Emotet Malware Document links/IOCs for 04/10/19 as of 04/10/19 23:50 EDT
Notes and Credits now at the bottom Follow us on twitter @cryptolaemus1 for more updates.
Epoch 1 Document/Downloader links seen for 04/10/19
http://104.199.129.177/wordpress/file/legal/secure/EN_en/04-2019/
http://104.248.148.224/wp-content/XZoTn-bZyInGox1pyxvCN_tkNcItfUH-Um/
http://12mc.cba.pl/errors/llc/legal/secure/en/042019/
http://192.144.136.174/wp-content/AyDT-K8KZJGTtnpfbPBh_TfFcXmIIs-FB/
http://3d.co.th/US/security/support/sec/EN_en/201904/
http://8501sanl.com/wp-content/legale/Frage/De/04-2019/
http://academiamonster.com.br/wp-admin/service/vertrauen/de_DE/2019-04/
http://acebbogota.org/wp-content/file/support/ios/EN/04-2019/
http://alsdeluxetravel.pt/cgi-bin/files/service/trust/EN_en/201904/
http://analiskimia.undiksha.ac.id/wp-content/uploads/nachrichten/Frage/de_DE/201904/
http://anima-terapie.cz/wvvw/legale/Nachprufung/04-2019/
http://antoninferla.com/OLD_SITE_BACKUP/progress/ifJGk-R4t7d7u4LhomTw7_gAUOHBWj-Yv/
http://applianceworld.co.ug/cgi-bin/document/support/sec/EN_en/2019-04/
http://arhipropub.ro/lib/scan/legal/secure/EN_en/042019/
http://asssolutions.co.uk/flash/document/service/question/en_EN/042019/
http://auraco.ca/ted/document/messages/verif/En/2019-04/
http://bf2.kreatywnet.pl/owa/security/support/trust/EN/2019-04/
http://bigbrushmedia.com/doc/messages/question/En/04-2019/
http://bike-nomad.com/oldpages/whYA-OC3rHzsj33tWUWC_iFhmVpyES-Sj/
http://bility.com.br/agencia/US/legal/question/EN/2019-04/
http://bitvalleyonline.com/wp/PDbv-VkeSSgq41dWsY6D_tLVoRorgd-HC6/
http://blessedproductions.com.au/cgi-bin/privacy/legal/sec/en_EN/2019-04/
http://blsa.org.za/wp-admin_affected/bgbU-V1SRSn0uJoiRFp9_bqjfUUpS-ww/
http://bluesw2014.synology.me/@eaDir/Februar2019/privacypolicy/vhEm-gYLdntatP5VjAU_NlbLvmdMU-iU6/
http://bushmansafaris.co.zw/wp-content/service/Frage/04-2019/
http://bytesoftware.com.br/casa/legale/nachpr/de_DE/042019/
http://byworks.com/wp-includes/files/service/verif/EN/04-2019/
http://cad-spaces.ch/picture_library/gSHg-H0jmNm3vAHp1UHv_TpHkjTbfc-vjI/
http://caliberfitness.com/humangrowthhormone/ZyNkD-zONR7ge4FG4MiR_DwWOdqBJD-ro6/
http://camilanjadoel.com/wp/file/messages/ios/en_EN/042019/
http://caninetherapycentre.co.uk/images/zGiz-Xev6wgq9al9sAdv_YLIrfUNe-JGM/
http://cantinhodobaby.com.br/img/HntFD-g4hhkOJmZg7Uo9_mRThXFoxS-ln9/
http://celebration-studio.com/wp-admin/legale/sich/DE/201904/
http://cfarchitecture.be/cgi-bin/UyYRn-Un1SH3UQHkRAwo_goIHsScVQ-zg/
http://chainboy.com/FbYfa-pxDNSOrdzEhMfUZ_CpOBmKva-r6/
http://chang.be/carole/legale/nachpr/de_DE/04-2019/
http://cherdavis.com/cautionarytalefilms.com/oJzsb-VyklDs4hWdLXVvJ_JTtoOSHk-ah/
http://cipherme.pl/shell/wzXB-NJjaRBl9TKeb2FO_tKbPrJqx-iV/
http://ckingdom.church/wp/security/service/trust/EN/04-2019/
http://click4ship.com/Phreedom/DbRY-f8oHHVEasqmMZZ_gxqFRQXn-gKM/
http://clients.manjunath.diaprixapps.com/d1sandc/support/Nachprufung/De/042019/
http://colbydix.com/mailer/LGWhn-X1JTXqyjTix1qts_PUfbDxDb-AA/
http://colemagee.com/movie/OLUp-zEv9BVudg5foWH_PQFTBDJHx-v4/
http://commercial.uniden.com/wp-admin/legale/Nachprufung/042019/
http://coneymedia.com/kzjZ_EXP-rZoBzbL/OnDlS-YWONnrMsMqSFUun_fMrfzlQk-OK0/
http://construccionesrm.com.ar/EN_en/ylzuo-kNVL9kZbp3nllLG_GBdmSnnGc-Qzh/
http://convert.gr/PAPAIOANNOU/dyhen-vZdS1SqTvLvnBGt_tOOXFjuYu-htL/
http://cooperminio.com.br/emanager/conteudo/gercont/fotos/ILjdo-hLtOkixhexz9fGJ_XYBpYBkU-Ux/
http://crowdgusher.com/wp-includes/IvxB-xkgukcWlhwNEZM_pXQRJlKl-mR/
http://csburo.lu/wp-content/BJOzG-NLpAOEukNtadF1_rQkDtTkm-xm/
http://ctohelpsu.com/loggers/FynpI-AIs6jjtqll2ou0_hpieanxZL-Bwd/
http://daltondooly.com/wp-admin/UunL-iXtgPiawEd4FmT_EtdDECon-vfr/
http://dammk??rret.se/hrpel37lgd/document/legal/secure/EN/2019-04/
http://dandavner.com/blog/nRTY-dB1QE88eFWyJ2H5_AGiCBvIyW-rmN/
http://datos.com.tw/logssite/ZjKy-ojoO8jlLUXP6FMs_QzRUQGiQB-DG8/
http://dcgco.com/wp-admin/hfcRz-LXqEiL8b8wVexTi_pyXHnSNoy-mP/
http://dekormc.pl/pub/FNgvz-9nGKAHzjudqqeTv_weGawwdq-9r/
http://demirelplastik.com/admin/IPxh-Kicx8Ij8ykTMAwu_RdnkgLKe-abs/
http://demu.hu/wp-content/TInHC-J1VrKDrVIlGJcc_HZeWowSOF-5OZ/
http://dentmobile29.testact.a2hosted.com/h7he2gr/GVuFt-FReRu7QwQiMlna_IdcBhdeI-jk1/
http://depot7.com/aflinks/klmH-wP9hpffK6ez6uh_CQWfMuPHM-WXs/
http://designkoktail.com/wp-includes/inc/legal/secure/EN_en/201904/
http://diegogrimblat.com/flv/XeQe-IJtjktj9C11ad5J_BZmPgwXz-MwX/
http://distan.enrekangkab.go.id/awstats-icon/nachrichten/Frage/2019-04/
http://distan.enrekangkab.go.id/awstats-icon/nachrichten/Frage/2019-04/%20/
http://donhua.vn/wp-includes/VTFO-XTSkpUo7aXV50Iz_RtJUzsvP-XGg/
http://dotnetebusiness.com/Vqxmx-JeiiRnj3a3zYPIv_lEuDfajf-iH/
http://downinthecountry.com/logsite/US/service/ios/EN/042019/
http://dqbdesign.com/wp-admin/Zmzy-AiuCf7DLn0N1Qq_WaYwdtqr-HHn/
http://drezina.hu/airport/zANl-Gy94iyACdOcqlM_wSjYshWMU-UAy/
http://eastbriscoe.co.uk/sysimgs/MDlS-kDqhvcdeWjjqY0L_JwVfZPQij-Mm4/
http://ebe.dk/_borders/GWSnK-WGkB2u6B6IWWMCy_TbyeojxK-KGB/
http://emumovies.com/api/QPTD-ns1RMZxGPP9KUXc_ZJtdiARvZ-AdO/
http://envases-matriplast.com/prueba/privacy/service/ios/En/2019-04/
http://geoglobalsystem.com/wp-content/service/Nachprufung/2019-04/
http://gged.nl/geocaches/afk/schild/legale/vertrauen/04-2019/
http://gkpaarl.org.za/language/privacy/service/question/En_en/042019/
http://grandautosalon.pl/YVczT-5cXF_TzzA-LqD/NGQG-1kXn6uU1ktXp8j_cnktVZtNd-oX/
http://grillitrestaurant.com/wp-content/uploads/Nzmsh-TUsyseehKNZFRq_JifTjJcHB-Dma/
http://gwangjuhotels.kr/wp-content/themes/xHqyq-iiAttgPor6CqMb_uGjvtvGq-uh/
http://hulitshirt.com/wp-admin/service/vertrauen/DE_de/04-2019/
http://hurraystay.com/wp-includes/uvQt-EoCLmerDTsjey8_OXOiwJLj-0Ex/
http://hwx-group.com/wjwrtce/legale/legale/vertrauen/201904/
http://ichikawa.net/wvvccw/doc/legal/ios/EN_en/042019/
http://indieliferadio.com/loggers/inc/support/verif/En_en/04-2019/
http://johnsonlam.com/Dec2018/doc/legal/trust/en_EN/2019-04/
http://johnstranovsky.com/96t8b-z2ns7-galcijo/file/support/question/En/2019-04/
http://jonaenterprises.com/images/inc/legal/question/En_en/2019-04/
http://jpmtech.com/css/KhDe-OGKeAhWj21xg3B_sOgedoyiR-uHE/
http://jsya.co.kr/@eaDir/security/support/question/EN/04-2019/
http://karakhan.eu/wordpress/privacy/messages/secure/En/2019-04/
http://kelp4less.com/wp-includes/AzUV-Idqc38QwAQ2TLD_luuCjfUbJ-ZN/
http://kidsbazarbd.com/wp-includes/support/sichern/DE/042019/
http://kometpol.cba.pl/override/privacy/service/sec/En/042019/
http://kurumsal.iletimelektrik.com/wp-includes/service/sich/042019/
http://lab5.hu/images/legale/sichern/De/04-2019/
http://lcarservice.com.ua/journal/QvmUZ-WnBm880AjJhAiv_UlATgVvzT-l9/
http://lswssoftware.co.uk/Accounts/secure.accounts.docs.net/US/service/verif/En_en/04-2019/
http://mathew022.cba.pl/ajaxvote/support/Frage/2019-04/
http://media-crew.net/bao/files/support/ios/En_en/2019-04/
http://mersia.com/wwvvv/files/legal/question/En_en/2019-04/
http://mmcrts.com/wordpress/files/legal/secure/En_en/04-2019/
http://moes.cl/cgi-bin/mrZZb-aVmCdAvt0VF6nx_QmkICFDHc-ib/
http://mrgsoft.ge/reserv/service/Frage/04-2019/
