Emotet Malware Document links/IOCs for 02/12/19 as of 02/12/19 21:45 EST
Notes and Credits now at the bottom Follow us on twitter @cryptolaemus1 for more updates.
Epoch 1 Document/Downloader links seen for 02/12/19
http://104.155.65.6/Telekom/Rechnung/01_19/
http://104.211.226.28/secure.myacc.send.net/
http://104.223.40.40/trust.myaccount.send.net/
http://10xtask.com/secure.accs.docs.biz/
http://114.34.129.103/trust.accs.docs.net/
http://128.199.187.124/trust.myacc.resourses.net/
http://13.112.69.225/wp-content/verif.myaccount.resourses.net/
http://13.233.6.83/verif.myacc.resourses.biz/
http://13.52.34.29/Telekom/Transaktion/012019/
http://13.92.177.54/secure.accs.send.net/
http://130.211.205.139/verif.accounts.resourses.biz/
http://132.145.153.89/trust.accs.send.net/
http://159.65.146.232/secure.myacc.send.net/
http://159.65.83.246/Telekom/Transaktion/012019/
http://159.89.107.36/secure.myaccount.resourses.biz/
http://159.89.153.180/trust.myaccount.send.com/
http://160.16.198.220/sec.accounts.send.com/
http://167.99.10.129/Telekom/Rechnungen/012019/
http://178.128.54.239/sec.accs.docs.com/
http://178.62.213.188/Telekom/Rechnungen/012019/
http://18.188.113.212/Telekom/Rechnungen/012019/
http://18.217.211.183/wordpress/trust.accs.send.biz/
http://18.218.56.72/wp-content/secure.myacc.send.net/
http://18.223.125.61/secure.accs.resourses.net/
http://188.131.164.117/trust.myacc.resourses.net/
http://191.252.102.167/wp-content/uploads/sec.accs.send.biz/
http://1lorawicz.pl/plan/med.microsoft.net/agr/event-uat/gtDlnph6D/gtDlnph6D/
http://204.93.160.43/Telekom/RechnungOnline/012019/
http://206.189.154.46/secure.accs.resourses.biz/
http://206.189.45.178/wp-content/uploads/Telekom/RechnungOnline/012019/
http://211.238.147.196/@eaDir/secure.myacc.resourses.net/
http://23.235.202.43/secure.myacc.resourses.com/
http://3.16.186.154/Telekom/Rechnungen/012019/
http://35.154.50.228/sec.myaccount.resourses.biz/
http://35.196.135.186/wordpress/Telekom/Transaktion/012019/
http://35.200.161.87/Telekom/RechnungOnline/012019/
http://35.239.139.124/Telekom/Rechnung/01_19/
http://35.247.37.148/Telekom/Transaktion/012019/
http://37.139.27.218/sec.accs.resourses.net/
http://3dproaudio.abqwebdesign.net/Telekom/Transaktion/012019/
http://51.77.192.138/sec.myaccount.resourses.com/
http://52.15.227.66/Telekom/RechnungOnline/012019/
http://52.205.176.136/verif.accounts.docs.com/
http://52.211.179.190/Telekom/Rechnungen/012019/
http://52.52.3.72/wp-content/uploads/sec.accs.send.net/
http://52.89.55.218/wp-content/Telekom/Rechnungen/012019/
http://54.202.85.204/trust.accs.docs.net/
http://54.234.174.153/sec.accs.resourses.biz/
http://67.209.114.215/Telekom/RechnungOnline/012019/
http://78.207.210.11/@eaDir/secure.myaccount.send.net/
http://82.196.10.146/trust.accs.send.biz/
http://85.115.23.247/wp-content/uploads/verif.accs.send.biz/
http://actu-switch.fr/Telekom/Transaktion/01_19/
http://adam-ch.com/trust.myaccount.docs.biz/
http://adbord.com/css/sec.accs.send.biz/
http://aded.co.in/Telekom/Transaktion/012019/
http://adizventuresgh.com/Telekom/Transaktion/012019/
http://admrent.com/secure.accounts.send.biz/
http://aemo-mecanique-usinage.fr/sec.accounts.resourses.net/
http://afshari.yazdvip.ir/verif.myacc.resourses.biz/
http://agilife.pl/sec.myaccount.send.net/
http://ahead-consulting.pl/Telekom/RechnungOnline/01_19/
http://aitechr.migallery.com/Telekom/RechnungOnline/012019/
http://alicemuchira.co.ke/Telekom/Rechnungen/012019/
http://allaboutpoolsnbuilder.com/Telekom/Rechnung/01_19/
http://allopizzanuit.fr/mm.microsoft.ms/med/event/dNhfd4yt/dNhfd4yt/
http://angullar.com.br/trust.myacc.docs.com/
http://app.websoham.com/verif.myacc.docs.com/
http://ariesnetworks.org.uk/sec.accounts.send.com/
http://asmanjob.ir/wp-admin/Telekom/RechnungOnline/012019/
http://atribud.cv.ua/secure.myaccount.docs.biz/
http://ava-life.com/Telekom/RechnungOnline/01_19/
http://awcq60100.com/sec.accounts.resourses.net/
http://azs-service.victoria-makeup.kz/Telekom/Transaktion/01_19/
http://bachhoatructuyen.com.vn/trust.accs.resourses.net/
http://bangerrally.co.uk/secure.accs.resourses.net/
http://barb-os.ro/Telekom/Rechnungen/012019/
http://batdongsanphonoi.vn/sec.accounts.send.net/
http://batuquedigital.com.br/Telekom/RechnungOnline/012019/
http://baza-dekora.ru/Telekom/Rechnung/012019/
http://beautyandbrainsmagazine.site/trust.accs.docs.net/
http://bem.unimal.ac.id/verif.myacc.resourses.com/
http://bettermerchantrates.com/Telekom/RechnungOnline/012019/
http://billfritzjr.com/verif.accs.docs.com/
http://bkkbubblebar.com/trust.accounts.send.net/
http://bonex.it/trust.accs.send.biz/
http://bornkickers.kounterdev.com/wp-content/uploads/secure.myacc.docs.net/
http://bramjpluss.com/trust.myacc.docs.biz/
http://bueno.adv.br/trust.myacc.send.net/
http://bvxk.vatphamtamlinh.net/secure.accs.send.net/
http://cafe.tgeeks.co.tz/verif.accs.docs.biz/
http://cafevanuhm.nl/verif.accs.docs.net/
http://calaokepbungalow.com/Telekom/Rechnungen/012019/
http://cangol.com/wp-content/secure.accounts.docs.net/
http://cannabisgrowadvice.com/Telekom/Transaktion/012019/
http://carsibazar.com/verif.accounts.docs.net/
http://casfetaudsm.org/verif.myaccount.docs.biz/
http://cbd-planet.ch/sec.myacc.send.com/
http://cild.edu.vn/med.microsoft.com/cha/drm/VDzJNeiePGK746/VDzJNeiePGK746/
http://cngda.tw/secure.myacc.docs.biz/
http://coacig.com.br/secure.accounts.resourses.biz/
http://conselhosaude.device-heaven.com/Telekom/Transaktion/01_19/
http://contents-marketing.ru/Telekom/Rechnungen/012019/
http://daisychepkemoi.co.ke/verif.accounts.resourses.com/
http://datapdks.com/Telekom/Rechnung/012019/
http://davieshall.ilovesurreybc.ca/Telekom/Rechnung/012019/
http://davinsonegule.co.ke/Telekom/Transaktion/012019/
http://dehkadeh-tameshk.ir/Telekom/Rechnungen/012019/
http://demo.liuzhixiong.top/trust.accounts.send.net/
http://demo.pifasoft.cn/trust.myaccount.send.biz/
http://dentistmomma.com/sec.accounts.resourses.com/
http://depascoalcalhas.com.br/trust.accounts.docs.com/
http://dermosaglik.com.tr/trust.myacc.docs.biz/
http://destinazione.poker/verif.myacc.docs.com/
http://deza.ir/wp-includes/Telekom/Transaktion/012019/
http://diblod.cozuare.com/Telekom/Rechnungen/01_19/
http://dijitalthink.com/med.microsoft.ms/agr/sid/YjV0pOXhYYv1F/YjV0pOXhYYv1F/
http://distro.attaqwapreneur.com/sec.accs.docs.com/
http://dixe.online/secure.accounts.resourses.biz/
http://dptsco.ir/sec.myaccount.resourses.net/
http://dwdsystem.home.pl/css/secure.accounts.send.net/
http://dztech.ind.br/wp-content/uploads/sec.accs.send.com/
http://ec2-18-218-56-72.us-east-2.compute.amazonaws.com/wp-content/secure.myacc.send.net/
http://edax.com.pl/verif.myacc.resourses.biz/
http://emae26.ru/sec.accs.docs.net/
http://embrava.eu/trust.accs.resourses.com/
http://emploired.com/trust.myacc.resourses.biz/
http://emu4ios.biz/trust.myaccount.resourses.com/
http://eosago99.com/trust.myaccount.send.biz/
http://ercanendustri.com/Telekom/Transaktion/012019/
http://esgaming.com.br/wp-content/secure.accounts.docs.net/
http://estacionclick.com/sec.accounts.send.biz/
http://expoilca.org/Telekom/Rechnung/012019/
http://fancy.direxpro.md/Telekom/Rechnungen/012019/
http://fcserwis.pl/bin/Telekom/RechnungOnline/012019/
http://foldio360.nl/Telekom/Transaktion/012019/
http://foodfithealthy.com.foodfithealthy.com/Telekom/RechnungOnline/012019/
http://forodigitalpyme.es/sec.accs.docs.biz/
http://freestreetgist.com/secure.myaccount.docs.biz/
http://frog.cl/secure.accs.send.biz/
http://gemaber.com/Telekom/Transaktion/01_19/
http://gettirerepair.com/Telekom/Rechnung/01_19/
http://gilbertceramic.fr/Telekom/Rechnung/01_19/
http://gjsdiscos.org.uk/verif.myaccount.resourses.biz/
http://goruklecilingirci.com/verif.accs.resourses.biz/
http://gradiors.com/Telekom/RechnungOnline/012019/
http://greeksoft.gr/sec.myacc.docs.com/
http://grikom.info/sec.accounts.send.com/
http://hapoo.pet/sec.accs.resourses.biz/
http://hcforklift-eg.com/trust.myacc.resourses.com/
http://herbeauty.info/trust.accs.resourses.com/
http://hgrmsf.com.ng/Telekom/RechnungOnline/012019/
http://homayeshahr.com/secure.accs.docs.com/
http://homaypars.com/wp-snapshots/Telekom/RechnungOnline/012019/
http://htnieuw.hazenbergtimmerwerken.nl/secure.myaccount.resourses.com/
http://hvanli.com/verif.myaccount.docs.net/
http://iglesiacristianabetesda.org/sec.myaccount.resourses.net/
http://industrid3.nusch.id/sec.myacc.resourses.net/
http://iranmelorin.com/Telekom/Rechnung/012019/
http://irnanoshop.com/sec.myaccount.docs.net/
