2 is currently the larger of the two botnets and I think it is the main push of Emotet. Epoch 2 WAS a smaller more rapidly changing
version of Emotet at one point in May/June of 2018. Now Epoch 1 seems to be the smaller of the two since this time period. Despite having unique unshared
C2 infrastructures, these two botnets have been seen to move bots from one to the other and show similar behaviors seemingly controlled by a single
entity/group. Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an Epoch 2
document download site. Specifically, Maldocs on Epoch 1 will have different document creation times and payload quintets than those being delivered
in maldocs on Epoch 2 at any time.
- Document hashes change every 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Mondays of every week a new set of document download sites and usually templates to accompany them are generated early on Monday morning/Sunday night.
- Both Epochs may share a host for binaries or documents but NEVER the same directory. Eg. Epoch 1 may have an EXE in directory host.tld/A and Epoch 2 may
have a document hosted on host.tld/B.
- The RSA keys will change every month or so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours to stay ahead
of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

Community Lists

https://pastebin.com/b91Lkcbu - @Jan0fficial
https://twitter.com/James_inthe_box/status/1095015199382204416
https://pastebin.com/ntgAHqLK - @pollo290987
https://otx.alienvault.com/pulse/5c620447cdc7d83b7dcafed9/ - @SecSome

Credits

(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie,
@Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial
@shotgunner101, @HerbieZimmerman, @Outkast_TI

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie, @devnullnoop,
@gorimpthon, @Racco42, @Jan0fficial

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987,
@malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial,
@OguzhanTopgul, @HerbieZimmerman

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt 

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and helping out with all of this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey , 
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch
and @Virustotal for providing services/software at no charge to this cause!

Daily Log


Well today was interesting, I topped 300+ malspams and I was pretty damn busy doing dayjob stuff. There were some interesting changes today, 
IPs were used in URLs instead of FQDNs for the download URLs and even the payload URLs. This seems like the start of another long list where
you sort the numbers to the top and then start using things in order...

If so this is going to be a long week with many new URLs thrown at us. So as predicted, we got more of these PDF attachments with banking 
accounts being "suspended" but we also got a couple new templates today. One was concerning Microsoft accounts and was sent primarily to
GER/DE and was covered by CERTBund:

https://twitter.com/certbund/status/1094895999347249152

Interesting tactic on that one ^


We also got another new one which @ps66uk saw first this morning for invoices in HTML that we call the purple button.
(Picture will be attached to the report on Twitter) https://twitter.com/ps66uk/status/1094957953910743041
This template was the most common one I received by far and I did not expect that. It was just from E1 from what I could tell. 
Most of the purple button templates had a subject from the following list:

Bill "Spoofed Full Name"
Bill from "Spoofed Full Name"
last bill
last bill from "Spoofed Full Name"
last invoice
"Victim Full Name" Bill "Spoofed Full Name"
"Victim Full Name" Bill from "Spoofed Full Name"
"Victim Full Name" Invoice
"Victim Full Name" Invoice from "Spoofed Full Name"
"Victim Full Name" new bill "Spoofed Full Name"
"Victim Full Name" new invoice "Spoofed Full Name"
"Victim Full Name" new invoice 

You get the point.
@ps66uk also reported the patterns to the URLs: https://twitter.com/ps66uk/status/1094966716340285440

That is, all of the URLs seem to include the following type of directory structure, which mimics another Domain.TLD type structure:

sec.accs.resourses.biz/
sec.accs.docs.com/
sec.myaccount.resourses.com/
secure.accs.docs.biz/
secure.accs.send.com/
secure.accs.resourses.biz/
secure.accounts.docs.net/
secure.accounts.send.net/
secure.myacc.docs.net/
secure.myaccount.send.net/
trust.accs.send.net/
trust.myacc.resourses.net/
trust.myaccount.resourses.com/
trust.myaccount.send.com/
verif.accs.docs.biz/
verif.accs.docs.net/
verif.myacc.docs.com/
verif.accounts.resourses.com/

Basically always that pattern of starting with (sec, secure, trust, verif) 
then (accs, accounts, myacc, myaccount)
then (docs, resources, send) 
and lastly (.biz, .com, .net)
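
The pattern above can be turned into a proxy-log check. This is an added example, not part of the original notes: the log layout, client addresses and hosts are constructed, and accepting the "resources" spelling next to the "resourses" spelling seen in the listed directories is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote

# Tokens from the pattern described above. The listed directories spell the
# third token "resourses"; "resources" is also accepted (assumption).
LURE_DIR = re.compile(
    r"(sec|secure|trust|verif)\."
    r"(accs|accounts|myacc|myaccount)\."
    r"(docs|resourses|resources|send)\."
    r"(biz|com|net)"
)

def _split(url):
    # Give scheme-less URLs a scheme so the host is never parsed as a path.
    return urlsplit(url if "://" in url else "http://" + url)

def find_lure_segment(url):
    """Return the normalized path segment matching the pattern, or None.

    Only whole path segments are tested, so a real hostname such as
    secure.accounts.docs.net does not trigger the check.
    """
    for raw in _split(url).path.split("/"):
        segment = unquote(raw).lower()  # undo %2E-style encoding and case tricks
        if LURE_DIR.fullmatch(segment):
            return segment
    return None

def triage(log_lines):
    """Return (client, host, segment) for each log line whose URL matches.

    Assumed layout (constructed): timestamp client method url status
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines instead of failing
        client, url = fields[1], fields[3]
        segment = find_lure_segment(url)
        if segment:
            hits.append((client, _split(url).hostname, segment))
    return hits

# Constructed sample lines; hosts are documentation addresses.
SAMPLE_LOG = [
    "2019-02-11T18:42:07Z 10.0.0.23 GET http://192.0.2.10/wp-content/uploads/trust.accs.send.net/ 200",
    "2019-02-11T18:43:55Z 10.0.0.41 GET http://secure.accounts.docs.net/index.html 200",
    "2019-02-11T18:44:10Z 10.0.0.41 GET http://198.51.100.7/Verif%2EMyAcc%2EResourses%2ECom/ 200",
    "2019-02-11T18:45:31Z 10.0.0.57 GET http://example.com/downloads/secure.accs.docs.biz.bak/ 404",
    "truncated line",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```
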

Additionally, I did get a couple of Spanish-based, attachment-based malspams for invoices. Most spamming was done after 13:30 EST.


C2s changed for both E1 and E2 but the keys remained the same. We are now down to 54 combos and 53 combos on each respectively. This is more
like the historic counts of tier 1 C2 hosts.

That is about it for today. Until tomorrow for more FUn from Emotet.

Sandbox 02/11/19

(all with fakenet and MITM unless spam/secondary infection)


Epoch 1 C2 run on 2019-02-12 at 04:30 - https://cape.contextis.com/analysis/36480/


Epoch 2 C2 run on 2019-02-12 at 04:30 - https://cape.contextis.com/analysis/36479/