http://mxtips4you.com/wp-admin/legale/sich/De/2019-04/
http://netcom-soft.com/eng/ngqf-1qgeekvjq0mkjz_zylyialye-z8t/
http://newsspe.com/fvefbd/US/messages/secure/En/2019-04/
http://nexusinfor.com/img/doc/support/trust/EN_en/2019-04/
http://ngowebsite.developeratfiverr.in/images/doc/messages/verif/EN/042019/
http://nhatrangtropicana.com/wp-content/privacy/service/verif/en_EN/201904/
http://nishchayedu.com/pdgh19u/support/nachpr/DE/042019/
http://nitincarcare.com/wp-content/nachrichten/vertrauen/2019-04/
http://ooshdesign.com/wp-includes/BFuhP-N7lLnr1xKPmZ2G_GbRhOhUp-hH/
http://partyvip.in/nlapwof34k/support/sich/DE_de/042019/
http://peacewatch.ch/fileadmin/QFrCq-BNjgFDkho661Do4_SiwYYxPv-dH/
http://pepper.builders/wp-content/US/service/secure/En_en/2019-04/
http://print-city.ir/wp-admin/service/sich/DE/2019-04/
http://privcams.com/screen/file/messages/sec/En_en/2019-04/
http://puntoprecisoapp.com/ypb/files/support/ios/EN/2019-04/
http://quanchidau.com/assets/service/sichern/De_de/04-2019/
http://quantrixglobalservicesltd.com/noui3khkfl/service/sich/DE/2019-04/
http://reachcargo.co.in/7p7ef72/scan/service/secure/EN/201904/
http://recepsahin.net/assets/cpRN-lyFIMbqMB13aqJ8_phHSLaLP-Ig1/
http://reckon.sk/e107_admin/VkZW-3EDLLbA9SvtziFx_fIXcIjMh-HRS/
http://richelleludwig.com/wp-admin/EOnI-htirpJvuKH9D6N_uYJzNGIe-ZR/
http://roxhospedagem.com.br/chatonline2/TDbPC-ZMCayhNuo04MYo_rBvhrevp-Fiy/
http://rpa2010jdmb.cba.pl/tmp/files/messages/secure/en_EN/04-2019/
http://seriousvanity.com/cgi-bin/cvhhM-bxaYYIVhB33tII_wXpBUozz-2Q/
http://shreedadaghagre.com/journal/legale/sichern/De_de/04-2019/
http://simplyresponsive.com/wp-admin/ncuQs-8wuaDx1I5F8NyC_RKHrmYQcb-rS/
http://sjhoops.com/doc/support/secure/EN/04-2019/
http://snprecords.com/wp-includes/qFvC-iFP1bVwwaIvwZJ_PNUAcvLi-5t6/
http://sputnik-sarja.de/img/wlVai-ALEu2TP5SPfQ8F_woHrdHrL-Tzg/
http://sriretail.com/api.asia/us/messages/question/en_en/042019/
http://studiopryzmat.pl/cgi-bin/us/legal/question/en_EN/042019/
http://sunvaluation.com.au/wp-admin/scan/messages/ios/EN_en/201904/
http://superbeaute.ca/wp-content/nachrichten/Nachprufung/DE_de/04-2019/
http://swiat-ksiegowosci.pl/attachments/Tbkme-I6ICJ4xwnvX5IcZ_ZthJMRlIR-W70/
http://synj.net/btFu-fl5eZKTqrMFob1_uWSeJMIO-6Kp/
http://tapchitinmoi.com/wp-content/security/legal/secure/En_en/04-2019/
http://tbwysx.cn/tools/legale/sich/De/04-2019/
http://tittibox.com/img/support/vertrauen/2019-04/
http://tittibox.com/img/support/vertrauen/2019-04/?/
http://tmaipo.cl/bloqueados/sukN-snahOhbGKRxIzw_iNrPLOSUb-kj/
http://tradelaw.com/kUiDS-tHkz93cghzm7Vl_iPSvSaxA-loL/
http://trh-insulation.com.au/wp-includes/legale/sich/201904/
http://umakara.com.ua/icon/vlaA-9TVz8vfWbe5MFy_TpZBgKSeQ-6y/
http://unixboxes.com/mixes/mdvKW-mkIxtdESyoTEXqN_lylOnNVE-eW/
http://us5interclub.cba.pl/errors/file/support/ios/EN_en/201904/
http://videcosv.com/backup/Cpqcg-drYcCgadlIIHc7_TPFxdlav-jH/
http://videcosv.com/backup/UtLo-b9MSmyXlYOL7da4_yeQTUVXuw-s2D/
http://vk5rr.com/cgi-bin/XlhXZ-Crem9sQPc8VM3X_oPKPlDNT-Fi/
http://walycorp.com/logsite/oPTNI-u4P09PW9baWrYXy_rrgkTiIUC-y6/
http://websteroids.ro/wp-includes/dLkp-HhYNe4smK303dyc_mfNbGkOic-mfJ/
http://wladdes.com/wp-includes/UrBi-TDjD7GjOvrgrJr_VYnJDRTNI-hw/
http://www.amencertechnologies.com/armax/nachrichten/vertrauen/De/2019-04/
http://www.beirut-online.net/portal/security/legal/ios/En/201904/
http://www.biomedis.lt/yowwk4j/nachrichten/sich/042019/
http://www.bushmansafaris.co.zw/wp-content/service/Frage/04-2019/
http://www.chunbuzx.com/wp-includes/legale/Frage/DE/04-2019/
http://www.dairobustos.com/cgi-bin/legale/vertrauen/DE_de/042019/
http://www.dairobustos.com:80/cgi-bin/legale/vertrauen/DE_de/042019/
http://www.desejoesabor.com.br/wp-admin/nachrichten/sich/De/201904/
http://www.factory.gifts/wp-includes/daRK-2tySTJHMneulL5_ddwQJRfKH-fS/
http://www.hulitshirt.com/wp-admin/service/vertrauen/DE_de/04-2019/
http://www.lindenmontessori.com/cgi-bin/llc/messages/question/En/04-2019/
http://www.neurologiundip.com/xt2fchh/service/sichern/de_DE/201904/
http://www.nishchayedu.com/pdgh19u/support/nachpr/DE/042019/
http://www.partyvip.in/nlapwof34k/support/sich/DE_de/042019/
http://www.pumadevelopments.com/cl9jnzv/service/sich/04-2019/
http://www.quantrixglobalservicesltd.com/noui3khkfl/service/sich/DE/2019-04/
http://www.regenesismeditech.in/wp-content/nachrichten/sich/de_DE/042019/
http://www.relaxyourdog.com/wp-content/service/sichern/04-2019/
http://www.snsdriver.com/wp-admin/support/Nachprufung/201904/
http://www.sriretail.com/api.asia/us/messages/question/en_en/042019/
http://www.vuuropaal.nl/wp-content/nachrichten/nachpr/De/2019-04/
http://www.zhoumengmeng.top/wp-admin/support/nachpr/De/2019-04/
http://xmprod.com/greatdealofnoise.ca/ywys-gkSx2BA0e6ncJi_sjwfNNTWH-YRc/
http://xn--trkiyesalk-9db14bzh.com/wp-content/essF-LLQQuYYYFO5jei_KVVasadPo-g9/
http://yditrust.org/wp-content/support/Nachprufung/201904/
http://zefat.nl/stamboom/CuMe-oyI5sgcPksusUq5_ZZgnZPOH-Jd7/
https://acewatch.vn/wp-content/support/Nachprufung/De_de/201904/
https://ansolutions.com.pk/US/legal/secure/EN/2019-04/
https://asiatamir.ir/agda/nachrichten/Frage/De/2019-04/
https://babalublog.com/anatasio/PzmDp-HdzCluVtVxSdcM_TkwgWiLJc-qQ/
https://balanced-yoga.com/wp-includes/legale/sich/201904/
https://batdongsanjob.com/tuyendung/support/vertrauen/de_DE/042019/
https://biz.creationcabin.com/h9sjdhq/legale/Nachprufung/DE_de/201904/
https://caygri.com/wp-admin/kakHl-kKzkDhxlJo6SXPy_GcJFOlmeJ-MXM/
https://doctorvet.co.il/wp-content/nachrichten/sichern/De_de/201904/
https://donhua.vn/wp-includes/VTFO-XTSkpUo7aXV50Iz_RtJUzsvP-XGg/
https://doshirisington.com/newsletter/vmpz-GA3JTXfRcKBiM4A_pSHWGTSRD-DrE/
https://ecitytanduclongan.com/wp-admin/support/Frage/de_DE/04-2019/
https://edermatic.com.br/wp-admin/support/vertrauen/De/04-2019/
https://ezprofitfx.com/wp-admin/nachrichten/nachpr/2019-04/
https://geoglobalsystem.com/wp-content/service/Nachprufung/2019-04/
https://goldfactor.co.il/img/service/Frage/De_de/042019/
https://hwx-group.com/wjwrtce/legale/legale/vertrauen/201904/
https://images.discipulo21.org/2016/nachrichten/sich/2019-04/
https://iqbaldbn.me/wp/EOzo-u7Zda1BJupczSS1_qZtSvXWI-jnE/
https://kintore-daietto.com/wp-admin/bnOXa-SwvcKHZj8IpVhyA_JeIkLMInZ-TRI/
https://locadex.kz/wp-admin/legale/Nachprufung/de_DE/2019-04/
https://mhsalum.isinqa.com/tjsml4o/pzHTi-8YEE0ueqeTqLLWu_HvQyiDZB-Wz/
https://mrgsoft.ge/reserv/service/Frage/04-2019/
https://profithack.com/wp-content/service/Frage/De_de/042019/
https://programbul.pro/wp-includes/yPxgS-cYa9oW0FceaPwJ_dfQwfGEv-nZ/
https://puskesmas-sungaitabuk2.online/wp-includes/service/Frage/DE/201904/
https://refikkorkmazmucizeler.com/wp-admin/support/Nachprufung/042019/
https://roygroup.vn/wp-admin/support/sichern/042019/
https://rutassalvajes.com/wp-includes/service/Nachprufung/DE/201904/
https://shahedrahman.com/Backup/document/service/verif/en_EN/2019-04/
https://sovintage.vn/wp-admin/inc/messages/trust/En_en/042019/
https://sputnik-sarja.de/img/wlVai-ALEu2TP5SPfQ8F_woHrdHrL-Tzg/
https://www.blogbuild.online/wp-includes/JhgN-hevULL6R9QfXzkx_CLyyVvVq-cI/
https://www.chunbuzx.com/wp-includes/legale/Frage/DE/04-2019/