http://irtk.kz/secure.myaccount.resourses.net/
http://isaboke.co.ke/trust.accounts.docs.biz/
http://jadwalbolaligainggris.com/Telekom/Transaktion/01_19/
http://jaihanuman.us/wp-content/uploads/9/secure.myacc.docs.net/
http://jaquelinemoveis.com/Telekom/Transaktion/012019/
http://jntrader.com/secure.myaccount.docs.com/
http://jrbdecorators.com/trust.myacc.docs.net/
http://kanyambu35.co.ke/Telekom/Transaktion/01_19/
http://karditsa.org/Telekom/Transaktion/01_19/
http://karkw.org/sec.myaccount.docs.biz/
http://kchina.org/sec.myaccount.resourses.com/
http://kelchysgh.com/secure.accs.resourses.biz/
http://khtc.hcmut.edu.vn/trust.myacc.docs.net/
http://kielak.szkola-rocka.com.pl/Telekom/Rechnungen/012019/
http://kingscargogroup.com/Telekom/RechnungOnline/01_19/
http://kwingaliz.co.ke/Telekom/RechnungOnline/01_19/
http://lanco-flower.ir/verif.myacc.docs.com/
http://leonfurniturestore.com/sec.myacc.resourses.biz/
http://lesamisdamedee.org/Telekom/Transaktion/01_19/
http://lienquangiare.vn/sec.myaccount.send.net/
http://link2u.nl/verif.accounts.resourses.com/
http://live.bhavishyagyan.com/sec.accounts.docs.com/
http://loud0.revosales.ru/pbrihtsmik/secure.accounts.resourses.net/
http://luckylibertarian.com/Telekom/Transaktion/01_19/
http://lucymwathi.co.ke/verif.myacc.resourses.com/
http://maprezint.eu/sec.myaccount.resourses.net/
http://marasopel.com/sec.myaccount.resourses.net/
http://marconuenlist.ch/verif.accounts.docs.net/
http://maryngunjiri.co.ke/Telekom/Rechnungen/012019/
http://maskproduction.ru/trust.accounts.send.biz/
http://matex.biz/secure.myaccount.docs.net/
http://mayphatrasua.com/verif.myacc.docs.com/
http://mediarox.com/sec.accs.docs.net/
http://miracleitsolution.com/sec.myacc.resourses.biz/
http://mirkma.ru/Telekom/Rechnungen/012019/
http://missionautosalesinc.com/trust.myaccount.resourses.biz/
http://mlasuka.dothome.co.kr/verif.accounts.send.net/
http://molly.thememove.com/verif.myaccount.resourses.net/
http://mostkuafor.com/trust.myacc.docs.net/
http://mrm.lt/sec.myaccount.resourses.net/
http://msao.net/secure.accounts.docs.com/
http://myshopify.win/sec.myaccount.resourses.biz/
http://nt-kmv.ru/trust.accs.docs.net/
http://okna-lik.kz/wp-content/uploads/sec.myaccount.send.biz/
http://oralflora.jp/verif.myaccount.docs.biz/
http://ortotomsk.ru/trust.accs.docs.biz/
http://pesochnica.com/sec.accounts.resourses.net/
http://php.mavalerio.com.br/trust.myacc.send.com/
http://printingphuket.com/secure.myaccount.send.biz/
http://quoteshub.in/secure.myacc.docs.net/
http://royalgarmentstrainingcenter.com/secure.myacc.send.com/
http://roznorodnoscjestwsrodnasszkola51projekt.pl/sec.accounts.resourses.com/
http://rubylux.vn/secure.accounts.resourses.net/
http://rupbasanbandung.com/trust.accounts.docs.biz/
http://sakura.hostenko.com/sec.myacc.docs.com/
http://saleswork.nl/verif.accounts.resourses.com/
http://saltech.sg/wp-includes/Text/Diff/Renderer/secure.accounts.docs.biz/
http://seksmag.nl/sec.accs.docs.net/
http://service.raglassalum.com/verif.accs.docs.net/
http://shlifovka.by/trust.myaccount.resourses.com/
http://shoutsonline.com/trust.accs.send.com/
http://sieure.asia/secure.myaccount.docs.biz/
http://speckrot.pl/archiwum/trust.accs.resourses.com/
http://staging.fanthefirecreative.com/mobileforming/public/uploads/sec.accounts.send.biz/
http://sukhachova.com/verif.accs.docs.com/
http://summercampforchambermusic.me/sec.accounts.send.net/
http://test.sala-avangarda.pl/verif.accs.docs.com/
http://testcrowd.nl/mm.microsoft.net/api/drm/U3P8hEjuEZXecO/U3P8hEjuEZXecO/
http://theweb.digital/Telekom/RechnungOnline/012019/
http://thien.com.vn/trust.accs.send.net/
http://thucphamchucnanghanquoc.vn/secure.accs.docs.biz/
http://time4robots.pt/trust.myaccount.docs.com/
http://tischer.ro/trust.myacc.resourses.com/
http://tomren.ch/secure.accounts.docs.com/
http://travelwau.com/trust.accounts.resourses.net/
http://trueblissnovelties.com/secure.myacc.resourses.com/
http://ulco.tv/Telekom/Rechnung/012019/
http://urgny.com/backend/p/secure.myaccount.docs.net/
http://victoryseminary.com/secure.accs.docs.net/
http://vieclam.f5mobile.vn/med.microsoft.net/api/drm/ZPnmc58dAzsXuB/ZPnmc58dAzsXuB/
http://villarouca.com.br/trust.accounts.send.net/
http://viticomvietnam.com/secure.accounts.send.biz/
http://wavecrestaoao.com/verif.accs.send.net/
http://weglamour.xyz/verif.accounts.docs.net/
http://weiweinote.com/verif.accounts.docs.com/
http://wemastore.com/sec.myaccount.docs.net/
http://whiskyshipper.com/wp-content/secure.accs.docs.net/
http://whiteliquid.com/secure.accounts.send.com/
http://wigo-todream.rajaojek.com/Telekom/Rechnungen/01_19/
http://wp.lz-coeus.top/secure.myaccount.resourses.biz/
http://www.aemo-mecanique-usinage.fr/sec.accounts.resourses.net/
http://www.archiness.info/sec.accs.send.net/
http://www.dev.jetrouveunstage.com/verif.accs.docs.com/
http://www.difalabarghoo.ir/Telekom/Transaktion/012019/
http://www.drberrinkarakuy.com/secure.myaccount.resourses.com/
http://www.fenismuratsitesi.com/Telekom/Transaktion/012019/
http://www.forodigitalpyme.es/sec.accs.docs.biz/
http://www.hukouec-ltd.com/secure.myacc.docs.com/
http://www.indocinemax21.com/Telekom/Rechnung/012019/
http://www.khomansschilderwerken.nl/verif.myacc.send.biz/
http://www.lespetitsplatsdetina.com/sec.accs.send.net/
http://www.luckylibertarian.com/Telekom/Transaktion/01_19/
http://www.mardaschaves.com.br/trust.accs.resourses.com/
http://www.nicolasgalvez.com/verif.accounts.send.net/
http://www.opjebord.nl/verif.myacc.resourses.biz/
http://www.salesround.com/verif.accs.send.biz/
http://www.tepeas.com/secure.accs.resourses.biz/
http://www.ttc-grs.at/sec.myacc.docs.net/
http://xn-----9kccsa1afbhzcgd9a1ay5l.xn--p1ai/verif.accounts.resourses.com/
http://yduocvinhphuc.info/verif.myaccount.resourses.com/
http://zolotoykluch69.ru/Telekom/RechnungOnline/01_19/
https://198.101.246.240/vk_wp/wp-includes/trust.accs.docs.biz/
https://78.207.210.11/@eaDir/secure.myaccount.send.net/
https://agilife.pl/sec.myaccount.send.net/
https://bkkbubblebar.com/trust.accounts.send.net/
https://carsibazar.com/verif.accounts.docs.net/
https://protect-us.mimecast.com/s/2B9RCxkV2XHqzjyoH8rTH6?domain=ttc-grs.at/
https://tischer.ro/trust.myacc.resourses.com/
https://viplovechs.com/secure.myaccount.docs.net/
https://www.leonfurniturestore.com/sec.myacc.resourses.biz/
Epoch 2 Document/Downloader links seen for 02/12/19
http://119.254.12.142/En/llc/UjBO-7i5MH_rh-hch/
http://128.199.172.4/US/Invoice_number/946924058146/omHD-D8Zh_S-xw/
http://128.199.68.28/En/download/New_invoice/kKsF-l1_pT-F7/
http://139.59.130.73/DE_de/QRPTYCKAS2952593/Bestellungen/Hilfestellung/
http://139.59.182.250/En_us/doc/921630112996/rgbuP-SSFaG_aL-Mz/
http://139.59.6.216/xerox/Copy_Invoice/71723785755653/htJHM-sg_BZ-FL/
http://140.227.27.252/wp-content/file/Invoice_Notice/Maad-ZTqtr_r-sL/
http://158.69.135.116/scan/VGIy-LJJq_rtJTwGJ-loZ/
http://159.65.142.218/wp-admin/llc/04418048552093/nUfSR-uftR_NvMPXE-JKX/
http://159.65.65.213/file/Ryzo-3h_qp-jAt/
http://159.89.167.92/llc/New_invoice/57979132/ukUI-Avt_NXbMuPG-0I/
http://162.243.254.239/quoteandbuy/EN_en/scan/kgsnn-f3J_CVs-RJ/
http://176.32.32.140/De/AFCXKM3339855/de/Zahlung/
http://178.62.233.192/Februar2019/KMANGTNNIX4458863/Dokumente/FORM/
http://179.191.88.69/De/WVHQJHGVLK3054354/Rechnungs/RECH/
http://18.184.16.5/EN_en/company/Invoice_number/34128416/Fdjmu-NQuzD_srNbU-G2p/
http://18.206.204.30/wp-content/uploads/US/doc/Copy_Invoice/RBRS-B2QR_nBbQqjB-4yt/
http://18.220.183.143/US_us/Invoice_number/rhWbB-2u_bazsmq-zL/
http://18.221.1.168/En_us/Inv/70722042/TxlW-3bBd_Azwqu-AXb/
http://18.223.20.43/US/llc/Copy_Invoice/202956035/wyZr-NIkXO_dEpTjku-0i/
http://188.192.104.226/wordpress/US_us/corporation/New_invoice/RVzv-BRhZ_cdjkq-9E/
http://192.241.145.236/US/New_invoice/ZoRXj-H1k08_v-ty/
http://193.77.216.20/En_us/39503764151217/GIBs-qatn_wDpNVKcp-oZ/
http://194.58.106.244/US_us/doc/DIpu-awo_KK-PS/
http://204.48.21.209/US_us/file/9953721/mOaj-POrQ5_FtPW-2r/
http://207.148.31.160/doc/Invoice_Notice/xJkcH-pXzw_ikv-yP/
http://212.47.233.25/wordpress/wp-content/De/YTELMXMCAN5556140/Bestellungen/FORM/
http://3.dohodtut.ru/En/86756718/xcwcO-tzz6_fGPD-h9c/
http://3.parconfreiwald.ro/US_us/doc/bNab-nR54_DwB-LN/
http://34.201.148.147/download/Inv/rwUu-GoD8Y_YsGNacwnq-Wi1/
http://34.208.141.93/De_de/XEIDPHLAKZ2568324/Bestellungen/RECHNUNG/
http://34.242.220.49/DE/VJRCDGL1534972/DE_de/Zahlung/
http://35.170.104.162/DE/PJXLIBNDUK7169850/Bestellungen/RECHNUNG/
http://35.176.197.139/KqrEF-qna_v-ehL/