https://www.doctorvet.co.il/wp-content/nachrichten/sichern/De_de/201904/
https://www.kingstown.vn/wp-admin/files/messages/question/EN_en/042019/
https://www.linliqun.tk/wp-content/legale/sich/De_de/201904/
https://www.modello.co.il/wp-admin/service/Frage/DE_de/2019-04/
https://www.neurologiundip.com/xt2fchh/service/sichern/de_DE/201904/
https://www.weblingos.com/wp-includes/legale/sichern/DE_de/201904/
https://yarawp.com/wp-content/support/nachpr/De/201904/
Epoch 2 Document/Downloader links seen for 04/10/19
http://%D0%B3%D0%B8%D0%B4%D1%80%D0%BE%D0%B3%D1%83%D0%BC%D0%B8%D0%BD.%D1%80%D1%84/blogs/dn79yjd-v600pu-ieyoghw/
http://10productsreview.com/thats-amazing.com/EAuWV-upze3dqJnlwZD90_yJOzHRhwt-SRG/
http://10sells.com/wp-admin/PGjJ-WAfBIKqyFnqjWz_LrZIymgK-ut/
http://118.24.9.62:8081/wp-content/hu94-0c386e-uufo/
http://12pm.strannayaskazka.ru/wp-content/j72z-k5mhfl-szmii/
http://159.203.169.147/yhpbh7i/x9d9-mqzbr14-rhfvy/
http://162.243.162.232/MiniDistroid/050q-jwp7le-vqutp/
http://202.28.110.204/joomla/z25bxe-qazd8-xrgy/
http://203.114.116.37/@Recycle/Xauo-xqulY3WMMsbCDBd_sknIzXFx-0U/
http://211.238.147.196/@eaDir/7dvzx2-xi1heqz-jiru/
http://247vietnam.com.vn/wp-includes/UxhJE-lUysj4WrEK1HX3_pDRlInZCi-VhZ/
http://3kbrecruitment.com/wp-includes/m9wvsmd-ww7te-tmlgr/
http://94i30.com/cgi-bin/KnBk-Ot6VI3sBK0sFjr_DXClAUpS-0cF/
http://99sg.com/zen/zc_admin/lqJg-yJX511Bbbc529UD_wzRlTJuo-U10/
http://absimpex.com/images/bacg-NrqOI7U2kT8FnB_oOVBDwQf-ng/
http://academykar.ir/wp-admin/BdPC-LbDG4NFHdHXpLp_toVUjsUJ-Tjj/
http://aecg.nsw.edu.au/wp-content/aqh2da-wh0g6r-rpdgueb/
http://airwillhomecollections.com/wp-content/lg6b2c4-t4oh1y-uyssnfr/
http://ajobaretreat.com/wp-includes/wnbrx-wr2rs-txsq/
http://alfaperkasaengineering.com/dokumen/DbBY-cfFHOuQaz8YSbVb_sPvYBuiIg-WlB/
http://alphaconsumer.net/css/gYJp-vSBOZLFWbmIyKjo_TjoptuotD-fC/
http://alpinaemlak.com/wp-contents/k2t3f2l-1s3id-lilbh/
http://am3web.com.br/VRek-ZyL54BwIAVZIhCO_KCraQSZnt-Mq9/
http://am99.com.au/wp-content/uploads/dta5-dxq2rg-imqxt/
http://antislash.fr/includes/facelift/cache/lqAE-4EFXrbzZWITJBmE_qYueXJYaB-Ja/
http://arezzonair.it/modules/sMBMC-9BIxPr87YkA95Du_wUTYbypga-1P/
http://arledia.be/dist/PrIx-UJHhpFnnMVffYL_kONIpjGXz-Hv/
http://atelierap.cz/administrace/dItC-74Q5zxA8xQhAu4t_dkOUxYnM-lk/
http://ath.edu.vn/wp-includes/8juqut-p7516-hopqmag/
http://ath.edu.vn/wp-includes/flHDB-J8GoMuhMk8cZJqu_wQurDekf-nhh/
http://audihd.be/amerika/cubpztc-aow5ac-czneiu/
http://aussiescanners.com/forum/pMbd-D4bIgGwX7JwYIP_AkHuzkkBE-CZ/
http://azizulhasandu.com/portfolio.azizulhasandu.com/8jx63-v3sk8p-xflydow/
http://babysteps.ge/mphoi5j6h/QWlr-wQLepWFv1w8ZgJQ_JWahpKPpT-loN/
http://balikesiresnafrehberi.com/wp-content/dxvr-mi2q0r-weujwpa/
http://balletopia.org/scripts/bVmRa-5L7FpyA0Lx2aI3Y_SmuyTteK-Xnn/
http://bangladeshfashionologysummit.com/wp-admin/ZeWU-R1bEIHyxgtcXAhj_QEaETOkbx-Zq/
http://barcelonakartingcenter.com/wp-content/MQpn-i876e43P0Sy0PG_eMNvUPzP-jye/
http://bayraktepeetmangal.com/wp-includes/l5cj-eyxxz-mxrsuoq/
http://bcdc.com.ph/image/f2vl-gohnfk8-hvvkgq/
http://bellemaisonvintage.com/js/Wxxip-OpvC57q7YuZSfq_YEMvzGQi-6LX/
http://benzobot.info/wp-content/PeJe-wM1sdJNx4F6YUg_CMyNyUKaC-wv0/
http://bergdale.co.za/wp-includes/gltb-w1BvaNGvAkrOqk_laMMhXtkQ-01/
http://blog.flyinterguide.com/d7kowgn/EHpho-5KExsgmpMrns4Yy_FZlgXgIz-qJJ/
http://blog.regenera23.com.br/wp-includes/3d93h-n4rjpv-oadsjeo/
http://blog.utoohome.in/2zutz8s/eba6m-hbomt8i-kmhid/
http://blog.wanyunet.com/wp-includes/fmqzj-h5hdbv-uyors/
http://blogueiro.net/rlkipss/g9ttvwx-6j1vmp-drlu/
http://bloodybits.com/edwinjefferson.com/3f7o-so1vc8-jbfgt/
http://bobvr.com/HXJC-vH5nNU0WAvQKZm_oOCSgAYZ-2R/
http://borggini.com/pages/TYuu-QcfxaYRNtuzjNe_nOfTavVR-rD6/
http://borsodbos.hu/kavicsospart/ongyT-yyjRD9kj1R2glL3_Yblyxypuv-COE/
http://bostonseafarms.com/images/foCQP-HnaWxuchI4XmHX_UfLUfPjs-Yp/
http://brainstormgroup.nl/wp-includes/okofdaa-nzhhu-psqtro/
http://brelecs.com/wpp-app/TSBa-5WLU1G7RRffMrZ2_kmvPIgbI-nDl/
http://brunocastanheira.com/wp-includes/NClw-q5hHeGt2Jf8KPc_TedNDunad-jS/
http://buitre.tv/adqss/06b3cbh-xgf9k3-otqymf/
http://caleo.co.in/wp-admin/a9ys-xrie14d-dtapgo/
http://californiamotors.com.br/site/aZBQq-ZXfw2tPwlEi9lC_jpuUYsgH-XBp/
http://callisto.co.in/assets/Egdy-yQTwCrCIg6E7iOf_mTdWAqiP-Bz/
http://campanus.cz/wp-content/isRbk-SvOleLctyW4T0p_YLaoLFib-wEB/
http://captivetouch.com/Xuyag-G5r2O7p2750FmfP_FlJubrFgP-rf/Sarjh-ZIRLmoYHWUWP3IT_LGtdSdVN-58/
http://careplusone.co.kr/contents/XiwgX-q0Yr0XZsex3y1u_kVqbWOoP-VIk/
http://carloshernando.es/wp-content/nqwo6t-s9uxx84-gcwu/
http://carloshernando.es/wp-content/nqwo6t-s9uxx84-gcwu/>/
http://catherinetaylor.co.nz/Self-publishing/teimV-VeDVrASAwSH0ix_sAgvUHSEy-zIi/
http://cddvd.kz/cgi-bin/qdl9-nfoe0-dmbucth/
http://cdlingju.com/calendar/dtg9b-0ubqh4b-ycug/
http://cdmedia.pl/wp-admin/Lkil-aTP0inyHzTb098_rBzfPQen-o9c/
http://charihome.com/Statement/HgQvG-o58jW4ePycyFnz_XcsBVjlxN-a1T/
http://cheheljam.ir/wp-includes/v7vtlwe-3unfven-ofrnrt/
http://chuckweiss.com/cgi-bin/pEgII-89p8zcpk3yvbDI_LZiBUPNa-gS3/
http://cibindia.net/blogs/knls-e3fqwlv-gsprpc/
http://ciga.ro/jgOE-9cfplM25WsdqpEV_KtEXmnrS-JBd/
http://cigan.sk/fm/hEcuQ-0CIXvPzrJHBTQN_HlYxGTNL-Ns/
http://classify.club/wp-content/ihjwj1u-b3xpxkw-vyargp/
http://cleverdecor.com.vn/wp-includes/05vhpo-ziwpg-simm/
http://closhlab.com/Footer/AwYX-EDOf2FKxWPmTYv_ZyAJzuWhL-2Cy/
http://coccorese.com/ole/UtCg-gni3UA2lCE7Apu_BfNtskKd-qD/
http://conormcbride.com/wp-content/QLpJ-RsS95KNcPKS974_KCwbdfKcI-Rx/
http://contivenlo.nl/wp-admin/iYhYd-fO0AHHYfxYJooc_gyimEKSO-WW/
http://coopsantamonica.com.ar/wordpress/wp-content/uploads/9mar4-f50r8-ypwbrfa/
http://coreykeith.com/fancyladcakes/vPMQ-EJz9r9099NOZcrY_biHnbgOw-P1U/
http://corpmkg.com.au/cgi-bin/iUBz-TkJWyIHueOGZKgr_FdQWzGqY-VmV/
http://craftsvina.com/testgmail/mecukg-9k043s-akujvhb/
http://criteriaofnaples.com/criteriabackup/YTzJA-sWzEyZujbg6lCyY_HUYyuWRSa-BI/
http://crsystems.it/oldgen2019/ZlQv-TCPMxFFeq1j3axQ_gUojtTQLK-XR/
http://cybermedia.fi/jussi/tyWsT-sNOqThvmGRDVmV_JvRGbhBs-bp/
http://cyzic.co.kr/widgets/wd6z68d-4tvbqpt-fcthuk/
http://dagda.es/language/po8n-ztss3-dvmog/
http://dangventures.com/user/stqp-NbwAA3YvZiV21n_zvcvkNKy-6O/
http://darktowergaming.com/l9ld-0dpofc-hiwewg/a9tx-37brdn0-dhqan/
http://darthgoat.com/files/ZnjS-OeDh6e2QPii7C45_CEMTRQEOz-d8/
http://databeuro.com/Sep2018/RSec-7tEDd8inAMFLyNN_lYVtDOOW-TPf/
http://davidyeoh.com/MeCZh-MbD7OSJABqbMagx_ItmaXSBy-R5/
http://deepindex.com/wp-admin/KkPes-V31deF4mwmdcNO_XsMQlVpHT-toE/
http://demellowandco.com/cgi-bin/uCxC-0auqxbeolrT2ybZ_vCEFpMqys-tm/
http://demo.isudsbeer.com/wp-content/hZnRT-neQrKwrOlclto9s_TBzMsZTi-bW2/
http://demo.lapizblanco.com/wp-includes/WYxB-55cJdQM44lqPFe_iwbhodeoj-97/
http://denmaytre.vn/wp-content/juLsk-qsxnvQMElpq15P_ieWrTWMwP-rY/
http://dev.maverick.cm/775media-corp/rFqk-uR4itgkiXBZ2e5_fXBbgYzbg-jz/
http://dibaanzh.ir/wp-content/vouhdp-nvzw7t0-bhetvlk/
http://dibaholding.com/wp-includes/CaZEO-smPnZkm7OLoIIj_zGgdFgTf-mQ/
http://dingesgang.com/wp-admin/PzRQK-aphi6t7XcG2zsG_jbUAuHLCy-Rw/
http://diskobil.dk/gearet/YCOz-7RXsDsfZQjarrh_urWNObDj-8y9/