http://35.190.186.53/EN_en/doc/Copy_Invoice/Nebk-gt3_ZZV-Ok/
http://35.202.250.4/document/Invoice_Notice/pnDo-aHDN_HzaHfarw-RWS/
http://35.226.135.179/wp-content/uploads/DE_de/YXLDBCWE5819265/Rechnungs-docs/Zahlung/
http://35.232.73.116/doc/zzwd-Wja0_fJkVYk-J6/
http://52.196.225.91/wordpress/US_us/document/aTUC-RQb_nAQiekDLJ-wbj/
http://52.236.174.152/doc/New_invoice/OwcFW-cQVA_RD-lXj/
http://52.63.119.3/En_us/doc/Invoice_Notice/1095987397054/IIPw-Eoa_M-au9/
http://52.63.71.120/US_us/corporation/Invoice_number/45951863/OtwFS-R2FA_ZrXS-v72/
http://52.66.236.210/HQHGLKQXFF6297535/DE_de/DOC/
http://54.146.46.168/Februar2019/JYZTXITFS1861033/DE_de/RECH/
http://54.154.144.172/Februar2019/UOFNZKLYY3732280/DE_de/DOC-Dokument/
http://54.224.240.34/Februar2019/FDJASWPO8400835/DE/RECHNUNG/
http://54.250.159.171/En_us/2446830/NqWP-TQObp_cgfZBBxnl-NP/
http://54.38.35.144/US_us/llc/BRBk-OHo0r_GrEJNw-lH/
http://62.141.55.98/wp/DE_de/WLSEDHREWI0259028/Rechnung/Zahlungserinnerung/
http://8.29.139.221/DE/WJUMGPF5102068/Rechnungs/Zahlung/
http://91.208.94.170/DE_de/FLTSRU3564963/Scan/Fakturierung/
http://94.24.72.63/EN_en/download/Invoice_number/dXtC-6zt8U_bkifOk-zE/
http://aaswim.co.za/US/Invoice_Notice/XVdq-OO_xkL-iQ/
http://abiataltib.ml/download/Invoice_number/fTvp-N8mZ_rD-PM/
http://abrab.ir/DE_de/CKPKSWDJVC5938819/Rechnungskorrektur/RECH/
http://academiaquality.com.br/corporation/Invoice_number/JgSe-cUu_HTxQABCV-NU/
http://acenationalevent.ft.unand.ac.id/de_DE/FTDAUCXZOI0278000/DE_de/Zahlung/
http://admin.staging.buildsmart.io/US/doc/New_invoice/zswk-ai_mE-d1l/
http://advocaciafreitas.com.br/DE_de/SIHDKA3817248/GER/Fakturierung/
http://aiwaviagens.com/En/download/LATPa-CUUd_Fok-pp/
http://alainghazal.com/De_de/XPXTELNF7478951/Rechnungs-Details/Hilfestellung/
http://alexovicsattila.com/download/Invoice_number/78852957856867/eSAgf-5DRK_lZBpQhzwI-mw/
http://alicanteaudiovisual.es/OUQCKN3570551/Rech/RECH/
http://allens.youcheckit.ca/de_DE/RUJARNHQD3830836/Scan/Fakturierung/
http://amcleonardo.ru/DE/BNZUVHDM9156611/Scan/RECH/
http://anambrabrothersfoundation.org/DE_de/ERZLJNLZJQ2736717/Scan/Rechnungsanschrift/
http://anhsangtuthien.com/doc/Copy_Invoice/33277038235/KYxP-HWT0_Yt-bXW/
http://api.freelagu.org/En/download/Inv/MfMs-5ZmYE_EGO-9l/
http://artfest.am/wp-content/DE/EUOERZ8203080/DE_de/FORM/
http://ashmira.in/Februar2019/AHJLQWEJ3726858/DE_de/DETAILS/
http://attaqwapreneur.com/resources16/Inv/jNAiu-6FoB_it-nZo/
http://aussietv.net/DE/HEYPKKXVJA6459644/DE/DOC-Dokument/
http://aviatorcolleges.com/De_de/ZNMAVWJGE8643534/Rechnungs-Details/Fakturierung/
http://balooteabi.com/US_us/info/OnLj-jGR0b_fnv-0wh/
http://barabooseniorhigh.com/De/PJCLEXQXV7099833/DE/Rechnungsanschrift/
http://bazee365.com/company/New_invoice/70094947/sbbKq-Ks_m-ba/
http://beaterrally.com/Februar2019/BKTQCV1248803/Rech/DOC/
http://beauty.familyhospital.vn/DE_de/REFZJY2927130/Bestellungen/DETAILS/
http://beepme.eu/US/scan/Invoice/PCbQV-kxfoq_vOhPEVxpQ-JOQ/
http://birdiiz.com/DE_de/GINGHGOTB7950051/DE_de/DOC/
http://bizresilience.com/US/9398061048910/XkXTr-FoAC_puryaeaH-pjn/
http://blogg.postvaxel.se/En/xerox/Invoice/ukyF-v2RRD_bSBA-Mzw/
http://bnpartnersweb.com/EN_en/company/Invoice_number/jMgd-JNcr7_yPVV-Z8x/
http://bobvr.com/document/Invoice_Notice/zgboA-Gd_vF-3TX/
http://botmechanic.io/document/Invoice/122815139860138/VZKR-YLT_syeTcnx-6gX/
http://brazenfreight.co.za/de_DE/RERPSNQS6194206/gescanntes-Dokument/RECHNUNG/
http://brsp.scketon.com/DINREHOJH9817383/Rechnungskorrektur/Fakturierung/
http://burodetuin.nl/joomla2/DE/APFBFUKXEJ8698880/Rechnungs-docs/RECHNUNG/
http://buseguzellikmerkezi.com/De/GWUMRBOBA6128156/de/Rechnungszahlung/
http://businessvideo.urbanhealth.com.ua/En_us/download/Inv/WoAba-Tr_mJl-rDt/
http://buybywe.com/US/file/Copy_Invoice/cnEr-yAEr_DVdVpnpt-cw/
http://bynana.nl/US_us/scan/Copy_Invoice/95731481431/uTpS-lza_PGJHjEAIM-O1e/
http://captipic.com/EN_en/file/KIaE-a8xIU_JQ-iW/
http://casabrasileiracuritiba.com/DE/BATOJM2200849/Rechnungskorrektur/RECHNUNG/
http://casadevacantadml.com/scan/855790484907301/tHasY-A32_Pbtx-3u/
http://celtis.company/En/doc/New_invoice/SqOe-3pcD1_ckvrT-H6I/
http://centropanoramico.cl/DE_de/HELZNG8963886/Rechnungs-docs/Rechnungszahlung/
http://chamboncaytrong.marigoldcatba.com/En_us/llc/35009893941047/zMrvw-4m_ew-Vw/
http://chenhaitian.com/En_us/xerox/New_invoice/KtoLC-W2_tyzjGc-5f/
http://chocadeiraeletrica.device-heaven.com/Februar2019/STNPKM6589307/Rechnungs/DOC/
http://churchofgod.team/phpMyAdmin/US_us/xerox/fnCV-Ygfh_QXvrTT-Wv/
http://cisir.utp.edu.my/UMYVJL4141277/Rechnungs/Rechnungszahlung/
http://clashofclansgems.nl/EN_en/Invoice_Notice/SerL-RiKTU_yYS-pb/
http://cleaneatologyblog.com/New_invoice/inFy-JO_mUqLLp-Ce/
http://clients.nashikclick.com/US_us/document/zNDZu-Qx_vjh-WHt/
http://clipestan.com/En/llc/Invoice_Notice/FLDm-e4J92_VKodvsvY-gsD/
http://colbydix.com/EN_en/scan/New_invoice/228118929/YzES-htLS0_txGqTmqkH-B9C/
http://comfome.co.mz/EN_en/Invoice_Notice/jJieg-RcvH9_Z-fi/
http://construccionesrm.com.ar/De/OMUULPC4322905/Rechnungskorrektur/DETAILS/
http://cosmoprof.com.gt/En/info/Invoice_Notice/hVFM-kjIJq_KNy-8vG/
http://cozuare.cozuare.com/WTDRRBGCGP8139006/Dokumente/FORM/
http://crcconnect.co.za/DE_de/PRJAVGXJ6447606/Bestellungen/DETAILS/
http://creditpuls.com.ua/DE/DEHPWQS6699555/Rechnung/DETAILS/
http://cross.vn/US_us/info/New_invoice/JToV-8fK34_MnDNscvu-cT/
http://croustifondant.fr/Invoice/7721241/mNCkj-MD8E_ib-cj/
http://cytecgroup.co.za/xerox/Egzsx-I4_EMjXw-x8F/
http://daotaokynang.org/DE_de/KBQKRIYL9699105/Rechnung/DOC-Dokument/
http://deltaenergysystems.co.ke/US/doc/0561611/ubiQ-kgznO_rhOR-qWI/
http://demo.evthemes.info/Invoice_Notice/qPBHn-RG7_oEZrS-XOb/
http://dentalalerce.cl/wp-content/xerox/YnnJ-raOAu_yCzzVXL-Ar4/
http://deolia.ru/EN_en/xerox/New_invoice/atAzQ-hx4X_hqTiKHnRZ-sCd/
http://dev.go.bookingrobin.com/US/hIPYq-zTm_ZrflKdXwr-7s/
http://dev.whereplane.com/EN_en/iYdix-qN_CpmsEyn-W5s/
http://devdatta.pacenashik.com/corporation/Invoice_number/hvCZ-55Ajt_TDw-Blv/
http://dibrean.ro/EN_en/document/Invoice_Notice/958194924/DMHK-Umcqr_qkB-C2/
http://dizinler.site/wp-admin/css/OWTfx-83Ei_cnaBwr-gK/
http://doctorbondarenko.urbanhealth.com.ua/De/LASLNJ4680356/Scan/Zahlung/
http://door-ma.com/scan/Copy_Invoice/SZNMF-q5_U-Ss/
http://dorispeter.co.ke/US/download/Invoice_number/VSYB-hdJ_uFqjk-cy/
http://dream-sequence.cc/US_us/xerox/Invoice_number/bZKVs-g3_lyfoFn-sj/
http://drnilton.com.br/document/tSyDD-ucWo_PspeK-uX/
http://eh-simplicity.ch/DE/MWMHEHSCI4912889/Rech/Fakturierung/
http://ejder.com.tr/En/llc/Invoice_Notice/lbUuX-5TMPH_M-S8/
http://elijahngaruiya.co.ke/Februar2019/ISWZPEUO4434465/DE/Zahlung/
http://elitepestcontrol.nzhost.info/DE/WNJQNAPG0214475/Bestellungen/Hilfestellung/
http://elizaygust.cocospark.com.ve/DE/ZKDJMFWXZK7899596/gescanntes-Dokument/DOC/
http://emeralfgroup.com/DE/ADBWSQB8304990/Rechnungs-Details/Rechnungsanschrift/
http://emmahkemmy.co.ke/Februar2019/TYTOAYAUN1165559/Rechnung/Rechnungszahlung/
http://emporiojf.com.br/Februar2019/IZBCDQSBH7485666/Rech/Zahlungserinnerung/
http://emrecengiz.com.tr/US/info/Invoice_number/IbLME-Ef_nReeMdyRQ-fKP/
http://encontrodesolteiros.com.br/Februar2019/TTWTUEY4380127/Rechnung/Zahlung/
http://enh31.com/US/xerox/Copy_Invoice/gfmB-fmFX_mxliUHWNR-j43/
http://equiestetic.pt/info/IyiO-Zkky2_JYvy-oY/
http://erenaydesignbuild.com/En/company/Copy_Invoice/Gdpa-fbGWV_ZmRzsu-HZO/
http://eroes.nl/Inv/kbwU-V0xXX_uDMdxque-lg/
http://essastones.com/DE_de/VJUZGDEL3702027/de/FORM/
http://essentialbusinessfunding.com/corporation/Invoice_number/Qrvf-bdQm_LKmIw-t9/
http://esthernyongesa.co.ke/DE_de/JURLKSLGU9851343/Rechnung/Zahlungserinnerung/
http://euniceolsenmedia.com/Invoice_number/9035569694/gOitV-IgFC_fjHLGquMO-jlr/
http://ewris.se/En_us/download/603426478776/BBNQs-Zsrvs_kwvJ-b7r/
http://family-stobbe.de/Invoice_Notice/waQT-y7R_WjjXci-TX/
http://femconsult.ru/En/Invoice_number/063685399/qxHOA-o2_J-e5/
http://ffi.vn/En_us/info/80073723569480/erNce-0I6_XVuhNGDLI-HMs/
http://followergn.instagram.webtoaster.ir/file/Invoice_Notice/Fufm-I9OUp_SlBNEKyKp-WN/
http://foodfithealthy.com/UVDLFV6662688/Bestellungen/DOC-Dokument/
http://food-stories.ru/Februar2019/HOLUYFWH5898818/de/FORM/
http://frispa.usm.md/wp-content/uploads/download/Copy_Invoice/yXWnL-ciMbk_gzYW-rN/
http://fupfa.org/En_us/llc/Invoice/KJpLI-eW_hmKUEBia-yO7/
http://fwpanels.com/US_us/Inv/66003684747228/DYmql-cT_UAJ-Ta5/
http://galeriakolash.com.ve/EN_en/Copy_Invoice/3823962600/yxTb-Klswi_NQuCYHBEV-4a/
http://gcfilms.org/En/corporation/Copy_Invoice/doHgv-8bY_ZHBTWtZ-mLI/
http://gemsocgh.gpmedialtd.com/De_de/ZDFDADC8370691/Dokumente/FORM/
http://glencrossdesign.co.uk/Februar2019/MGJZOPF5227562/Bestellungen/Zahlungserinnerung/
http://globalrecruitmentconsultants.premiumbeautyhair.com/DE/JKORFPCG4632090/Rechnungs-Details/Hilfestellung/
http://granjamatilde.cl/De/JGUXOLALP1355549/Rechnungskorrektur/Zahlungserinnerung/
http://groundswellfilms.org/DE_de/YXIQUN9237211/Rechnung/Zahlung/
http://gslegno.com/De/MYAUGF0391792/Rechnungs-Details/DETAILS/
http://halongecolimousine.com/US/scan/Invoice/HgGV-Ql13f_I-XN/
http://hamirani.ir/NHKTVOYY6627663/Dokumente/Hilfestellung/
http://hannahcharters.co.za/de_DE/MJLTWAD5184537/Rechnungs/Rechnungszahlung/
http://hashtagvietnam.com/DE_de/KKGVUSCF9898646/Dokumente/DOC/
http://hdtv.teckcorner.com/DE/BZNUHQE0355083/Rechnungs/Rechnungszahlung/
http://herbaty.zzdb.pl/De_de/ECVEDVE6816030/Rechnung/RECHNUNG/
http://hifucancertreatment.com/wp-content/uploads/EN_en/scan/waVr-0A_mVwcJ-SBz/
http://hipecard.yazdvip.ir/de_DE/HZLIAIMQ7385451/GER/Zahlung/
http://hiqpropertysolutions.co.uk/US_us/corporation/oriCO-qNozz_kFBOxwYQ-eJ/
http://historymo.ru/Invoice/MfNCa-nD7_N-Tr/
http://hnhwkq.com/download/29633049804074/lXydq-L3Ss_ZSCDIr-0Oo/
http://hoanglonglighting.com/de_DE/SNUIDMQ1187026/Rechnung/Rechnungsanschrift/
http://hongcheng.org.hk/file/Invoice_number/kAPhh-fIx_SJTDc-G1/
http://horse-moskva.ru/US_us/document/Invoice_Notice/hkuP-IVis_SdfMs-wH/
http://hotstar.me/wp-content/US/xerox/Inv/rUkDi-zs2V_OoWR-A35/
http://iantdbrasil.com.br/EN_en/scan/Invoice_Notice/44485171469/szzns-Xrxfb_zKWZzPkd-YX/
http://iguassuconstrucoes.com.br/mkt/Inv/KJfF-dm_ag-xk/
http://imran.teckcorner.com/De_de/QCFMCY9853738/Rechnungs/Hilfestellung/
http://ingramjapan.com/En_us/document/Inv/bahX-pvh_dDIg-wz/
http://irenea.com.ar/De/RSDBKZULA3244804/Rechnungs/DETAILS/
http://istekmuciti.com/wp-admin/New_invoice/efIr-gRxZ_U-EB/
http://itseasycv.co.uk/En_us/Invoice_number/884480741/lFGEV-1t_lic-cc/
http://iturcja.com.pl/US/Copy_Invoice/KoRe-rT1_WhZw-Lxb/
http://jamdarjam.com/De_de/CBMHFVRADL2731070/Rechnung/DOC-Dokument/
http://jaqlee.co.za/EN_en/scan/kMxT-rX1DC_GUw-ck7/
http://jaspinformatica.com/qlpN-ih_jedKZH-Lf/
http://jawbs.co/wp-admin/doc/Invoice_Notice/BmwGu-YL_Y-F2/
http://jerko.novi-net.net/mama-malog-zmaja/wp-includes/Invoice/pmst-TtZj2_wZnyKXk-qaM/
http://jeziorak-taxi.pl/de_DE/TRSIXOXE0283839/Rechnungs-Details/RECH/
http://jiodiscount.com/US_us/doc/Invoice/umtP-mURI5_hHuYA-LeM/
http://jmbtrading.com.br/DLTyU-Ty_nZUwU-0TO/
http://job.tkitnurulqomar.com/En/llc/kSAUy-A89_C-7RH/
http://jobbautomlands.com/En/scan/New_invoice/nABf-lG_xbsoVxMS-EG4/
http://jungwacht-diepoldsau.ch/US_us/corporation/New_invoice/vLzBK-mFw_bt-WUe/
http://kadinveyasam.org/US/scan/Invoice_number/cLJw-3BBbi_XC-F8/
http://kairosleader.com/scan/Copy_Invoice/ncyw-7vOt_agUX-ezp/
http://kebunrayabaturraden.id/En/llc/Invoice_number/MdUt-CdMA_Vnav-W4y/
http://keenpreps.co.uk/DE_de/DZLOFPQW1119776/Rechnungs/DOC/
http://keshtafzoon.com/fbMP/En_us/nZUB-b3rAT_jCwM-Ye/
http://khpm.ir/Februar2019/WXZGEFSDW8579548/Dokumente/Zahlungserinnerung/
http://khpm.ir/Februar2019/WXZGEFSDW8579548/Dokumente/Zahlungserinnerung\/
http://khzwl.ir/US/Inv/NNnML-VGRZ2_FV-P7E/
http://kostrzewapr.pl/css/EN_en/LUEQ-03j_HcgPoYnh-S1P/
http://kumarprodesign.com/file/Invoice_number/aVUAh-7RJeb_jglACX-5g/
http://kymviet.vn/EN_en/corporation/New_invoice/GHtP-Sz_J-b6w/
http://kynangbanhang.edu.vn/DE_de/TKZKFDJNB0748079/GER/DOC/
http://kynangdaotao.com/corporation/Invoice/24280260/gshoJ-rrLax_ohyo-AYH/
http://lacledudestin.fr/llc/New_invoice/YvZWZ-4myR_URIud-Mj/
http://lambleylodge.co.uk/EN_en/xerox/New_invoice/918364837/SOqE-egY_RXSqS-zwq/
http://langotranslate.pl/company/YdDy-rL_V-9Xr/
http://laur.be/US_us/company/TnDwD-p0Tj4_ZkNroqaJ-27/
http://laylalanemusic.com/DE_de/RUZGCWIJQ3806584/Rechnungs-Details/DOC/
http://liketop.tk/En_us/company/Invoice/BQmyd-d9RPL_gl-vyM/
http://linkyou.khaledahmed.tk/file/scPI-3BBhz_vxAUAq-He8/
http://lisans.boxnet.com.tr/DE/LECAGTJD9003505/Rechnungs/DOC/
http://lmgprophesy.com/US_us/doc/lLHhS-P7t_HnVOY-0Q/
http://luckfinder.co.za/de_DE/VAWWVUNE8386207/Rechnung/FORM/
http://luvunoberyl.co.ke/US_us/rnnnL-Uye_ZKGBRhAYB-Kw4/
http://madrastrends.com/EN_en/scan/VBbW-YgV1_FlHNc-Ka/
http://magnetic-english.u0449571.cp.regruhosting.ru/xerox/Invoice/WLSfz-EYYZs_XcAs-KF/
http://mail.propertyinvestors.ie/DE/ADBACLUAM5320384/Rechnungs-Details/FORM/
http://marconuenlist.ch/KQQGNCDOFN5346015/gescanntes-Dokument/Zahlungserinnerung/
http://marinavinhomes.vn/En_us/02033242755291/UjlU-CH4_r-or9/
http://masjidsolar.nl/EN_en/Invoice_Notice/DzYtu-X4_BQETXE-016/
http://mat-bansgh.com/DE/YZFCRSAWKE1998409/Bestellungen/RECH/
http://mathkinz.paintedviolin.com/US_us/company/fGVt-PGaT_drL-fGT/
http://methodofsolutions.com/corporation/Inv/Rzztj-Rq_lH-iF/
http://michaelwringler.migallery.com/DE/UYVUVU1006485/Bestellungen/RECHNUNG/
http://milimile.pl/US/Invoice/9885325/fhKa-Bx8_nxivy-rBQ/
http://mingroups.vn/En_us/info/Copy_Invoice/klAn-W0Im_ADL-ua/
http://mipec-city-view.com/En/Inv/ltPry-JR_WKit-phA/
http://mpo.firstideasolutions.in/fAdqt-eXyR_iI-Nr/
http://nami.com.uy/EN_en/info/Fexg-bK8R_jmz-F93/
http://nanya-tlm.half-straw.com/En_us/document/8250362786601/dKyvQ-l1s7_lAKNvE-EX/
http://napier.eu/UAMDDBYBAV4874596/Rechnung/RECHNUNG/
http://newsmediainvestigasi.com/US_us/doc/73649729271/vVPuj-SSs_I-2q/
http://nightonline.ru/images/scan/tScs-t0_T-P7N/
http://noithatchungcudep.info/US_us/info/Invoice_Notice/1478181598/HocCg-SWdk_OhkMQfE-lPP/
http://noithatshop.vn/En_us/corporation/04378129/baVj-GT2gt_lRS-YX/
http://noitiet.familyhospital.vn/DE_de/SAKIUGVO0710659/Bestellungen/Zahlungserinnerung/
http://nova-cloud.it/US_us/scan/Invoice_Notice/kipI-4v_jsOoO-PF/
http://novel-digitalindia.com/download/Invoice_number/qSIV-Oi_ANYq-w5/
http://ose.lazyeight.tech/En/Copy_Invoice/GzRwS-4KEA_mpAoH-Ud/
http://paginapeliculasonline.info/download/Invoice/NBlp-sg_TUiXtgU-if/
http://parentlism.com/En_us/download/VWOBL-VNBa_syuIW-0iu/
http://parkklead.com/US/info/BcXD-aQK7Y_JPoyb-yg2/
http://patient7.com/file/4436736/Lgva-DpbSx_w-1hm/
http://pharmavgate.com/US_us/file/Copy_Invoice/uewk-hpvk_ox-zP/
http://piratenteam.eu/US_us/New_invoice/QUlAC-YYv_YTgu-DhR/
http://plugelectro4you.com/de_DE/UMNJTDP6323223/DE_de/DOC/
http://pmpclasses.net/Invoice_number/49851061083/uPlpe-M7_Vusdh-MLP/
http://precounterbrand.com/de_DE/ZSLJDNYRI7013367/Rech/Hilfestellung/
http://produccion.sanmartindelosandes.gov.ar/wp-content/uploads/En/download/Copy_Invoice/Ihpyw-WoX_N-lRv/
http://recovery-series.com/US/corporation/Invoice/hQoIV-ZY4_W-SAD/
http://renbridal.vn/En_us/llc/IUoi-s1N_Qvb-D41/
http://research.fph.tu.ac.th/wp-content/uploads/US/download/Invoice_number/4625493021388/Ujmwm-gh_twINmUoZ-4Cc/
http://rohrreinigung-klosterneuburg.at/US/doc/zqpNl-gE_ZLYCn-61/
http://rohrreinigung-wiener-neustadt.at/En/info/QxzU-a4vRc_mipHrTA-RKH/
http://salamat.live/New_invoice/taTVS-kAb_ZjMVl-XC/
http://sankwela.co.za/En_us/xerox/New_invoice/6652931/cPEta-4Nfd_n-W74/
http://sanxuathopcod.com/US_us/xerox/iRJbH-YV0_HaIxhp-TQY/
http://seara.com.br/resources/En/llc/DmRIj-QB8rB_wQmAwnBh-lw/
http://seecareer.com/US/doc/Invoice_number/cjAY-GVg_WpOXL-bNi/
http://sergiogio.com/US/llc/kuMWh-yD_ogLs-7y1/
http://sergiogio.com/US/scan/New_invoice/brFS-lYrB_JtvT-eT/
http://sgl.kz/DE_de/XFRCWKD9684045/gescanntes-Dokument/DOC-Dokument/
http://shop.kaishclasses.com/En_us/874870944/MCBoR-nIj_QpI-5xk/
http://sisolite.com/En/company/Invoice/5552157/vvlx-mnCk_ISRWHPNZ-c42/
http://slobstil.kh.ua/download/drPQc-gwq_PSpHxj-5p/
http://snrteknoloji.com/Invoice_Notice/wDpDj-CTOCC_tCdYkShOS-lc/
http://sonharvaleapena.com.br/En_us/Copy_Invoice/25680423862/DQzlN-cWhrF_yagnF-SPn/
http://sosh47.citycheb.ru/doc/Copy_Invoice/Pkfr-iv7o_LCHUmkmlU-r6T/
http://soxmedias.com/En/corporation/Fjpdb-QbC1_JhwJ-pXb/
http://spb0969.ru/doc/New_invoice/wvGr-kpaPN_J-krC/
http://speedyimagesigns.com/En_us/llc/Invoice_number/XVhth-THW_xTfZAkPKT-kH4/
http://stolarz.wroclaw.pl/En/scan/Invoice/12211301/GtGBp-YUQj_ergq-t0/
http://sts-hk.com/wp-content/Inv/PsDXW-WSI2_mcFhg-sj/
http://sugarconcentrates.com/En/file/Inv/7230677278/xQRl-myZ_k-tf/
http://sugoto.com/wp-admin/US/company/ATzL-bIqAC_J-2i/
http://sutline.net/file/New_invoice/BNPo-YLA_lBqVx-Qt/
http://svornitologia.org/file/FKDIF-Lk_bHS-iKs/
http://swlu.co.il/document/Invoice/8574733589/WTdnr-MMWe_GEhCJCKJP-56/
http://techieclave.com/EN_en/llc/Invoice/KaKr-hJv_qLnJTti-IHd/