http://distantdiamond.com/hjyboyi/br64n-03wwn57-qdegvzu/
http://dmgh.ir/wp-admin/wi09-p3i83t-usemzkb/
http://docecreativo.com/gvlb-15o2bIavAAVgfJ8_NqMhKudB-Ot/
http://easternmobility.com/js/HGpRS-FcPEe0DuuOpQoBb_zhTuvwFnf-uFZ/
http://editorial.wijeya.lk/wp-content/uploads/2zsuu4-g0z3q-eujnbm/
http://educacioncontinua.udgvirtual.udg.mx/wp-content/uploads/SDRZJ-tsGjCX6wggGyObf_eUUDHXwX-oJQ/
http://entrepinceladas.com/resources/desf-typ0zeWqkmS7sy5_RrMTvoRIL-3WC/
http://ernyegoavil.com/mineria/tf0th70-m2g721g-cgzdt/
http://es-5.com/wordpress/IKkvs-qiqHQPP34dviCK5_aWphrklHC-bu/
http://esmorga.com/pelis/v5umvo3-6ssfzf-lgtj/
http://esquivelservin.com/nog6tun/WvpSM-Peq1kPwDrS5sew7_gmveZYRzM-ct/
http://essyroz.com/wp-content/q4xao7b-j13tpz-chqs/
http://etherbound.org/test-images/DCRl-zvVKSUvBoF2bCB_FAnTHIFL-Hi/
http://familycake.club/js/1i6m5st-ow15hr-zlucaw/
http://familycake.club/js/5ps2i-h5gzpn-qypixcd/
http://fitnesstrener-jozef.eu/0vta8ll/RfPc-FtOa6oVhtJDNFbT_ctOfUESxJ-XNt/
http://flatbottle.com.ua/@eaDir/acTK-rUwQeKERem7FQ7s_BQVRHPmVF-88E/
http://flcpremierpark.vn/wp-admin/kztwd-59nm4-lfnvgn/
http://fondtomafound.org/wvvw/4j3j-dcxdxqc-erxvm/
http://franosbarbershop.com/bdsxlks/nu7j84-yn1mt-yerxhp/
http://fumicolcali.com/wblev-6pox5-vpckk/AfdCf-S5RCLnfOQUos0JR_NvTcxhKC-oCv/
http://gbforum.online/wp-includes/jyxba3-uzqbow8-hsgscwq/
http://gged.nl/geocaches/afk/legale/vertrauen/ys72kv-naf6ksm-nlqcx/
http://gghacking.cba.pl/errors/BGBHK-5drFBdEak7o7FPa_SHKAspen-vS/
http://giaphatdecor.com/wp-content/faz3owg-1nfo194-dvugx/
http://glampig.com/wp-includes/itdctg-cm8fphc-iukzmx/
http://goldenhillsdanang.info/wp-includes/5z90jkv-7m5pz-fmavx/
http://hagebakken.no/loggers/z94f1x0-2669du4-cyxvi/
http://handelintl.com/pybsnyc/kAiW-vNQ4nut7ScUZY1_AZeptQxK-m0/
http://handelintl.com/pybsnyc/RYPu-6KvYtxriJteoRc_QYhIRpFQK-qG/
http://hangharmas.hu/js/dWRN-DbOZPZAa5wcN1H_GqJXlOzvT-zs/
http://hanginthere.life/wp-admin/VLMoJ-En1PJ0LVkwsUvp4_QgPfadRQA-hJ/
http://hds69.pl/zablokowane_ww4w/xUuQw-j0sWMwuqF6erPd_RSWjCukYi-Lvu/
http://healthyadvice.ml/neio2mv/qplvjjo-fk5kwk-oydcy/
http://houstonroselimo.com/wp-includes/b1jq-scfsdo-qegs/
http://hwx-group.com/wjwrtce/dxke0-5q5bg-cecuome/
http://hybridseed.co.nz/error_documents/yqswu-fqjp7w-pqixo/
http://i-genre.com/wp-admin/5rb5-0em9w33-isch/
http://imaginativelearning.co.uk/files/themes/css/bCtmm-HK6qcgkIttnWG4h_tWuVOXuFQ-Uc/
http://imaginativelearning.co.uk/files/themes/css/tJvJ-4S9GbG33T5NPWs_noIKbYrDD-ZI/
http://impro.in/components/d7dx-7qiac6s-wruj/
http://indiemusicpublicity.com/wp-content/jdjn-awglozq-zkkmpak/
http://industriasrofo.com/Connections/sk54h-6xuzxbh-etbahl/
http://inhuiscreative.com/wp-content/q70dwtl-2avua-cifqzuh/
http://iran-gold.com/BzCYu-9u_ldXkubCA-K4/75ulao-6l63pw-ebca/
http://irukina.com/audio/lvkI-iPYhlHVAYdaMORu_lqzvWArp-9L/
http://janetjuullarsen.dk/ydcb7-9ftb6-beob/pifwzzn-gw88wv-quun/
http://jeffwormser.com/v1site_images/Ixzu-TvXmWwUjuGEBX3_suRfJsMrM-qk/
http://jeffwormser.com/v1site_images/nznp-ymGrwQGDNbOUnD_TTIpSGQif-vM/
http://jenthornton.co.uk/wp-includes/syei-hvzzitn-gbhqx/
http://johnnycrap.com/verif.myaccount.send.biz/att41-8i8z8jh-crxvtiz/
http://juldizdar.net/enhn/Ohnm-L69cTooqv9S6I8_XqVBCjOV-xjS/
http://justart.ma/wp-content/uploads/zQypE-gXgg4HEzdwvkUc_slKPSnSNm-VW/
http://kanttum.com.br/blog/wp-content/uploads/DEHz-virQPM4i5khBe7_HLQwWsxy-K6l/
http://ketanggungan.desabrebes.id/hhpdoejk5/ntejf-sutlsh-ozanxw/
http://kingsidedesign.com/blog/WYlPL-za0gol0ooOD9ZlW_vMVNAVeA-M21/
http://kingwax.es/wp-content/rLjye-OYgN40T1gygU0xy_hrFKZSdk-qXG/
http://klanelkhamoowo.cba.pl/errors/qhveX-W1gZfJiwUe4NN7B_IoBydJfFa-YI/
http://k-marek.de/assets/2dx5jz-vmex9sm-vjoc/
http://knutschmidt.de/wwvvv/ww47h-33j9b-pbdiwll/
http://kokintravel.com.vn/wp-content/uploads/p5q6p97-mzy7lx-hbpzsn/
http://kvsc.com.my/rtrtgtm/e30n-iwge68s-zbbt/
http://lacave.com.mx/wp-admin/b5565a-ekz0ru-liptjg/
http://larissapharma.com/fobn/XgSF-Sq8pmNy1ZXFrNON_iOCodegrd-nuT/
http://lartetlamatiere.be/wp-content/wjgh-PXi5GhbCY5JCZ14_eTxiKlJxb-st/
http://lecombava.com/Surlenet/z6i00pt-alrk88-rixthw/
http://lexusinternational.com/wp-admin/tdm4y2v-cqbsmkg-khkayvi/
http://liceovida.org/cgi-bin/keyd5v1-xqi397-djxeszz/
http://lobez.cba.pl/beta/YWoi-AZV9vzPy3YosLI_AeMdfvRli-VQ/
http://loh-tech.com/sitemaps/DSGu-HcSSeQxODDHYidj_yGweuvNQ-tK/
http://lphmedia.com/ardbrookStripe/3lvi57p-4konfd-dqspjcv/
http://luacoffee.com/wp-content/uploads/3urkj9-dgxla-eucrfgv/
http://mail.mtbkhnna.com/oqfi4kksd/n3jo-wwtpd-rpzj/
http://makepubli.es/tshirtecommerce/6es52y-w66v3ug-eoee/
http://malnia.cba.pl/wvvw/a2ij-jrlec37-bjzskbf/
http://manorviews.co.nz/cgi-bin/mp3fc-oxu3s-ktiu/
http://manyulogistics.in/wp-admin/y80qc3z-vbon1pv-hyzsf/
http://masana.cat/pix/neyo-PqqvNlgNTlXXPkV_nEAkLkfud-a6/
http://maxindo.com/verif.myaccount.send.net/txLPa-F20Ef9ZeQ8tdi4E_zsPNysUC-f7/
http://michaelterry.net/pambula/1o3fca-9nbmq-egiz/
http://michaelterry.net/pambula/VWhV-MxzBocitppJV4U_etzKQJUfF-pN/
http://mktfan.com/admin/mQwM-T44MiJLt8hD1st_ebDHKvgL-ll/
http://moiselektronik.com/css/wgexb0-j6e21-tombxd/
http://motok39.ru/wp-includes/z6s3-7c6ps-pybvo/
http://msecurity.ro/sites/8894bt-u8wb4-dude/
http://muciblpg.com/wp-admin/RPAX-UtFEpXJk2N32NBL_nLIpLnVxT-2w/
http://musicianabrsm.com/8uhpkl5/WBtaP-K7AgjN9BByDbl9Q_VSWjZcoSn-klD/
http://mybaboo.co.uk/wp-includes/lcwf-6lp58q1-chouzbv/
http://mymachinery.ca/DI/nDIb-GhJy36OJ74gA8X_NtAXqmdy-JQ/
http://mythosproductions.com/ttt/XZVQU-qrS0uYBmjbWl947_eyqTiGve-Dgg/
http://mytime.com.hk/wp-content/7zna62-olcuc7-tpxhtp/
http://netimoveis.me/wp-content/wa4ps7-zuytpyo-ljeyawg/
http://netwebshosting.com/whmcs/kg3nj-bf1wb6-ksur/
http://nhadatphonglinh.com/wp-admin/iaav2-myyab-uiezsdp/
http://nhasachthanhduy.com/master.class/xu0m14o-rb2qq-zyybedv/
http://nisha-universal.ru/wp-includes/yt0hop-dpixl-ibbzx/
http://northerncardinalfarms.com/wp-content/zkbI-Gwn9SW7cnGntUc_gsnxsaYIC-sW8/
http://obelsvej.dk/forum/7qm6e-vijdp8a-qqstov/
http://ocean-web.biz/pana/zVGPe-kif5jFbEiGMIn3_ZrfKoJgP-Fn/
http://oilrefineryline.com/post/ShXjT-k2F3GukUHVvRPuK_lDPjKAmnC-1M1/
http://old17.cync.ge/TEST777/9dvn8ke-aazo1-rqab/
http://ortopedachirurgkrakow.pl/wp-admin/is0v-9x8i2c4-gxen/
http://pablodespeyroux.com/imagenes/oq2nd-gbxf1p-qntaau/
http://passelec.fr/translations/mUYr-Ybdr2PeNGBEX5h_OFnPtpLK-mW/
http://peacewatch.ch/fileadmin/ONCC-J2W6jolNJZufTX_gwOdJdkBl-k8M/
http://petr.servisujem.sk/81.89.61.188/q8wssf-xaord-vdil/
http://phoque.nl/Knoppen/wjDnB-DpD9rVMSh90GkT_YgXgWvjMT-Bh/
http://phpmasters.in/helpservice/QkoNA-lU98I9HGljQ8JC_cTwldMsD-US/
http://pibplanalto.com.br/gestao/plugins/thread.init/nnsP-WP6m7KAjZTqkI5_vehwfOAE-O7S/
http://pibplanalto.com.br/gestao/plugins/thread.init/uiKo-xrb6AKFzFB29Swz_VZBUUviY-du9/
http://piccologarzia.it/admin/tJBH-7wXqhub9RVqaXDh_XKnVbFhpO-g1Y/
http://planetatecnico.com/cgi-bin/myxt-cfi89-hjqn/
http://plugnstage.com/logo/CNDcp-ebNMFpM321YFqVd_mXoApmMZ-Tmt/
http://positiv-rh.com/xy4zpct/YvHJ-dqGECITCHVj3hA9_FKuDilFcM-Pk/
http://provolt.ro/wp-content/cmsuq-7x6eho-ssmxm/
http://psicologiagrupal.cl/wp-admin/9s5yx-f0th65s-auxjxh/
http://putsplace.net/cgi-bin/gw8kz0-fg89x53-cvjy/