http://technicalriaz.xyz/cgi-bin/Invoice/uYbP-nLW4_J-qC/
http://tecnovas.cl/xerox/SVmtF-Fdk_espLunA-DaW/
http://tekirmak.com.tr/US_us/doc/Invoice_Notice/ZbKO-6u60_EFCPbr-9X6/
http://test.agbaclassicmedia.com/US/corporation/836934222927347/PwkR-VD_dzIAkk-Sv8/
http://testari-online.ro/tk4zjcl/URqX-1JoR_Kbhs-b5w/
http://thefragrancefreeshop.com/de_DE/HKIJWU9413394/gescanntes-Dokument/Fakturierung/
http://thptngochoi.edu.vn/wp-content/uploads/AKTN-A7O_ikebSn-Wi/
http://tisoft.vn/DE/STXXHEENRC0814488/Rech/Hilfestellung/
http://tmmaf.org/wp-content/En/company/DRfF-sW_N-bQ/
http://trandinhtuan.edu.vn/DE/SNDLABM5014270/DE/RECHNUNG/
http://trandinhtuan.vn/En/document/DVJjg-mM7_Pbrpg-qv/
http://tsogomediakit.co.za/US/info/Inv/raGw-m3_POzZX-XFv/
http://uit.suharev.top/En/corporation/Invoice/piwfE-wK_IVL-V3S/
http://underme.website/US/corporation/Xgrgy-NcVs_euhv-Fyw/
http://unicle.ru/EN_en/chtY-Ovrm_zDbHH-sl/
http://view52.com/info/New_invoice/mgcW-rh_PJaApL-ds/
http://web55.s162.goserver.host/DE/IZCMWPOIQ1294729/GER/RECHNUNG/
http://weresolve.ca/En_us/company/New_invoice/CbbT-bb9Ql_urEa-Ahe/
http://wibblit.com/EN_en/info/mdJM-Kf_PbWoyqdd-DN/
http://wompros.com/US_us/document/Copy_Invoice/BsgAO-XH_mhJ-xG/
http://wp.berbahku.id.or.id/16457335339/TwFyA-yt_FzDO-lN9/
http://wpdemo.wctravel.com.au/US_us/Copy_Invoice/SMhWW-srF_sGkAbZ-ia/
http://www.andrepitre.com/scan/New_invoice/ODZXS-Iql_bRgGIEoku-ruD/
http://www.devisschotel.nl/US/doc/Inv/TWQF-15dp_ldTNfbL-Ev0/
http://www.gardendoctorconsulting.com.au/US/Inv/uCptW-0aw_wLrnvbW-6X/
http://www.genelmusavirlik.com.tr/EN_en/corporation/Invoice_Notice/8998194/dBki-eVkIl_oDmNDr-ai/
http://www.georgeturp.fr/US/company/Invoice/eRYE-Waij_AfUC-Sxu/
http://www.madplac.com.br/IFZUVG1220472/Rechnungs-docs/RECHNUNG/
http://www.mpo.firstideasolutions.in/EN_en/xerox/Invoice/ZBwt-ES_vkvEYNM-le/
http://www.oilrefineryline.com/De_de/MEOIBNMDH2613801/de/Zahlungserinnerung/
http://www.ozgursimsek.xyz/doc/129827788/gSHie-w5f4_YdYQKMiOH-yv/
http://www.pattani.mcu.ac.th/wp-content/uploads/US_us/xerox/Invoice_Notice/5179098/jRUW-jVOF_O-am2/
http://www.portal.gamehivepk.com/En/info/Invoice_number/VEKmT-LN6RU_GtE-NT/
http://www.rhlgroups.com/doc/Copy_Invoice/meLp-54CZ7_Vy-sA/
http://www.seara.com.br/resources/En/llc/DmRIj-QB8rB_wQmAwnBh-lw/
http://www.softsale.ie/scan/tUECA-EFC_AXRVlr-lZM/
http://www.stormcrm.com/US_us/company/Copy_Invoice/FnslN-LZd_fnZdmV-XlN/
http://www.streetbizz.com/xerox/Inv/2320788647/tHgDB-Vyma3_rPGJU-8l/
http://www.useit.cc/imades/Invoice/nJfgJ-nD_NwNQeaTDR-r8J/
http://xn--12cs3ad5a6alt7c1a6cva8byhn4hnno.com/Invoice/NFzmb-8IMZ_gHcg-tY/
http://xn--90achbqoo0ahef9czcb.xn--p1ai/US_us/company/6600588342/pREm-2Rq1_TGFAyK-wvi/
http://xn--90aeb9ae9a.xn--p1ai/En_us/company/86292351/tppR-Ssdb_SxULZKP-76/
http://xn----dtbicbmcv0cdfeb.xn--p1ai/DE/UOIGXDS7797753/Rechnungs/FORM/
http://yazilimmagazasi.com/scan/14443812417/yaaTz-lC_XMeQVwf-bml/
http://yduoclaocai.info/US_us/info/spbI-AyS_rmgdelklP-tW/
http://yduoclongan.info/EN_en/info/Invoice_Notice/qzLF-QWNk_eUaJAFR-h3/
http://yduocsonla.info/US/company/pnco-tGoyj_WkURfifQ-zP/
http://yojolife.site/US_us/download/Copy_Invoice/hsxh-Bycx_FxUt-CI/
https://94.250.250.29/US/document/Inv/52344797008/DiRY-bp_I-p14/
https://admin.staging.buildsmart.io/US/doc/New_invoice/zswk-ai_mE-d1l/
https://captipic.com/EN_en/file/KIaE-a8xIU_JQ-iW/
https://ftp.smartcarpool.co.kr/lf_care/user_picture/EN_en/document/Inv/YXeTY-LS7EU_tKKoxfl-ZT/
https://misophoniatreatment.com/Februar2019/JOQMQNSY7255255/Bestellungen/Rechnungszahlung/
https://noithatshop.vn/En_us/corporation/04378129/baVj-GT2gt_lRS-YX/
https://precounterbrand.com/de_DE/ZSLJDNYRI7013367/Rech/Hilfestellung/
https://view52.com/info/New_invoice/mgcW-rh_PJaApL-ds/
https://www.oilprocessingemachine.com/US_us/download/CDWRG-W4_rAkUMz-I4/
https://www.oilrefineryline.com/De_de/MEOIBNMDH2613801/de/Zahlungserinnerung/
Epoch 1 Payloads by Document SHA256 - All Times UTC
Creation Time 2019-02-12 23:03:00 (XML Based - ENG - Off-Center Light Blue/White)
SHA256:
fc6cb533a710fa5bdaba2a06f103a8147b78911613d5ec0520bd0c4282c49acd
dcc6711a8116b1e24aec79e5066b4aa738c2afce77656c5150bb3326aaf8579c
1f80bc1a597f55db4ecbf15b6485381153514e782469db4b9e64ddcc2f8badab
a05e4ab8c16c70515ea939a15cd9498e94cb939b600326d18937aa515e3fe8c2
a4ef612e70535abbbdb168a51f1d7e524ea19747e93616dd5daeaca728cb1fb6
0e7f4733841d308e03be632e980133f37432ec209e5f755a6f2f4365153279fd
76cd96db24625e3d9ae47f7618ac30591f6c15e7b4a3446d57c03f586737373c
0d782eae48a64d70cf4a4c87db6d0d0f5410f894b0babeaf927352d4e2574029
3722e38dfc6445a03e843fad423a8f401c24465817c2c65c7150d459851f9e1e
dcf2062518f5f3fbf54499fbbe8ad8c1ab2b26dbe92ab36f1be3720b61d2808b
31269fda4663bc5f6bba68346a4d151ac496cede9f82b0efebc3337aeb4d459c
618b59745eb94d620354bcefe413d57c1d937bd7fb15193c7388e8b2cb8ff79f
http://threemenandamovie.com/80cpPqqvN/
http://www.shop.kaishclasses.com/SWOQMT0yK/
http://carbotech-tr.com/R2QbHfp0g6/
http://yunhali.net/wgY34DKiTK/
http://vcpesaas.com/u1yK11gR/
Creation Time 2019-02-12 19:35:00 (XML Based - ENG - Off-Center Light Blue/White)
SHA256:
0502f2e7e2957cac9d41522a78c1a8af1b4af4f84b51fafb6aef226e48129c68
51e4683c429a41b0da3dbbd17126ab5327d4ded1f4bd4be381a42e65f5d1b84b
6b90fbab01749462a83cc4dc452b96c77ca0b975acad0d81d8fee1720ca39d2b
72651486495d44ab46894a040a7f3e49a8758ea33824dced8d854b7863b97d2a
e9676a11a36d147aac2c5781a8270b45eca2f2509b2c95b2b668d4d1077dce2f
275973f5340096999efcb1d5c11b2c6c396c4b114add07483ff882971a704d8c
e7fa0b77579a3dc649ebed6943d422820bb519ba316ba5261c07dadced0cd8c3
dd0ff448256f42d345e5c4c3fc6709f58edf50cef095a2aded59ed9524de4f45
48e06f2d44bdc24a9629f5fa8d3369973f2e1924e8e8279f6816424518972057
bb061c9e051fbebbcabdb7783bbd4b4cd64e750d3bf3c1d31c4cb94d77749985
30d6db8fedcca6feeb2ab6f64a2c0778e0bc3bc47d55f902cb0c047bd66480e3
8e416277ff178c7f4825946d3f57c35b7ec1a15598616b6d9f1fff8acfb64c86
b602df8a91e19f796e824c41677601f52e31a3aeee07add3427300d6e0f3f35f
3758752a73c0be622d0f99eb301eb447e3f57db71c916c1add6dc801214cf032
0bd765d8980595f4618b5ffafbe9d4a607fd167cf91079aa4f207cf57d1bbb6d
bc4d532da6fa3b8bee4c159e9e96a03b3e9800e938033ed6820076fbaa05603b
0dc73d739c5df89ad2ff7f54cd37b53a529d95b766e36ade366aa394d72b4025
5a64216cd578341e9826d5ac879207015eed1c926ba1297d768efb964592d0cd
http://maypinnoidianhat.daocatdongphuong.com/ynS2TLz/
http://tongdailyson.com/k1cOU1dZ/
http://affiliates.tayedi.com/V5b8FxZ/
http://13.126.28.98/LQm0xocMF/
http://tycpyt.com/t6jjqrkM/
Creation Time 2019-02-12 17:29:00 (XML Based - ENG - Off-Center Light Blue/White)
SHA256:
0c969d5ad8febbf86af5152a0913bc56bab3951f51d15b60726e42d2e3e0bdf5
cfdba67703138690e3aca7cac99bdfab5ebd86d240043e254218ef845c382e10
5fcb69534f967d1724ceb8561472f07c1abd13cb98ea1c8d63009788c27170bf
ac806d78d25581983f1200b8f3d89c233a76c9d87b03ae1d929ea89d0a72edc6
6e133fba8492978c68d2157f4eabc23643a0eef9d8dd2aa2a26e60d3ebf847ef
dd8ab9df12ec9237a07e1b934a1aed3b934e90484f04893343b34afccd7fd5d8
2b0e670389e4e92743752e217eb624f285d205bbbb69502201a291680164b8d6
558f43491473de9a3b553cb99ecbc26f670d768f637291d3873029862f1bf79c
d23c7abd3719769158d6a04f512bdae7273163e74c3e8e165a387842f3430353
2330590939e55a145dd194bd887164df0dfd62fe01b19b0191bd62e4f4fa8192
01a5f6ecb789da2ffa5311b070f2daf717a22cb5e6334a43fb9aeec39d69b55c
http://borsacat.com/9onrkqJ/
http://chileven.com/YAsyS0Mslz/
http://huyushop.com/P2ryBfybD/
http://fatrecipesdoc.com/I20clMx8/
http://idjvn.com/eUBrJig7/
Creation Time 2019-02-12 12:58:00 (XML Based - ENG - Off-Center Light Blue/White)
SHA256:
cfa86f7c0747366956caa5999d6cedfcdb31b54af92e59ae19a169ee7c8d0ecb
e5fa58292e2756ae00924b1e5df8a6550e0fd1f185613082e6113cc634bbf48f
ffdf67f0ce47db4d500f197eaf291d2c1d3a9c7077c1c2c65150dac0b23e3db8
e8e4e5623d3e377465e43a2c41e4dc55f8f42fd7b6d180d35e00e72934234edf
9037ce04ef215a748b74614bac6b49ae8112396d666e508a973a06ade1be0ef7
3b4c9ba7c1a39a107b6bbd84bfd1d7b91fb6b564c90698c78a646b1c682d5441
44f2ac599629b24bb197392a9795fd1aeb4d0a57d2b9b9e52f44d9a5d757d166
0f317e4abf5a7fd99874352c192e1e35714c8150a547d648c261fe705a2aae1f
e8cccb94208d3670e38219b798a6d7a1124428a2bc014609c26d1232a16b21b8
9fb5e5242394557e27ca3ccfc492f7db0f7474662148a8797953df702b4d78db
938cfe59ca776ced6383df8ad9b496121a6b6183e4053af68a9c214141a82bc3
4b8b2e718b08ec87e051d268895c1c2c97f0fd960cfa91a069c8b7d2f5dc24c3
7d778c558b2ffa03b9961ea87926ee8f2d596b42a007db27a434f46c62ba65ff
d023efd7eb4b52a51534b2191c9953068b1fad7348cfe6320d0353b092195fb0
10b21a4e9c2b68e82bad16cc714b0299959fde08793c94cf82bc77056d105676
10522785e03660974f9f3602f8ffe26779141f19d41dfc3800e3c016bf53506a