http://qualitec.pl/images/ySKQ-XXrRaJtiutdHn7_mKhejIcdT-Ho/
http://quatet365.com/wp-admin/7yey-rtep3-bswopw/
http://queekebook.com/css/eb1lx-mq7kqul-ofuee/
http://ragnar.net/cgi-bin/xfohb-448e6t-ldum/
http://rakeshbookandstationeries.com/blogs/mmnz3-q3jmg-epof/
http://reckon.sk/e107_admin/IinDo-SR3wiEcsbEXj03_uNpnFBYir-EO/
http://redtv.top/wp-content/iljPv-rDkksNPr0uwfPkY_XEEBKoFm-Kr/
http://restaurantxado.com/test/via6-agd9tyu-gxmel/
http://rosered.cba.pl/gallery2/2pzacuc-3wo2i-nyuqvkh/
http://rsq-trade.sk/wpimages/1az0d-ipjua8n-eafhjs/
http://runnerschool.com/wp-content/yadvag-681992-rqnhjx/
http://rvo-net.nl/awstats/3rec-91rt6k-mesqgiw/
http://sainikchandrapur.org/wp-content/y5ow-wddbcd-vsoejyc/
http://sandovalgraphics.com/webalizer/02bd2-a0zxzhf-ybgnhqj/
http://saobacviet.net/administrator/iapuyxv-vpuh4n5-pyxc/
http://schollaert.eu/EBKH/bGhc-B7DEaH3SyTTHIV_Epdnfikz-Oe/
http://seorailsy.com/ww4w/6ffq7-hq2z8rx-gpjw/
http://servintel.com/newsletter/6r8z-cuctny-qang/
http://shagua.name/fonts/ymo91-obw958-avrvxyi/
http://shapeshifters.net.nz/files/lby5-7zz490-otybn/
http://shazaamwebsites.com/perfzone/ZxBB-UorFE6EyMNZ9z9_KWJRzDfFf-Sch/
http://sheikhchemical.com/wp-admin/bnm0f8s-prjs9-arpmnr/
http://shopbikevault.com/wp-includes/i7y8-22y8i7k-xhhe/
http://shopnig.com/test/mdqd4b-vanzny-debroq/
http://singasia.com.sg/wp-content/themes/eizzw-32nywno-talh/
http://skygui.com/wp-admin/oCURt-tqpxizYs96C0iWT_vwDKTPJHo-Fm/
http://socialshaktinews.in/wp-content/YdsSo-NjLGZocngQXrJJ3_RquebpIu-th/
http://speedy-kids.com/wp-includes/joev4s-ol4uklv-ulkujf/
http://stegwee.eu/aanbieding/zlZdY-I7fBRw9SxuMdVq_CYAOblRD-fU6/
http://stiha.nl/grid/wdvyj-9gzxu-zuaepnn/
http://stsbiz.com/js/vIzd-2925r0q2Ox2Moz_kzTFXPBu-1oB/
http://studiospa.com.pl/images/kYQPS-uW1tRvKxicHJYE_odQoDOpi-MU/
http://sunshinecityland.site/cgi-bin/z0068-a7orx5h-dkufz/
http://sz-lansing.com/wp-includes/iijyh-aik9ew-xpdivpv/
http://taheri-t.com/wp-admin/yauXh-3N17RyZjYwPQmr0_IyJNdVRYn-iP/
http://talleresmarin-roig.es/wp-admin/xffskx-44af2-iqwbj/
http://tamsys.net/subirarchivo/JzQtf-ECB9rVXzlIXVPF_YOzIgGMu-Ksk/
http://taphoaxanh.online/wp-includes/ydts823-dpqquu-walaiis/
http://tashyid.co/wp-content/cmkxo0u-z5fgy-nrvy/
http://techproject.co.uk/generalo/w2r0jg-1f5sjpi-cgsbpai/
http://tecniset.cat/docs/NLxk-6DYRtCmSy5TdDVQ_DiFQjBrWi-dy/
http://tempatkebaikan.org/wp-content/tarjq-8knd94-wcxap/
http://tetrasoftbd.com/www.tetrasoftbd.com/AdYuG-UDh04QaOA26vN8_zNyVrRHCl-TY/
http://thinking.co.th/styles/GdTX-G2KgNj0WjLZ6eH_vYEDhzQBY-TY8/
http://thonghut-bephot.com/fckeditor/tzu1d-u1zy6l-jmxvyq/
http://timehalik.tk/mphoi5j6h/XgAnb-m9ewdcAoWRVNVp_kanKPlYnn-2eX/
http://tissil.com/wp-admin/w994wy-rf7s199-nzcexv/
http://titaniumtv.club/wp-content/jj6r0j-ol9tl-tsds/
http://tomiauto.com/sec.myaccount.resourses.com/vlsh0-wpvc9qp-plqam/
http://tonar.com.ua/wp-content/inbu6en-lkm1ftc-yfaowrs/
http://topsystemautomacao.com.br/Produtos/qnwTi-HGc5CqtJRzHYfR_uaygRtoJB-B0/
http://traviscons.com/_borders/v60p-3teva9y-sxap/
http://trendygital.peppyemails.com/wp-content/uploads/xn4xahf-7hsj7c-ocdvz/
http://trident-design.net/wp-content/h27crj-gnm5kho-jbtf/
http://triton.fi/trust.myaccount.resourses.net/gieVj-5ipAkxHcM3Ze5K_ldhzGEKlE-GCV/
http://ulco.tv/1v7wu20/i5wd-57pbm7-xstq/
http://union3d.com.br/new/YuAN-sef0gd0PbBcJi4_ckaUYCjRG-44J/
http://usuei.com/hrpel37lgd/nyzo-90tourz-inxy/
http://utahdonorsforum.com/wp-content/WodyY-Vx7e1TgYz12Tx1_HdkVYnEuC-Ny/
http://vanspronsen.com/test/Itves-0njYfVdPglL6O9i_pfOTaRUp-pe/
http://vidalhealth.com/vh_bkp/MHhZ-6Ef2QZYOQIf0gXj_lzlpwXEdd-X2m/
http://virtualgolf.com.mx/wp-admin/wj99-sku3tq-tuyk/
http://vishwakarmaacademy.com/wp-includes/abdvgu-lja7du2-jazzb/
http://volgger.net/nfbJ-Khwr0fhWv3gKER_GrfeBFUQ-VBa/LeROj-yPU2250xB66YB6_yRfBZiPH-5yr/
http://vpacheco.eu/xzds8sq/HeluA-9zLuUi5nygiqTzJ_EsPCAAAbO-ay/
http://wackynewscorner.com/wp-content/5expuh-mt3g5h-fyzmv/
http://wangumwenda.com/9dhcexj/lgozs-mzbnr1-almlakg/
http://waveparticlepixel.nl/jotihunt/SsNx-aCxPisKcEJgUodr_pKmLVHEZl-GU/
http://web-feel.fr/wp-content/nz1t-5sqbt5-fzuqsg/
http://website.videonhadat.vn/wp-includes/dfhngyd-1l8gp-sezs/
http://worshiphubug.com/g3oy8b3/49f4l32-5vodl-esgvcz/
http://www.am99.com.au/wp-content/uploads/dta5-dxq2rg-imqxt/
http://www.atuteb.com/wp-content/themes/bcyDC-lSuPVlXh8oM5lQV_hZVpFfyJf-et/
http://www.carloshernando.es/wp-content/nqwo6t-s9uxx84-gcwu/
http://www.doyoucq.com/sites/HHxjY-fv2VewYkdJfWer_LXMfUzwc-7X/
http://www.ecommercesuper.com/mijmbxg/YmfYk-sJycvYGXX5Twkd8_DcawmOef-QM/
http://www.gifftekstil.com/C4mAvqn/QBcM-12vE1JqwNNGXOHd_rsuhGjLVR-L34/
http://www.karalamadefteri.org/secret/vahtc0-s2rdhb-eezguv/
http://www.kvsc.com.my/rtrtgtm/e30n-iwge68s-zbbt/
http://www.learnwordpress.co.il/wp-content/lmiu-08ekzg-raxo/
http://www.mediaglass.com.br/wp-snapshots/ar0nj-pmsvg1-dtubvqz/
http://www.mustafaokan.com/wp-content/uploads/kjlb43-pgqbqxg-bynj/
http://www.nilsnilsgarden.se/css/a4094-9lztww2-yjcwoy/
http://www.organiseyou.nl/wp-admin/OQTY-zIz2mS3hpQ8NFv_tTYgiwxx-akN/
http://www.psoriasis.org.il/dating/oflmv-tuan953-obdic/
http://www.secomunicandobem.com/wp-content/bq8i-qa7pl-thirhnv/
http://www.singasia.com.sg/wp-content/themes/eizzw-32nywno-talh/
http://www.suonoinfinito.it/icon/o0zh3t-7rnc7k-throk/
http://www.thantoeaung.ml/wp-includes/YReSn-wD2tvrDyUp8Gbv_jDWxFmdTx-mdu/
http://www.umutsokagi.com.tr/cgi-bin/RXyJy-wIAnioF1Y1Kknkh_YYqndjPb-2M/
http://www.virtualgolf.com.mx/wp-admin/wj99-sku3tq-tuyk/
http://www.wangumwenda.com/9dhcexj/lgozs-mzbnr1-almlakg/
http://www.web-feel.fr/wp-content/nz1t-5sqbt5-fzuqsg/
http://www.whomebuilders.com/wp-content/oy8c-y52h1p-kwtegj/
http://www.your-choice.uk.com/docs/TdLT-OhAh7irjwCgdEg_xbaQilZt-Vx/
http://xetaimt.com/ooecgp9/3ueyg0i-0b8xq3-duwfmc/
http://xn--c1aacpcxier6a.xn--p1ai/blogs/dn79yjd-v600pu-ieyoghw/
http://xn--trkiyesalk-9db14bzh.com/wp-content/udNvx-IAZBk6UMMY1SAa_irnRMhlD-Hv/
http://yzbot.com/phpBB/ltTy-tMUIOKx9kqCDYA_esMfYIys-buo/
http://zentelligent.com/wp-admin/fhUpL-IdPW8qVBesiTjD_TDwAAeQU-GGL/
http://zinganet.com/cgi-bin/LMKR-kQ2bYpuM3KKy5Q_TWJIqWqOT-28/
http://zmeyerz.com/homepage_files/cEJM-V7INCoCB6a0TDvA_HMWgquJvo-I2w/
https://aecg.nsw.edu.au/wp-content/aqh2da-wh0g6r-rpdgueb/
https://asis.co.th/cisco-sg300/PTIja-gQtO9yyS4MiWBVV_zQhbGznL-5Qv/
https://bangladeshfashionologysummit.com/wp-admin/ZeWU-R1bEIHyxgtcXAhj_QEaETOkbx-Zq/
https://biddettes.com/xakgexg/a9mba-8cd5b3-yzhsfj/
https://brainstormgroup.nl/wp-includes/okofdaa-nzhhu-psqtro/
https://buygreen.vn/wp-content/xNstv-CRWKqfiIKKypFSK_MCUjOOEfp-lf/
https://bwh-reservations.com/wp-includes/kmbk-blIO4Pid67FOn2_NKhjgVoh-vY/
https://catba.goodtour.vn/wp-content/plugins/adventure-tours-data-types/assets/fonts/fYuC-U6V7h00Qhdy5wt_nfzwDyogd-j1/
https://classify.club/wp-content/ihjwj1u-b3xpxkw-vyargp/
https://compucon.com.au/download/aRer-fOAl7AFFNKGwppS_URYRZXlYR-OUx/
https://constey.de/krams/GLtQm-9Ogl5zbvPvpmvF_HQaocXbW-rl/
https://delzepich.de/wp-admin/sWUx-ktPsdQCF5uWnPNm_PwVEsvPEr-9B/
https://flcpremierpark.vn/wp-admin/kztwd-59nm4-lfnvgn/
https://franosbarbershop.com/bdsxlks/nu7j84-yn1mt-yerxhp/
https://gardeningnotify.win/wp-content/xqxl-21fz0-npkevqx/
https://giangocngan.com/css/WbQGL-oitjLvs19kzOO2_AuFhcxAf-Og/
https://go.bankroll.io/wp-includes/l1nuy-n19zlva-fjyqp/
https://homescout.tk/img/isc5-aj20mt-jxsddsf/
https://hwx-group.com/wjwrtce/dxke0-5q5bg-cecuome/
https://ingelse.net/AUxDp-b4CSupAMfWu2Ne_jRJanUStb-P3/
https://inhuiscreative.com/wp-content/q70dwtl-2avua-cifqzuh/
https://inovatips.com/9yorcan/mts33-18ob6hx-frmyru/
https://internetport.com/wp-admin/iDFt-o5F4AFsdQBwje5_qwBbMADk-R8/
https://loh-tech.com/sitemaps/DSGu-HcSSeQxODDHYidj_yGweuvNQ-tK/
https://lphmedia.com/ardbrookStripe/3lvi57p-4konfd-dqspjcv/
https://madialaw.com/wp-content/zejx6a-iunci3-lgjyw/
https://manhrem.info/wp-admin/fizeek-sa20cr-evehqd/
https://moigioi.info/wp-admin/aZrQ-PJkBRJipyoyZAC7_fXDpWjRSL-x0/
https://musicianabrsm.com/8uhpkl5/WBtaP-K7AgjN9BByDbl9Q_VSWjZcoSn-klD/
https://nana-group.vn/wp-includes/phfhhti-s20v4i-dquiqkq/
https://netimoveis.me/wp-content/wa4ps7-zuytpyo-ljeyawg/
https://nhadatphonglinh.com/wp-admin/iaav2-myyab-uiezsdp/
https://projectconsultingservices.in/calendar/v30fk-3nor8t-drzqe/
https://provolt.ro/wp-content/cmsuq-7x6eho-ssmxm/
https://samcovina.vn/wp-admin/u2ih-ycouakn-svybd/
https://shoropio.com/wp-includes/hspa-m9yoar-ocwv/
https://speedy-kids.com/wp-includes/joev4s-ol4uklv-ulkujf/
https://sundarbonit.com/cgi-bin/09bw-tnnre9-ojglxa/
https://sunshinewondervillas.biz/wp-includes/p3o5p-r729r-cqiusd/
https://target-events.com/Office365WEB/ta6d-qewrel7-zmjpcp/
https://techybeats.com/wp-includes/8haihmy-phpt3e-tuxcm/
https://tempahsticker.com/wp-admin/ycYSF-TT0h7TircQ1UGT_tBlxSnERX-7D/
https://tempatkebaikan.org/wp-content/tarjq-8knd94-wcxap/
https://tissil.com/wp-admin/w994wy-rf7s199-nzcexv/
https://tonar.com.ua/wp-content/inbu6en-lkm1ftc-yfaowrs/
https://utahdonorsforum.com/wp-content/WodyY-Vx7e1TgYz12Tx1_HdkVYnEuC-Ny/
https://visualhosting.net/img/7efhgwt-smhc5-xgvvsdt/
https://worshiphubug.com/g3oy8b3/49f4l32-5vodl-esgvcz/
https://www.dierquan.com/wp-content/4cvr-tq5fz1k-ihqyut/
https://www.essyroz.com/wp-content/q4xao7b-j13tpz-chqs/
https://www.la-reparation-galaxy.fr/pctjrn/ImGxi-ngHsKidjYsNtQvX_HITVfaktb-Xf/
https://www.learnwordpress.co.il/wp-content/lmiu-08ekzg-raxo/
https://www.mountainbike-touren-pfaelzerwald.de/uuyt/9sehfy-ubd8cjp-wgmri/
https://www.mybaboo.co.uk/wp-includes/lcwf-6lp58q1-chouzbv/
https://www.netimoveis.me/wp-content/wa4ps7-zuytpyo-ljeyawg/
https://www.oilrefineryline.com/post/ShXjT-k2F3GukUHVvRPuK_lDPjKAmnC-1M1/
https://www.qickworld.com/wp-admin/5cp4-9kw48y-xnqwphi/
https://www.riseandgrowplaycenter.com/wp-admin/x0us-q624nt-fzqz/
https://www.virtualgolf.com.mx/wp-admin/wj99-sku3tq-tuyk/
https://www.worldfocus24.com/wp-includes/PzlIM-DIGfi2rofntZMZ_vbMzZNGj-2yl/
https://www.your-choice.uk.com/docs/TdLT-OhAh7irjwCgdEg_xbaQilZt-Vx/
https://xetaimt.com/ooecgp9/3ueyg0i-0b8xq3-duwfmc/
https://xn--80aao0acd1ak7id.xn--p1ai/wp-content/themes/creattica/CCgiM-lC4PnTzyMkoijw_pIkibgpr-3YW/
Epoch 1 Payloads by Document SHA256 - All Times UTC
Creation Time 2019-04-10 20:10 (JS Based - Fake Error)
SHA256:
7d91ca89ded649dd8a7f691d603d22435d13fc741a7d78b3f587b18370184029
https://abaoxianshu.com/sendincsecure/DfS/
http://flcquangbinh.com/wp-admin/baG90/
http://nealhunterhyde.com/HappyWellBe/joLiO/
http://pemasac.com/css/Uy/
http://uflawless.com/kceggkl/zop/
Creation Time 2019-04-10 13:30 (JS Based - Fake Error)
SHA256:
c5aa88145481b5ec57a620084e533210b7d896e4b5f7b4aca8abdb68646a8343
https://binhchanhland.net/dxxt/JJ9m/
https://hidrogadget.com/gtcmhlv/MDdjv/
http://gajananled.com/wp-admin/GKb3/
http://ibleather.com/wp-content/VLn/
http://www.karabagvip.com/css/Rk0v/
Creation Time 2019-04-10 07:05 (JS Based - Fake Error)
SHA256:
20f61d43bb940c959db46366a7210ec321b90552f17e6bf3502bb26b5490ded2
http://algocalls.com/wp/M5TiUY/
http://dailynuochoacharme.com/wp-admin/h3S6/
http://hclled.com/aspnet_client/RdDn/
http://banzaimonkey.com/images/7Edt/
http://biztechmgt.com/mailer/NUi6/
Creation Time 2019-04-09 22:15 (JS Based - Fake Error)
SHA256:
77c98ff712a343ccc9112da423212287d0111a63c6ddb750ba49866b8e48a0ce
https://gadgetglob.com/wp-content/awCLA0/
http://namellus.com/wp-admin/KfKR6X/
http://hyboriansolutions.net/wp-includes/eg8/
http://caferestaurantnador.com/wp-includes/0ONjP/
http://www.muchdesign.com/test/TNTL/
SHA256s for Epoch 1 Payload EXEs seen on 04/10/19
d2dd5c3334f7198b0763cff611d99b643c785925d8f3619cdd33828923f503b8
91ebbf5c7cce26f86fb23561076b5ac611989c6150efaf8f6f678619e953c92b
3521f9acd6139fb596a07a1292da86eef4ad2c47fca1619903d41bc4fe23e7a7
Epoch 2 Payloads by Document SHA256 - All Times UTC
Creation Time 2019-04-10 23:15 (JS Based - Fake Error)
SHA256:
b3fe76513ecc54e0ed1c1a4bb1f12db47bbbd25b42ee85cb2336187cc85efdf2
http://grupomma.com.br/divina/Y_A/
http://dragonfang.com/russ/j_Y/
http://clickdeal.us/globalink.cl/C_e8/
http://cityplanter.co.uk/site/8Q_q/
http://sanmuabannhadat.vn/nqlnlysz/4_IX/
Creation Time 2019-04-10 16:20 (JS Based - Fake Error)
SHA256:
26b5d6c8934dbf593f2cc541bacac6e7812d71ddec256eb7bb4e9dd61b9c13b4
http://www.canvedatozdemir.com/wp-admin/uG_a/
http://smarterautofinancing.net/cgi-bin/9U_yY/
http://jishihai.com/wp-content/IC_nf/
http://lp.fabbit.co.jp/wp-content/3A_V/
http://hozd-magad-formaba.net10.hu/wp-includes/S_5/
Creation Time 2019-04-10 13:25 (JS Based - Fake Error)
SHA256:
7853439472ed9cd4358d92492c3abbb44d2ae46a2e3fbceebea2bcd858e4ebaa
http://www.lattsat.com/wp-content/j_2W/
https://www.shema.co.il/wp-content/lm_p/
https://youlya.com/wp-admin/xD_wC/
http://mundosteel.com.br/zgrhl/q9_l2/
http://blog.kbits.net/wp-includes/8_1/
Creation Time 2019-04-10 06:30 (JS Based - Fake Error)
SHA256:
fded1345d0108bf6da569dbb8b00e143b393e89c87cb201965cd1da0631ad4a8
https://adapta.com.ar/cache/Se_Sd/
http://wginfotechnology.com/brisbanecomputer/9H_T/
http://artalumin.gr/loggers/N9_Jj/
http://mniumek.cba.pl/blog.tumblr.com/8_Z/
http://nethouse.sk/txt/Q_q/
Creation Time 2019-04-09 21:50 (From ZIP and non ZIP - JS Based - Fake Error)
SHA256:
7ddfffb789cb316a55ff6f7c0dea5a703dbe3cbdd25d70cf6cc60481e90a057c
http://rudzianka.cba.pl/wvvw/6_hQ/
http://sandra908.cba.pl/Program%20Files/Wx_UU/
http://smeets.ca/cgi-bin/G_LD/
http://nrc-soluciones.com.ar/soporte/wk_UT/
http://siamnatural.com/anchan/E_K/
SHA256s for Epoch 2 Payload EXEs seen on 04/10/19
bffce3b9045c249659d41f68d1228933e4850e285eb9a49cacd684f4b23f2686
ea1a71343913bec97aca98d12f8a6e7a712ad8c6cd31acc80a9630c07dfd0337
fba15dfdcd6d321368d247cb7c6984ce9c9d240d532ec40cd25e43dd81c67d0e
23de3275048995d64aeef3062935037763186abe57b291a17353a1f46592d3b3
42af3f0bbaffc7b5216d9a3e53c3f3e73f7f5f9c6e06f3a0245d3ebcda4e69d5
83cddcaad7928fd9022d88e4f3da7b1e04414817bba64b0fb1dbaee766ae1e12
7f08d3756b699d47e3fbb743a0ca98d535ec724c18c8261c199636a8aef8b270
755a65f7b94a283b3dc623c40d5cef047a35425e73b4dae038d31576d2232152
2ed6ce82a9286ea394364b006491ff4ca2ef0013b14e7aa1a4b84dc07d933309
bd20a3acc3cc2bee4049c979f2f66245a4f0ccd15a7fd8b47487194d609a6770
3e785403a87a715a0207a2285f84412fe63574b343bca45dc8144065be57e21b
83e61d943c9dfe058a18b357c96729a0b793d0b976db43e244b518fa79a5932e
db2d0de788192bcd9dbebdd60dccad770d79bb73a6d624b279645a931aff12a9