a2dfbc8d9597e7e1eab934a350435c5b1c4d4a1ba1d4571d9db77be823dd7231
cbe11c5f44d374df8f9f671b4668d23a0405da91a7b1215d30e288fc26c6dc07
8d4c196e67842e55c560f75097d0dee39e0e9cd4d86ab5d9770e794ac94c2b71
8beec0df1710604330dccbe373a36caab18e68f67f2cdbe892392e6fdb1341b1
http://dadafaringostar.com/rtQwT55z/
http://file.lauasinh.com/PXehLPPl/
http://angiras.org/x8BjaM444I/
http://adsuide.club/y77QTKhV/
http://michaelwringler.com/IRYYqPb5N/
Creation Time 2019-02-12 07:01:00 (XML Based - ENG - Off-Center Light Blue/White)
SHA256:
62f7aedf583ad718d0230898e895ba7c3d85367981d000b0caed3c527fbf95ab
ddb82646c9711b8be140448a2dabbd17affd57a2fe066a21d160a3638eddaf65
50064c2b9346c1733dcfee5c8e27d9b62d2b17e1fe2d31f6e6b07635166aba85
aac4fb4af39506baf7344bc47cb69d019a23fc01ac9e94a64a4e02a7748ef867
3440a1a84cd06de89e87040a67b01df861985be6d3a77f9795ce1807710a8431
afb3f90cd3fcf89669ef4050be4d3854440fcc3f7c9711909f375a863fb3af0c
5ef28cad0d97b33411fc3af948722f6b08624af3acc068fe8a407947bd8c3b02
a8229ad9e1fc18a7b1b9e0757c3bb6e4cf590d639e822b7d8396053927cdb7c2
d3f15e99170ac48ddebc6c8ab0e924cd6216053fb75a1c96fda51a7acaad62df
36eaab2c2a6c7993f6fe9dc820f4d3e7756abc8a863a043d6a8a76bb244808d4
0f797863d71c2450f46d5b1c9114d1f965162c078a4a3616e72d1cd0dd7a6418
66d7af4267bc90acb817100358bea433d9c2ac041e04ca86fc7fd292ebdd1a8a
74c91cc572b3f52fb3668f9157d85f648dc098f519de630320846335220bbae5
1f5f96828408d84e96aaf070c8923fa3dd868a2a7e0696d932be9512ab6259ad
a0a025ecd8933977f60586310ef0424abbe3411f184e6dbf7da14227b2a40c96
23ceeeb084708501aa017648b1123d8c5aac7eb0fe53093cc40ec41106ed4ec3
ee42820f88a256b2ac0c24f4fce2c347e7b89977114ee962910b9c1e51b8cbf3
872e1bdbf5efcd65c8280f1c916940efe191d41b65e71613b9c4417ef333cea1
98d6031d127ec25c0e69004e0f8b9fd51cf69632ac987e822d2eb1b47ea289a5
0ed2c61eace0f4a4c9a003ac04510c36b72094a220e51087d99f7b768245df21
5cc0b4d23a9bdbebba55e03f3c132d6f0ecb64f43cdb1a066bf544f4368a7efb
c07cafda7a704484323d451ef4b67eca2e2201ff786e011352c0387955ea3973
dc890cdbf81c9a5e6bce33592ad1a527ec2a49d368771901f3ab21dc7114c7e3
ce32a78bf3c64e1a8cc4a64fbb9b02d3eadae79f0c2f013b0f00d2247aba165d
0efc7dd6dd50d2a4ea85a28433928af55b64a8a6e62bb93e9b77d25fd9b32f46
2b0e3ebf6a1a31c2649c81f3357d63ffe4b85ff6afa01eb696f80ff69f8f188d
d490fd563659f0c291a963d3984e4c680f22326a9e5bde6f7bbccc22deebee05
d5100b839cd2beeb9da35efe8092cad06829cde92565b51432a331c6a7153ff0
1a6e50247910449b0a02c6983682ca67c7262e4293c447d1c0f9fd4912176e2f
2dc1bd2fe72ed309e65d8b1c29a081ce26b7ab4f8520d94630b2683482aa0c74
http://miamifloridainvestigator.com/31OYftWmPs/
http://nrnreklam.com/JxRnXI5/
http://stemcoderacademy.com/qYPmDDcr/
http://nexusinfor.com/pFp4vo9bZg/
http://waaronlineroulettespelen.nl/y9Sb0nnqe/
Creation Time 2019-02-11 22:05:00 (XML Based - ENG - Off-Center Light Blue/White)
SHA256:
f6bdc7cceba1250a19b83d0d83f3dd385fc609da3a09f0a9d208d3aed38a4208
3c7ea3d562d1f02a1968766f242e4a1fb9ac289aa3d19bdeb5784c906dc4b326
cbb21f7231c61582c3d30d0643b1bda8fe2cf5139ab06359d04ce87ed666a0c1
a40b1406440fcb871ddfb4dd0680e9fc617fc28381d118e490ffb0c5fb8c274c
39ac97bb4bf0cae5e73a9c6b44d4b54de204d1a190849fd251c2e082108fa297
ec93efa30593183c280c682ee9df89a7ac2cf8e5a3c542cfce3c3438f85304b5
620e8be300be6caa415fab883a0180b22b97f7f9108b4a18dd7baf32ce4bbb54
9cd8bc71cc176edfa223aa1ae6d9ca8c917c95b7c9622866982559e144006190
8a7305c21575ec7bda6e5381a7cefa0ff8b25821b3e2642c54cb3990c5f9ced7
f1955fee93d9bc4e5911eb5744c452de74a0ac75639c178bac0ae4a33932cbb4
2653431c554fc8f7e95c4ffee39297c6608b564df9a02bfed65c2380e75a30af
7189f117a1fbc4ee9d9bd61270fa4e61da7502ae94e32bfb3be6bf77b27a9c28
63fa99785856e6660f75519e8d9ddc46cd7a3616625182d5b08e0306e64e0405
b2650164aaf6f72b5fe4b12ec5a1b6fc0a4655ffed06488f9871aab068599945
32521609ae00f63202449b0ee69bebc73308f9799bcb4b257dc8847efc508fe3
406c40303d418ee6b2ff61301532d451ab00fb5d644968d46498296268f5ee11
c1021e32f0c5c1faa5cef5828c72dcf1157a93c4fa83f94228e37b55ddc49ca9
6c26b4d79020ebb8153df783d36010f8b5e1fd3f76baf1a3e3c0f08d6f11b756
7254929e5c4e13882ab0964aba39e3bfd1ff3b60b29efc4f13fc92b568c53a6e
e59ed25746b3cb969a3c002003a22c7a216322bba8c967d79a3ffb0463f2fd90
5acdd8044287ccf56da2c17461257d54e31b6df03fc9bb3ba0a2a4e20468731a
275e761bfcb70339ab38973e4c0595fd6e2e5f1a0b87102ae1277c5b00a476b1
c6ae823e7874e134cb64857b9d5ffc1786f2033582238085ade72b1be67ff6f9
9f48c4e1cb954501e9363a4f38fd7216c72079e38c2d42e39c1790aabcaff564
b708e0ef4541dbc50a5360b6da580434dc397506e86f2e7b045cb61577182d8d
b18a9b23703bc3ed5661f230932a8ac20a6308cf99c85049763a95c0ffce39d0
41a1c941755c81a840d3c4a441d3889e5919671320a08865600ccfd385c54d90
d37f447bd0e9197bbbfc47fedf58260b23ff701686b8c63222cbeee503e2ed8c
bf955effdc5f182cbaeab37fb2b3632bc31af648a13a554df1e342486d431126
5a6f992c582b01c8ecf2db9b23e717b8cc43ca32c0459133d84e9168744fdab8
6354726563e8997b451f44f44abe1a074ba551fdc5a2d397dad2c19ecc8c2b64
5ddd222002563ef79cdb6516b5853c5010edccefe8e9302c8070a0082982a4ca
ce66eb4a3aaefd514d9ea842f41c1162a686cbd141fc6fa7078476fa58378f9b
25f4e1372cbec634c012d01b481d90f7c6ac71ba6c931318e7e6f6975c155eb6
9ea05b312e68099c4adf672f151b4c7a1a97017ddb5762b165c873dd2789a099
fe297945fd02b6ce9bf4acc5f7f06e1055fb8b524731bb322acccb32034aa6c6
http://jejakdesa.com/VLHgib2Jc/
http://ergunhks.com/YnaC64FW0/
http://54.164.84.17/9e1S9ff/
http://45.33.94.177/live/lib/xwXZdEcb/
http://54.175.140.118/7JJ1OGEAp/
SHA256s for Epoch 1 Payload EXEs seen on 02/12/19
d2e3f18bc0c11936ea764426bd7abec07de03d077620cc76ddf3cfd4f05d702e
d93e278585c018febe2210754ddd47252837f7c4c0509ec09d3b6b90d22a9479
3666a83c5eae9c11f21140a54e91eeedb569100019cb2c5cb6d63ff523324368
23ab1c4b7d20d856455cb33ef61ef454987a41b5ee5545470c19994a643606fc
e45917ed40463f2baad1b23e83bdd9f3eddc2ab53faa9215854bc70bbe8891f5
5bdbce2e62d126aec9b2c13e80140283afb895dab289b59b5d8807d068a5d792
2f42534a62ba0e16ec615eb6d149d3259a490a94d798e001e581111c2b9e020c
18eef4f550342b98ad763644b04f13da97b5ddbe3611886bb59e56cf5a303150
45300b722e29ee45de0fbabe53469b4a7d763f92c1d49daadfdf152d3884df8f
51d7e110e1690785b88fef0b0e6cfe93e8f58282089824790db7ffc0af76b1a3
43d4f00741bd1e6e7a907219466a9d5e41be4cb1b21c4af2b12582881cb0c126
98516dbe8ba5427a47365cde0aa857b0f37503464695354c2f62609065a57d23
82fa35d4f8552c453b7ae2603738478cc22a266e687e481d02473ace810c7e1a
650a8a0cc93ceda516f5c606c24ca5ac813d9ad6ac2d119923ce8cc4ac6ddb73
175d198b087d786de68346c7e5d52f6ba82e4c4402215b810712c413bc197bda
270b96b10c2063d59527b1c205b08958dfaa0ad4a705513efdc8632ef4789e8a
d8b837038a8d5cae6ddf9eb6ebbb0e9df7e4a3205aea06d6137c89bbec0b25d9
6c9767df14e250159bea02cd28aa269e4c26856e99813aa84d7879277fcd833c
361c6690b464569336077534f4606c20a95337dcad6acb3552334cf62a3a0e36
ac72a3e93b5ce35b4c756c2fadcf404c857cfbbfcf58e44673ffb07ff615574a
6c26634fe9fb17a09cba226175856cd5a6b6c75e595defe4b923c11941ed383f
0fe9bebaafdd59ea26d7b6ee34b53879c81a787d10e545b7c32722b77f71a69a
6504992aaa318be60ce362b05ec7938a020936f850edf9ea6b1b06cce7ea1a23
480a280fce534929d8ef4dd01c062ed394debd3ca261d69399a8efd4d06df755
b9edd830ae324a87bc2317129a6103fa815c1085db1e88bd9813c881e678c864
Epoch 2 Payloads by Document SHA256 - All Times UTC
Creation Time 2019-02-12 19:44:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:
4d12ed34441fe2e465f3970728abffbc76d5a588b39ad3161f2b2dc9fd711aea
2a82e054cf0952cba51ff4967636c4d1c8e2360ac42c1eb7413863980426042e
a5394b843f84949178acbd4d4533c08009ad11e474e3ebdf9b16e251accb2ecd
3d80603be0d5672f12c6e2525974687f78d2edda7ee817e093e947f60537b2ef
1d341d716fe5ce577b3cc061913f8f1dd133263d654d3810764864b389023e3a
76ba05fb7693e6f73095e182751e2b8ca5383a9ad826a6c233976d45d398bf4c
80b58ec414425dd89f34d2d46622d6707e16c1181c04a86ae18279fe3c9d7793
aa8f85055234a1315feef510b177289ea9ab9417f287040fa9fc5eb99d0d8a30
0f4869263aca0033a984e987cc96fcc19dad5dbc3fe6840864d87a45abd48554
ef8df1bdbc4be0f037360baa4c719be4848018cb76dc85e6c298b7e5c0c8708d
a55aa934cc7fe5bf206b1930c7893a2fa068763d2656d36259ee1c29f563f681
481931d27496fe2ed1f13af908e7eb1917429c43a7ab2db6177cdbbb5601e902
e9cbc12b2fa25b7ce54fe396128f702718fd89c3b7ed3ec6ae1f3b5c17467a98
248bd5ff6a4d44f8e54b69789a8a322e89fece8e81d0b703695198e24b4b18be
efa318382d151b2b3bb24f127f7e1b8294671a30072e036c4fddf0787399f445
0724d302fca719266eb7affa0678f980b14494a9a5cb691b109c41dc9d60873c
4243d427a13e1d07448aab7d8ad2c31700bdd002c5e05d81e9602c32877ed2a1
cae5fcb92271eac3f193651511661e63dd090391cb5f46107e222506bb15c46c
c6fe62ccd70ee860b6aa7f280368d2806162fec09376d8c580ee8e707aada495
5efa7772a4b59015846e9673ddb16b75245e43e7e561080aedeb4962271245cb
4e41e9af78f6883063e2adb3569a6016e9b3e05e01abf2267426e0c24f97345e
http://bignorthbarbell.com/yuf2G22rSI3c0s/