4d430ec3b06f0d1820b8d341cd39a9af856f098aa28b96b04925d737cfd41efc
17d1d3163051b66b2ee1af0db4fb6d10811aab0f5d474beb5b5fa886b793304e
903a57e0d6b5ce29992ab61d647a821f3b9ae8733af0f39466b14904586f11f0
6e2f7ffa82e1cb1a466406df9659f9e00885454d09af7df5127769c9171d4a2d
08d97ed749399a2783a154fb92462158e3bcd6cbf10ecd4fc69c9e81a08faea0
f891d2e1dd5b4696fa0704f2682425d744c9d222e642512af5d3928f6361fa39
f585320ae10d30380c555e31feac8fe1f97d37e3450104c152e25d9414182e3d
d9383fe9330ef97e39cd0d5f24d0281cbfe02d37aff872cb16e6527133734f3b
b85db64f267e5eef8c8427855061138415525cda5f781511d419fa426d2f96ba
f06d5e8bee889d5e7398c24ddfb91406f8d9812cc26652219992234ea8779d49
d2b3795ae382b60b62e9b795ff077fe55dfc52c5ca7a7592b02843d8e6f5455c
1e1aaf76e1c6679850cc50402eea33ff1d4eea092ac71af5c14801a8009343da
3be60a8df4992ce231f1f5780e35c4dda81bcda43a2facd3c3ac2df7fe33fd3a
79418f6a7b581cde930cf8b86ac8ffe6e3fcdb5b2d198f8c82faa3c6ccb8c505
c38b2b95ed05b2c6e10f90a7f73775facf0d79b2337936099f32adfdb7cbc6af
e1f94c4f8630caec6a19106f15d8e8dfb8216c207e569c538cc0c75c376ae0a8
323bafde4abdf8a6afd2d1f1bf242d979ed1d5a872c92f8a789a953b7dfcbed2
ed2186d66a6113b1fbcd8946634515a68e2ef854a230f7d417ae206890f9564e
f2cb7880bf07ddca4578c05738dfbc88453f8cfb0c37dad8086818aedfad66d6
420c22c01756a0d70297a4a65375853fc0c60d8a64e56d1747af05871d9353d7
e8754195a7f276ee51892a63a41fc89a254d15e9f6842f8d5cb925a85c2b6363
e6a93706c2bc73d8469c748df614e74aa65048e3f2aa0c03cffbafb9ecae6083
13ce5d1f42bbf9dac129713c26d8240bc06db1620b485b7ca9a670bf7bf98386
c6f92d07a6dfe7cac5f2ab4a87635ace6996787612589afcd4626ee25344fd53
4e363da4b64303394b6980de48849bc3e7010cbe0b3015eb2f95e9737676186f
158c8771c1d3130d43498978e80dacbd47c9337fc98b9f5a408439314f4cee6d
c0c82eb7084e8506b8e3d6560b110d0771a3d41f55eacc329065f75ef0f42709
0c99b394f5c7778bd9e80bf5d5ea6ecc5f8499449eb8cf2a10a9e0874b812280
6ddde6922a26cef2682f33d0bde1c4744bbd70628b3f2e038cde1f0b85cf927d
85276827f6c9c77abbf475ac299eeb8f6ff36868758f77d50cbe04a398000ec6
e94fc977a9aa09dc445d5bfbd437e9c6ef29f430ada304fa22232eddaed67297
8814678a89d7a30924016100f7cf3141fbd87d7f99aefacd11837c8555bb8c0a
38048dcd88d55ef1b6c65ad50ff4085e82d47264747c30b2b9b6eb2d8756da46
4e7b9bd17bbe6e206ea69e05c57b90f25273ddaba0c812f6aac972db7696c37a
ca6953f5a165e62741f2510f94fd8e378841e07e99f5e1d6bd06de22ef901cc4
70accfff642086a699d2b96fdcfaab81496bca28d9c74f4dae39daedc3866bcd
3f9a7f00f4ffe84156f61ce93aacf75034fb6b2352e6be3da340d1902bc13179
db1232dd7f33c745a8b7b158e60c381820dc7d39e6ca77ee0d881a8080a22318
73274bb0e1e6f3527ce1e9b9710768c0ddef5f0a903eb118008f1f348a6ec6b6
07e7671c76884fcd953c8b1e1a79c71d67fa5e2f1f390239a0420b7f26077acb
d88767640afcf2207b483e70115cd64cd1ddf156106af0961ec537509de705e2
8a145491386f6ed1cfc58429441453d488abdd1912c389fd2dfa760a9f64d695
4516e8431c323522f2ef138ed20e6c505928dec846b0d8d655a00b48a2a0d8d3
8107568a2dbadd480f09154389a8b9a30f5674972dc39e3a07e15c9ca45598a8
5637e160a2fa3795800edd3f24eb9e8d1e12d16f2da5ab8a8c0956490db7b49c
54a302af136ad0d56409f40602ba05940bd69fb334b674946d4b84da02e896d3
e03e5725afd82e89074c55386af44a96ad5164686751b03cf9b199c23b98bdf8
a93f64a8fa04069180bdc4d7903b852ca57cf25e88913e9f6e8110f94fb9f172
ab4df8c779e88ef81fb6fd7dbf2217ce0ceb5d6fecfc905f138a2cb2abab2533
113f4108836e8be60b8cf0dead1fc111672af52fb21285f15a9146765a5feac0
94a7fe0f245f12397b7fe225c1a5cf3267778e87c0b5d40eda8a1ee13a8fc6b5
5cf7717687202af6784bb2462cb182a52f4812ee832f64c80f2ba0ead6bca8db
679fbe74e365ba88ceb1062b2abe23aa4f3157d6dfd7c79d6f0d40851e08e9e9
c0748312e7580bb7e35da88e178e989068fc0654bf0f033f671f8ef12a6bd424
2133ad4871d0fb4661791a3e26aec0d2435d22f4ff727a885030e2eb48b48a26
bdadbcaf01c4089b300f9cd07915498220d2bf340bf2543e9a53d7a3eee7c437
d948dea6a677cc2a4594142a7fb199704e2f4861034ac40a082dbee602dc49d7
d1a11e59e40c1a67cecdd7bfc004ef05202e93a8cba7293400541fdcf1fad31a
407c2d02738ead762631f109afb61339599dfd67e45a923595dae73bac8e5c66
032069fac8e996b8119716df4d2789e91f09672cd2c0b99b5c73051d178f22a6
d055f919226e6ca1c7c5f2a4c63994f4b118e757a2544fcfa238efce35e5ff62
2a96ec4c17403d527583a7b7be4b8283ca8e6aedc10ccc1d2458e6d6cff5b480
bb7d6ec2e0b72747571466f1f147547df49d3dc4cb8a9a370b59e9c4e1532e28
bd18986bce4554e5eb8207404e326c0136bc4c3d94fcd27df86b1232d16a5373
3558176a2944dc4a9b9f7929b5b682d6f522058b8217e6935455945663611d23
db7161a69c9c7687a22a27035da77da0e693ce8d9feda4d943f2cc35ad00d4e5
8f8bddd9cc3c4eff098ba2452221220fa6265df5c1cf13e7cf044eb8e11b54cc
605b4fbf47c1b87fc38f3036457da59c81c34f09e1b23e58494116935ba3944a
b3425fedc58f7eb7e2269886e68d83e91fa8f3474f3c284b0463d626a6ba2633
0a84450b8f27615c002a6039f97407c8fc5aa5882e847bb323ec18684b82435a
04d89dc10b4143ddb7a274ff9aeb81d752d30e111c25f5e14192b57bd3b509bf
bd11a34b96bd2466f3e03196d75e2f613a8bca83c5df0048c7dee600185e6eb4
fd72b338a5696957c77b81803421e10f6dca9f9af3bca64dcd0dd46ae33df0e8
3e65ffc8e94fb67e55e025a197e21aff0f0eb32a5c6ea77b1c58d72fb30390fa
c99d035fa2990ae6a14ac793a4c632d745fdb27d401a6568cce42c1c7c1147f9
d4e028345c6641b2c1ca6aecc9e4e948395cfc69dc1ca4a855196af4df9ff62e
90b07ef7851e976f13753ba0dc8c64035ea9573059743498587251d38af97b50
aa99fcda04c23941fdc4894a12d184d52cf01639c110f106a1cb18a62f1cb1ec
fb117b18b5d08819e44cb318f7945e4b762dca8293f568eb0a47773a0556e765
f70e9d834b12347aad05386dbc2672efce9390dc819c92735b4be54f9352405c
aa99fcda04c23941fdc4894a12d184d52cf01639c110f106a1cb18a62f1cb1ec
7b40112a235baa0fec16d637e4299acc146710e725bb8c0fdd4db042cb96585b
3562d7c5893587d17601aa4ba9dd351936da3064369217439988a362ac9d77fb
48c2cb4bf3afd0a806d7967ee37a923e88eafcad035ede09a70a6748aa5e5002
e7fe4f25fca86fc49f40e0f3e2c2411fbea1e65d9c8d3d3150ac156fa3e4216f
37b5ec1a173d9f160e0746fbb3226f6f39910765762f22425e9d83114c4bd943
722d64c9f8000fbe007e8bf911c3e2a76cf6a245cc5f9e39b484fab26c3c4b7b
1f3d2e5fb41ae099d4b4ff7fd17d29821a792437f68bfd382e7d2f494d4b8a90
22c22e132653edc558565c4ae68b21e4598db924d6e0193b26d88c2a07bf6891
f14bf6ab9762b22918eee301ccdeb0c73ab33529f905cfc25e67247905b97343
79c99a1fb6eafe95f6858614befd9f4f27719a9f4a663146ffc3f1ac94068660
2f581fddce225090ed3df00209a45c75ef7e095f14399f34a42ca53760d114dd
1b8f652539533fbb0b5c2f365dfd465e8c72d77333178d99308d6be28b23f5e6
4607066fb919ebf8e9117b6bdd11f73e165ba98622213381dab25a37cb444ec5
4988a0df1d87fcba0aea23447b7925489aabb368260003e6ecbdf4d768fa666b
20fad9ba6ec982ab57a0b14dd69e4d2ea4a674b8aecb67bd1a311d332dfac448
a882cd36825d6e74446f7e4654b5658c0e350c6a473db3542c537959cc661499
3227826cc7b62e49721d5e3c4c9173f2ad3a375064874c6f7f76fcf39e3cc44e
7795e95cb366af9c725d8dee10c77d6e5dcbd6c59c4ffe6053c8cfca6cac1935
3c88bf95227c3e0916ef239199d265e1c67b38a93f1a5481007f3510e300e4d8
1db3047cfd57cf963310d948d9caf399cfa41807bdf0b3f47373a81831dd9e03
a06ef58572342a42523e1fae4a74e0c242cd3f5bab7c929e4b93bafdf3fa309e
c5030ed0dd57eb10e76a908de2284a8c388ef8f3d9d97ead7651b1a3ce043a53
d43f43a9cf71eb7f7623252ec3d4b7376f726501d675f1e6651a477617a2dc77
c59cc42846ed5ade5d0b9f2a6ce772fcfee709aeb3aaf8e47e3ea32ee1c43f78
a38d25a9197220b7df146cdd0e980a0fff1d5349d664485d7b90ab0f7c020629
ea2b3ead840cfa441fa1f033327802e61fea55db143a797aa4f6809b745db85a
cf83c7afb299e549f86efb6bcbbfe7d7b40ae0492160226e043e8db97950d3ed
f6e6db8f51f975e1d9190393d201629c029a864a1317c145a4328f96c9c9e1fc
e95ac93fe01a7ff0d4e978aac280e61f9b04a2a5a528235943bb43d48e8078cb