http://mail.dentaladvance.pt/iyRttLHb/
http://3d.tdselectronics.com/IWZfq9gD/
http://greenflagtrails.co.za/HOHvd9NFU_BaZ62/
http://kuoying.net/wp-admin/NcdixzAUZNsxHs0_8DoIcKe/
Creation Time 2019-02-12 19:00:00 (Doc 2007 Based - ENG - Zoomed Indigo/White)
SHA256:
ceb007931bb5b6219960d813008c28421b7b7abfcc05d0813df212ddcfa5b64f
http://bignorthbarbell.com/yuf2G22rSI3c0s/
http://mail.dentaladvance.pt/iyRttLHb/
http://3d.tdselectronics.com/IWZfq9gD/
http://greenflagtrails.co.za/HOHvd9NFU_BaZ62/
http://kuoying.net/wp-admin/NcdixzAUZNsxHs0_8DoIcKe/
Creation Time 2019-02-12 17:33:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:
2e69abb5d7d5e1c333a0b69a36dc9c64e8dd76cd3b3d9db0c0b907e6616718a8
647542e616202019869da8d1c46464b0a1677e7cd809d71c12e4d9f15d92ef15
53a9faa5326dbb86ee1c25a8efb2f015db86db476fc5a44e318009fbfdd15b9a
4ddca771f86a73439df39fbd28da78637fd0012caa3f24efdeada5b7018e491d
97a5bd2739e519ee0c219450246e37df61437fd537c09da313a90e4b4ae2db82
da448702c9a2daf4dc8c71499b878fa36fe07e67e00f4f7e459753e1cac9d608
20d57831a57bca5c48a34e655f3f64dd3b1b44137433508465438e31601f456c
http://goodmorningsleeperbus.com/wp-includes/fQGJQ8jfqnV/
http://authenticity.id/QOjNGXUYA8kvTah_uu/
http://ngkidshop.com/usVXrsNKz8GcFj_HWVYF/
http://spbv.org/99pUKZ1GYwsJewd/
http://www.ingrossostock.it/lCOV6EKUQ_rPQE/
Creation Time 2019-02-12 15:16:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:
77237ae0c47398155d7503c703275df19344937350e1195ff5426058710f421d
aea91ca43fc82a8c0e1cda3225f081657f6105ee468440e3beaa116a52689cb1
4ee0ffdbcd1f4e8e198286a8959f5b18c46f9df4f86438a1955f02b0e442a0c8
957aedad03a3358fe4bf1f721303e6eba3b9e29c114bdd96bad73808da71e46a
b11e80b61f8ae07b719bdf4ee2ca45401204e6444af14177cab37213363de9c4
cbddee173c6350456df57db514941caa599436a15ca014c26a94e46ff143e674
f4f1ede0e564672725f3b255b52e0ff819e2f7939478c4a9c5824ba7feb3201a
2150a35cd8ebfed6ba8d17296afcb9b0ad915bebcf71046a85edfb116fdef5fd
3eeb2bd103fd19d9e5528555be0cff169c33bf513a6bf9708569a37cc6cdbc05
2af2a75a3186e072201f57cd494bf578f9b4a7a2ffb38c1ec3e2be90136dafaa
6b130ef77e061f8533ba6c8d0f966444b29684c8fd62eb09697fbf7b4f91f138
8be846317fa0deec67c07cd689b59ba7231c4244b490329e6dd4b74ab9fccc74
4e6318854cd0c1ca2fda716a2d077dfc1be9f5fa3b4772ce1ce4db2a58495731
http://54.85.253.114/WSI0rgK9_K1mC/
http://52.59.169.135/AOVbhkKVMU2/
http://lainaconsulting.co.za/r9iWvJAVkJ/
http://mpdpro.sk/oRHmNW7L9Gn299bh_6sGXddO84/
http://kotou-online.net/ZYF9Zv1oUZF_0q6Bc/
Creation Time 2019-02-12 13:29:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:
55ebd19889089904c2494e1ec0233a09440d4b8c4943680f1b6b0ea47ffab2da
7f2d2be9e8393c8a38c1e3e948b27bb4660bba4623be31894dca25318542414e
d928eae039aa86eeaf2e269e5b6929f7197a29c86a9b437588beb4738bd39155
b9b5ba5b34fb541bf6ce836b103d3b213fb5d0d1bb023dec4a809e5200ffadeb
f025a2e7245bad5d2ca5c61329311ad8d89385275b35910a6e47fb79f2c0c3bb
93e7bab5a87110e1ec49b5e2a40b70eab6c53c4a6f42b63b77d472f52f904676
319e696035318ad81de588cb10ae0540adb5a0c841549d3726c72715c6540026
cf695e41e9056c61be0e13eed2b589ee13c75ab8642109db6d4d23f3fa031327
9e500ad2ac11e0f355d7966992ecb085244e777b278f5d8d13568cc4b256e089
c8d577c672f5b29040e2e7578a8c877a24a8a3c6905219bb6142d15f686433e4
a8c4074b059b68bdccedb05bb15c8b42a5778d8979bef8f8b96be4e9c5ced1a9
ec841b5a6810a726a78d53afac2e809bd0be8758248ec41dfc49424654f45ff7
0559cda958927d6970175955e1bae5a71d5ec1f20a1a0c3f22995cb58bd229d7
http://baymavigiris.net/MMBMWtFDhw7Ly3/
http://holdens-uk.co.uk/xzPuFV5Mas55m/
http://kentazo.vn/VbtIv0aV7Y7S_Cm/
http://alynedarabas.com.br/iP00kVvGieP3/
http://marywangari.co.ke/OWUFCo3wEBv9_nov6xLeK/
Creation Time 2019-02-12 07:12:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:
0ee57c0f537c9b6b5e32a57416ed545c36850ed0dd023c094a289c66f8f8a353
53eca122ec298ea4f73562092ce57e2c8809f9ac46ee2b331be21fab5ac39d90
15af7c179436a27abc2b60a87eb7cf7322fe8284a647d96c599932f8543f8aac
a93912a1e7a7048fa20bbc586a7ff188a3b23a74b596cccdfdf63f4dd2d8a3d7
b5a0c38797bc6759adb5a0f83f9082f753996e6afd68959d4d49e2efb0e8243b
2fa71247c8825a9732ab1f9cbb884b16932ac72a89c4e786809862b3caae3791
99faa9ddfd4fc4a3df4d489d7dbdd9dbf0d2f7f3676b0eee8885774b36d5e976
660f59af3b4995bfcd65aa162e38adb7f017a89f1215a0e5e59bb415750a145b
ae45a175d2fffe98a90cc016ee11b3b0ae85ee9cbfbd89d1cadbf52b8f9e0b9a
67ad8f8c59359d0fe14ff3bb37b7a1b8087c13a2845ced8322e816447f187ca2
b264b4f3dfa384f40f1ea84f323802b159c959d3b011be741c5597617df49356
0d20173df64fdc23a85ab3a0af60c6cecbe277e28988f8f069e22cb7b7e4a9c2
5e137478903383471820963b9025bb1d367c49ddd40b3c18ca405c29e041af09
233b98ead2663e8a2f9b16daeefa134cb0b4f34a83efc98203d50bee258344c4
83244c85d4d7759b679274ea13747a43cd68716c6f5203e6912007a4b0d5eec1
c68c32b90b04710d7c9cdd124a1dcb2039197933d5f50657562845257a7e94eb
8da9c3b4a4c3685015b16c16b1bafbf03d6a9d570875ab5430438bc84e561370
a42455b01a8b32430f7a3e777848bf0b1c6e1626c859cfa2bc6486aaa8e54b2c
052acce6b4f11ffc163ac7fb9d6cbd34e4911462ebebac89658ff4491f662f75
e966ca1ac7b65e7f50f39c81125cab53e69fedfc3f483c68f38a587a5ea0ba54
38b3d3c9d5a1fca3c1d52bf5cea0f12dbb6eed43161014a9ece3b36547fc241a
1752081807ecbd810df1a3ad2ce1dd236496157eb3900e3698dddbffcd7d4853
bcae1a1859ae62c5b4c3cfc43813f6ef910435e143cba68f363143ad503c4c07
a5115626a3b164103bcd78436a5127b8283cf41f72eb88bb8a8faf8dc87a75e3
40f0f1fbedc5e5e9f85f7306e9b7a1db861e438be93143be3b4a84264fae7e4a
0c8e741589605619729a828df74bcabaa6f69e44002c8b17ea3e222a2a2f77bf
c8e418cc9fae5573954a75d3b225c4f08af992482511892a37effd4a9eb3dc8b
e2b13f6bcbd93dac3761866adad726e347794eb98ab44a85c5088513d693fbac
4bfe096f665b09283637bad2494c92d2c6377e90d18f53f03f15e70f8af9b990
5ca5dce8fe909ed9341e8af50e9a534b17aa71e3dc4a9cc9b892ab4e77779531
4c6058f9d89d3cf4dc7c61fdee6dfe45d2f406a79554f74a7daea9691a6d43b8
6bda25ad0f2cd97bb44e78123f30ed368e2095d285a060c994f32a0913317a12
1c69f034905fe0d1eef5f6370ccde737c41a71133420bed7cfcf1f2062eadf4b
http://mardaschaves.com.br/K1FxKoifpDS8BC/
http://mail.eexcel.ca/JChZqQzpUyYXlpD_5/
http://mojtabasedighi.tk/wp-admin/CuxC2wfrmfivh5_Yk5DvCs/
http://kosh.ir/kYjmtMPSTqngAKWl_Cpbu/
http://54.208.237.58/yBnG6KTc_mRtKtntv/
Creation Time 2019-02-11 20:26:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:
e837f29478fbb117d9fe612c32c39d435426ef558810aa4ebed6a7a1bb50d039
91bd74af8be134592176607c7a1d9de98c06fc70c4ce3e4b211dc4afc7e2dfa0
351d6749c1c9ffd96287534fe1e8f8d71226f6ce875dd1e8d7c520201b1c40c8
1cbddbc78e64440162def210473bf2363bb36718d09c7ac2825009a304f2055d
f9986dd2ae83e3df36388da8cc498d686f3b07bf0ebad2f2c70cd943f0686f10
ace857699dce507a7afe07c9b447d5f7d684460d35e99298c6394dd069fdce92
2ba6f47f151c07271ead628a00573aa85ddcb4ce1e2058bf5db6da352ca2b0c0
f19b42db9431e852438587806a3245d0c008e977c3e32f284c5e914cc7a1c4ee
322ab486dc0396b0d90fd30f579487e71330778d839a32a5c74b59a580f9fb9c
2a22d6133c9722f3c8bc22989cdc67bcaa4d081739d137bbdb211f14460e5113
7c88696e5791acf0f93a9c56dbc624ba75d30646a10c26814ee7da6715bf02db
d17acde75ae2560a1f80c718e57423ec68ba13c09e8385353bbf6e4633aad7a7
03952cd76cb868d0f23fef1b33cbc9e3e7871ae39893569a41b0549e95a71276
ba3c789ebe9a1f94a8ee83b0e127f1d2659e627b8ad63214d03692b60901640a
2781daaf0d72a42fffc28793dbaed78e9c7df97b342406eabea69532274e0c98
4a8bb9d6db463eb2bd29137005dbbf52650fdf6e4fe53910d800db9e091697e9
b512f47e2fa25638b3ecb8e18f832fb198dc42257ad8a67e27c6c23b9ee33740
5cf352b52c4e5ea601e3a5d3635baf0672f4597adde4424a11e8a69fa254f5de
2d8980e0bc9e39b6494ce52ca130c15ecde7ad428200e271b607af9dfa88da02
3e88bb0b6d561e92b62e773f1b26740a4e3acfe936ecf105c3b1e516f0e63486
15f90b490df222a36c3566ad4895befb2bc62782e471fd1d5e0267be99b83b2b
62abb3e0501213ead06b9bb14456ae32b462f728492ad673031eb76f82abd947
c3d5cc485f5846410332d2dd7c68aa0ffc32748e1ff0a0dda6604b02084da360
c21c9c123e502d5356d7af1a81f3ba3bcfe93209a9ffb7b16e2334b87730d9b8
a3cc3a8cc9de4d1b921d23425a289cd85ae07088a55a617a25fcb54f2ec0908b
b05dab8ce4e21ec035844ff2b22093153e5a9e09faaafcd0724e0ab133e7cf22
fa576257dd49739553b4e8b44d7a78e583592d131f7dc319f634897b24989232
d617bec09613f35b200d825df21d1fdf5e8f7e8bfe8cdbded7728013468e0ad8
89a6bc1186075f9172ab14359dff9a4421d86bb452e846933b11369a46bce185
df98a630be3db6e7c02645e30f833e8099f021ad6ec54b6a43d3e25dfd6f19dc
9414679bd8f2f0be79b5e4fb7f1f412c07bd7ee0b6b09bcc34e8eda48e51026a
573535084604b0b83c8f96541e6f360de8be4443c04238484ef8013ff536f381
1d76c053f2cef763987de94d262b794b5fa0540feb9f6bbd841739236138ccdb
21c6ca0ab11cb70de291b3c0f719ea6e9b5c70297391a4148b06bf66c77c53c9
d1df17ec2fd32b9514f8874aab3bf4591d00bd30cd084cace80b1c5d1c6d2d6d
c2e213a80dfeaaf750018ddf39b66dae659e800efe560f60df5cdf5d673b6d1e
c7097928addfc7675046920ce43325d4317023671bb9921d2f87a113f0728ff7
7c63ca32aa91ee7480e3b29cc4e63cca1f71daf286c2259c9d23a98155064a22
59e64306690434e2986ac60b1df54b8f9f393722d73d4cc64f1589ba370b056f
8e0c5ea52d143274ed4ba08d7c7629f0b6ba35867b1be32aa39cf5043c4a3c18
9bf32e93c608d19900dcb98418558bbc1efb8000371446c9b3624fd7e9e39114
5d5ba9f5bd3057f7501e53f61e8308d09eab9dbe2fb75ff4f3be5d4b97847263
http://45.77.244.93/bfObwxpm11Sjv6S/
http://45.32.82.29/G2UAYAIo5zKs4El4D/
http://188.166.161.57/CBpZUIRi2j/
http://13.58.52.117/BBvNV0vvgoectW/
http://104.248.66.24/bXkPxtnIYTR_yd7/
SHA256s for Epoch 2 Payload EXEs seen on 02/12/19
0cd9bd97fbd6106f464b34e4d8f780c1febaa465e9bc98bc6c11f1d59b5bbd2d
cc08bd05669a213d07735ba2b567cc3a615e9a1bcae4c2f6baa878c560f8f0b7
efd9f27dc06fe39568ed2123ce4ac69c696fa62eec9e5ce60f6e5b6f4a0eac7b
acdb168cd245b844646b8e4b4ee65c38a52d51d394865941bd8a58015e6839da
acf49b22cb77721f3ed49687da0312dce984b3462f8f841ecf525c6d8519e0ef
7cc256e3e5256d276e88327434319c35cb51deae507529ab45bb734dab464aeb
0c27d6dd7abfa118ce6876e0291c967572f6eed7d80f531fb3aec774f3336feb
916df741bdcc5ca3959ca80bd5fac2e641fa90fc9e3d143cb9bee21d44ebfb6c
f6ab445b28b62c857a595c2cc6df9e6e2bcf549745fb7bb860033c024ea5f516
ca00129519130310b12f3edfaaa6252f26e7a38f37a22358348302e07d7d9a88
e66098188f963fe9dbd7388f8c215d534dd228f27c3047d2f26f56f2a0d28378
51db1d1c67546f22fc8e9c8c7c681496b0b2ddde964003fe68ffdb5d67a44eae
1387f7ce269a115f9e03c0376593848c327a621d0b5812802f135b0114f425dd
8e6ca08bb52bc257f646cee309edea4c870fb0080cb130327da16534bcf21cf4
e419d4d94fcb56e38d772654e67d5c1ed1effd51fca56cedb81f05de3c941fe6
a54ffe900e60a462d6ed1de1c9869a8018bc778cfbf01a402ef448bca6eac39d
30e78a3fe9ac69d7da39327291cb26c0e99fb16c69a1e6d60d509a5fca006a5e
a5a59ec3fc730ac703320698429e14a283255ec7d9ba81b05025ac4028ad16b8
8de5cd7ee4f1a660c0abd3575ca99a0ecb4e1300b87b95827743484a8e59c371
508c6c02dbd2b09dc61754420a04a84ba3e32e73d0432fffda79f514b06a0779
0f00d75d1510b18f008dc4ecac39024b6a870cf924043dec8c93f1d881efff97
a2e5b159a953065203b07ed191875191fe16d9f165003dd958c912254b5210f0
b776832237dd43103f27ee97370d26517f19b16e1ea332bf6f541cac0858f1f1
b6311f8c2fb752edf193cfc0121421d9a6c10589508b293fec2298ad1d82c4c4
587acd8a8a0e6e57c719058b78983af883cfa76615be24b4112473ce9888f7b8
e7faf9a13d738ab08219f8a4887e6df15f80edc5c766e75b7e9ab1aced08169f
e2343d38e7c678965d957640cbc32819ef950345bf4cda82fd9e130ed57fa07a
91f97bc5e179a2333b0ad62f3a58ee218ea5c158560fb9d658b2900a6884083d
Epoch 1 C2s
104.200.80.44:20
109.104.79.48:8080
116.58.87.8:80
12.6.183.21:8080
138.68.139.199:443
144.76.117.247:8080
159.65.76.245:443
165.227.213.173:8080
181.15.224.57:80
181.164.25.28:443
181.56.165.97:53
184.101.191.86:443
185.86.148.222:8080
186.4.127.72:995
186.72.205.234:22
187.145.0.129:7080
187.146.255.151:8443
189.170.39.188:8080
189.173.176.115:443
190.117.226.104:8080
190.186.110.202:22
190.248.133.18:443
190.96.172.225:8090
192.155.90.90:7080
192.163.199.254:8080
200.116.200.136:8080
201.156.42.238:443
209.243.21.172:22
210.2.86.72:8080
219.94.254.93:8080
23.254.203.51:8080
24.194.252.25:80
24.37.161.242:80
5.9.128.163:8080
50.195.236.117:80
51.255.50.164:8080
66.209.69.165:443
69.163.33.82:8080
69.170.237.82:20
71.40.213.82:8080
72.47.248.48:8080
74.45.170.110:80
74.62.52.222:20
75.110.229.201:443
92.48.118.27:8080
98.121.75.14:80
98.238.127.216:21
Spam/Stealer C2s
104.236.185.25:8080
181.169.2.89:8080
181.58.30.155
198.58.114.91:4143
216.98.148.157:8080
31.167.70.26:8080
64.178.246.207:8080
73.83.148.166:443
74.57.246.27:8080
Current Epoch 1 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
Epoch 2 C2s
100.35.190.8:443
107.13.149.212:8443
108.190.34.69:20
133.242.164.31:7080
138.201.140.110:8080
153.121.36.202:7080
169.57.61.42:80
173.255.196.209:8080
173.255.250.241:443
174.62.215.11:80
174.96.7.155:80
178.62.37.188:443
184.186.222.145:8443
189.222.174.85:8080
189.225.165.11:995
190.114.242.130:20
190.40.100.7:8080
201.211.167.72:8080
208.107.52.29:80
208.78.100.202:8080
211.115.111.19:443
217.13.106.160:7080
24.173.121.154:993
24.227.158.234:21
24.228.124.151:7080
45.123.3.54:443
45.63.17.206:8080
47.187.38.245:80
5.230.147.179:8080
50.31.0.160:8080
50.80.9.93:143
50.93.34.66:443
61.76.180.18:443
62.75.187.192:8080
62.75.191.231:8080
66.57.212.114:50000
67.205.149.117:443
68.192.249.20:143
69.198.17.7:8080
71.167.42.74:53
71.7.15.240:22
75.97.212.250:7080
76.94.226.173:20
79.75.233.224:21
83.222.124.62:8080
87.106.210.123:80
94.76.200.114:8080
95.10.12.151:80
96.234.162.118:22
97.100.88.65:80
Epoch 2 - Spam/Stealer C2s
31.167.70.26:8080
64.178.246.207:8080
73.83.148.166:443
Current Epoch 2 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
Credits and Notes Section
Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.
What is Epoch 1 and Epoch 2?
What is Epoch 1 and Epoch 2? (updated 01/29/2019)It has been awhile since I refreshed this section so I wanted to update it and bring it up to date.
I have been tracking Epoch 1 and Epoch 2 since May of 2018. Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for
communications. Epoch 2 is currently the larger of the two botnets and I think it is the main push of Emotet. Epoch 2 WAS a smaller more rapidly changing
version of Emotet at one point in May/June of 2018. Now Epoch 1 seems to be the smaller of the two since this time period. Despite having unique unshared
C2 infrastructures, these two botnets have been seen to move bots from one to the other and show similar behavoirs seemingly controlled by a single
entity/group. Here are some observations I have noted since I have been watching these botnets:
- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an Epoch 2
document download site. Specifically, Maldocs on Epoch 1 will have a different document creation times and payload quintets than those being delivered
in maldocs on Epoch 2 at any time.
- Document hashes change very 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Monday's of every week a new set of document download sites and usually templates to accompany them are generated early on Monday morning/Sunday night.
- Both Epoch's may share a host for binaries or documents but NEVER the same directory. Eg. Epoch 1 may have an EXE in directory host.tld/A and Epoch 2 may
have a document hosted on host.tld/B.
- The RSA keys will change every month or so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours to stay ahead
of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key.
If I think of anything else to add or if anyone else has any suggestions, I will add them here.
Community Lists
https://pastebin.com/4Ggmc8sF - @pollo290987
https://otx.alienvault.com/pulse/5c6319d1500d5447353abb88/ - @RedBear14679277
https://otx.alienvault.com/pulse/5c636f2c088a4c35b549c234/ - @SecSome
Credits
(OC from @JRoosen and/or combination work of the following)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie,
@Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial
@shotgunner101, @HerbieZimmerman, @Outkast_TI
C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie, @devnullnoop,
@gorimpthon, @Racco42, @Jan0fficial
Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987,
@malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial,
@OguzhanTopgul, @HerbieZimmerman
Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and helping out with all of this!
Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch
and @Virustotal for providing services/software no charge to this cause!
Daily Log
Slow day for me today. Only about a dozen malspam with older template types.
Not too much else different either but lots of the newer templates are being cycled in now. PDFs for awhile and then links and then XML attachments.
C2s changed for both E1 and E2 but the keys remained the same. We keep decreasing the counts lately and I am not sure why.
Now down to 47 combos and 50 combos on each respectively.
Marcus did observe something interesting today, Qakbot is being dropped again by Emotet and surprise surprise, it is part of the same botnet as
the previous direct exe drop a few weeks back. This settles what happened with that episode and it was not hijacking or anything else:
https://twitter.com/MalwareTechBlog/status/1095469134480007168
That is about it for today. Until tomorrow for more FUn from Emotet.
Sandbox 02/12/19
(all with fakenet and MITM unless spam/secondary infection)
Epoch 1 C2 run on 2019-02-13 at 01:45 UTC - https://cape.contextis.com/analysis/36720/
Epoch 2 C2 run on 2019-02-12 at 02:15 UTC - https://cape.contextis.com/analysis/36724/