8199e49b44b179e9edcbeda6b4a9c130edadb2eb5c9f88a99df8c0061692942c
23d2a439f71d60bc239fc73bd579b90bdb8bce54e00c599847ebcf6f0230aebd
fdb72096592ad983ea8db2836aa27745932f1fdb9a734aae248579a355d45d1a
e1d3faea577cfed11564e43a6223de351303be7fbed047e2e17bd0a320d73815
09413cacaa19a7ad2646db17a066e47ae48c2cdecbbf35cc61252665732db950
54dae3b5b5a3643d7cde0c125c91bac5ed92a2dd04982dd483029ae636e79138
d7a745533209956b23fafe533d54e93193c7cda43457924693dbe60ec77ef8f2
28cf2a0df49a83892ad9f6bea77619ab8dcf1155e938cea6309e094703d62df7
540a8a9952762ba7525caf61fd2c4a29c5353452a2ec4e71f960886559b1be90
fcddfee2eb5bd7af144930c3df7b147a19673e63437f8927edf4cd508f94d2c3
4beaedbcd34b4881cd44f5832ffa28db015ca7c14117a4abbc29c5a4c0b8074e
cbc2f952337bdf063187b2c0ace7cfa85d0a0f40e8773c1301941c44470e9e67
c52cbeb6f8d6922ccc14f84d94b7be343ff3b29fc8c788e436b774269d01f301
aef8c81eb54138c3f03768c0983978257f8ceaa4296df9170f9d11eaab10bd13
6296ad94bc62f8b74224cd3eb6ba8bb6f9bfaacefdc28f4da4aaf746db80f090
b4e843d712f44dc2d0ed68353b303bcbe4f1d1ef7fc9507475263aac59334f10
b3f70f46dddfe3efbbd998aaada97696e5aa764debf7d4d561860dea17c089be
5001b6a0f331f93c4a381d1dd28b692873cb376cd9f252a67afc61de3d078ed4
751e9837d74a6ed604a981b116430f345947b818e3956c6df7834837fc26c01e
95f7f2e5620967c67ec22d0010114a4b53ee091e58eab83a22a3bc8c1bcc6c43
0a521024443605a4dc2770260d725e1a7b5a7d1380bc948a5641be6d53244bf7
d7b2c3e2855c291508b2211d167333370dd2650a217f3c15e661130c58d4b505
70e2c674583e4c29dfd0684642e633ec275d52327c53ea800fa1e7e9c4bf4896
34a904bcfd02d78ba8f093e36ea7dfc22ba54104a32d6ab5b5d9d439606aa5b4
387a2a8a4da3a75bb2a7d91e334c8151cd2c449a5d556d88b30a0aae6817c3db
78962786ea40f561b85c3e5c0d1d6354eaeccfe698a9681231957f5fc57c0201
2d8e89a2474dc807f5ec1047309b0e8515a526cb6b7595823c13f84211f17c44
863cf0f3e67bc801bdae0a02c8fc7763b8058ba3fd7de56d8cc601c425b13f5b
1440bb9fcbf7e0e6b1e6d5754d796d4edd80a74f95321cf018a87ac2f1b4f2ef
f528262e626978b59f5b5b739fa8b97462c4c01f3b4849693731346ed1edc813
8d365f33db8412d415d994d27f527da2875fed92ce085410473760e26f27d65b
e5edab1a4d6a9e5a062de6e2ec752f56d25c525465f95aea2cd5d9c2a4a3c4fb
fdbb27d4a9013f01ab057d4ea5647c307024e6b6e9c3323b8e24b1c69cce98a5
e5e20c72946053d3f68088984b411a68761ab8fa8e3921c541a7be0372711610
c3e679dcb660bf2f63266a772d321bd7dc7dfce21155238f9a71ef893ab9d8dc
30e1828a6a5b48e50921ba4e5ca0d51c5f184f74fe7f6538fe1b5b0c5e4cb95f
5e37cec9ca483608bd72b040e1d8b6d411455018909ab98c2f3d4c786c0b649e
e88dae9d507c0cac95f7290ed5531b8a49a8b8a9d83c76c68f7bf01cdccbabc6
9d1222434993eb19cf7eb481c240ed8582a9738ec850f8083594f46916513a45
94fafd7df487f2c4af3003e8a42d93ddbe4281adab1366a2d36c109a169d6b2d
e18c5bf6578d4a2bab13f68e076aeae06089ceeea1387cfbda34107ebd345dff
a94abe96e7e84ca47ac055b243b9f0a5e8dea9115b2fe43689f9c6e77525ea93
15efb341946a38a2cd719ef68af6cbde16d425848e1d684097c380eacfca2339
4453a5d1557b6b795132073201d01a68611c733951bc72c40d21608b7c935195
dbb7fea61496269b1b8ff3c1385bbd41490b90ba571b8b16b94087009385d55f
d4fa58b60b1b74fdf5196e3c1b1fb5a8e58f48898e466b0188c1980f3e798bdd
1597cd0f1af9db9f56031dd89e689be5761a98214638661db0f6702d8af2cdfe
b4fea478a4dec6e4ca1cb6818345b58d2d514dab01667e8fb68ff585ac446a21
51cac1c0f1043be7e74036c7133f31e17db5e8919c5fc3a0facf09f771219f74
f945c855c573d293896a166e26c77e8c9b449b8856ef7099cb2ad454bd9ec12a
1917776166032e4df228290eda1c90d8a9ec7569b24fac24984ab2b24c621272
12069338a5e5d255a3568fd005c78aa711ce8e996d59d30e0ede54e9be42ed05
a6762789bfc26c6801d161dd12b2e367cfd2dd4734093a8238ef119e535d9126
f86ef26e9e7e80fe8ba1936fbe055945c7d4abf3f983d50e38eb0006f2108170
40ea4dff41d25e6cbd497e33942099e89d9432989a220a1831a24e791528fd1a
baf08b557c15c821ee270619b3d42439a4a930aa3472ffd6e49e5132156160e7
9d4fca7c3bc75b55310f70fcfba3c4b70621ca11523221bae40f3bbda26abcc8
8694beaafb49987ce0ffa8352cfa19b0108ea10c1e6e9622d50d66dd002a86ef
a1db37ebc227c4a2003b706d48d540620101eabdc2412096442915e7d59b3fd8
330a7664e3da1ae3b98fdba748efd644f93c8245d15679b6e12356e9d88d5697
0a291fa1391b4e4518d1b5c307c366ab6e4b38c9d43e23d9027c7be2f1d56114
ef10faa12d70d55bdfa509ca3d558eed251877dcd19e662042465e9614ec49de
e67e861bc125821331db796b882f34b4d4da16e337ca9d1a0083ef62bf7a61aa
11dbb021b663c84e26663121e993e3384f793267426373e8e1b0e5d335fb22ba
8a167ec89e83275fe22e4084afc4a0b912a54248e1f43f64fef3e3884b22d401
f40773fe08961fdf10063d1f60e6a0b7f17124e64ea54304f97cc3655b736569
763a7519189c75747657690d9db0afd30f996d3ba2af4f6316e4d80e81391b5b
846a018d94cfc5c35dd81a5bc3e33f0891e171ebc57621fd53901bd1c8ec1519
9935849dec54bc8f6ab9c68586cb8654e38a24812e7ac771611f5ba9e68c1d56
d45c7a7e6e34b30a57b95847dc5fbabaf651a564604ebf43b1467b7a733dceb6
49653e24f768e5e3831acc764618ccd86c8ee595c8ea6dceed2eac93c42c2b59
b4a247b011381d1c43ad83b716537edcc8a12be7fabdd7d712592e7564b8ac72
f391cd1abc9d384f197fbcc9a5377d67b9a415774fbdab4092f6894d48195a21
6367d3381bd831b8652a476c77702b3e5da97fc465fb4e9f851bccb2fbbe6322
597f4eb8a87b526a2b4f12004b98489a6dca7d8c90cc185c083885ebe25ce8f7
83b5c90346182ac6f79ccae6495e1d1bc846eb335dc9faa23093e37025d2f204
d3ac53281fb8acfacab022221e0a282766ba53f8b3b9bc860c13f07dd91be177
3725c9909a015a1a2284eeb1c5459cde966c14ed391b2c195fb36e08fb881d87
313c69b05df0db23bbb8aafe36a4c90e24ef9887ac400c2e9e37f283354430d2
6a657394b9cd357cb831d1a15e5abc8ae577e78bc04db2471ddfddabed7e07b8
51115d59895ff22dcc2851fbe94cdac6f4e03297c3067328a1f3b144f329fb6c
40aa23e6016b7a8fcbc275302cf54ee1c1d53200e758de65a5a6b656b77281c2
f5d4bf96780a39524a81b67119ae677419a79a148058438f9ba5eb5a22feae82
5727e6bf0c9cd9cbee788b0958d60b4716ece1807a0f51bf7b6a1a22e347d2aa
6107a4e2f377f31f55f4dde0e87ae937d542cc8902cdb956d11d3eaa95de2a64
ba5a65e8fe19e7cc16950ec540e680c55e7ee19a45dbd21c32c78c05ef783e21
18869dacda454d19d9ac8acd07d3137b687fcbac5c60a710bfe661d5837125cd
8b43ddfcbbfc8202391e515c451932598547af09ae0a90ba881c5c8c10adcfb3
7b159b627c552aa93fc4ca38f2cb7beedf6dc00fffd13c79355d0c9d7bfa39bd
3fdd42303c12e66f7616e792df3bce7e4f9187254a2c9c624bfe8c94492e831a
9fdc501c1bb7a25080cf0b850b061ed701e0b4ea270d4a6c50ea539705ab9109
729c29588421a0e9509c0d440d0fa430c8ac22aa4786781e486f707b2a341012
6a1c5b20bf0a44180bd2d8f2462dd2a3321daf31cf3cac717117c49e9c542da9
b2ff130cc1cf2bc19cf2767b9884be813849ba8294f7dc09d0c3dcfba3946962
a60f5cf7a0126444b1adabe7e38c5b68df6a41cadd6d89fc0ae9f65b6c3ffa6b
37097dcf5b85d5c54e061f81d51fa2fac7d8a0d82de6bbb79182e16a94216f02
e506ccd2eaef7380e85e6e167ebce9a12da85e086787aa8a413869d1985b9baa
aeea71e28d383dbabe6f4fb9a2d7e304c8f9beec9e242a911b6b265be5a9f58e
c3271a16eb01960f7e93d29be5d1faf47fdcefe037311fc3ab9a956d3310f3fd
f50e36892aa2c58ec8926d8ae4ad9f9da7f78a44016e95336a5fe185234aed05
287e3d9784d5de688ae6ecb27514c0667111aa542607bc88261391737b58b4fc
0f2ba52da77f28fa8d4223587359b1681dc14042e7b98601612c1a7810f22a5c
9bb731bd0a51e1e9c2e411994fecfb737a3776b561f11e2e00b42f67f10246db
c7edd493df0584e91d9c17c2a1427be85d9b22758d46ef44d5251cd0fd73040a
7c0f9fd3e81eea294a1b5b1a2ed1cfcd628e9903bc9ce9fd4d393b559deae1a4
688d4398e03d3074f765850994470c790b268b135e8784eb1e324f2627dcc555
b32f9d98c44112155af127892b7f7dc13de44e04b34e02077242cc9efa9d7f9e
b122eb5a820d452998128defef86a465d728aa486a62d428fab2c0cb789c62df
819169ba08ead86b6b51735ced17aa155cb1dac1f0947f6ad79781f2711b492c
ad01b7a6b734116432051248f0d0fe00c7a31508343119616092ca5d72cc0a00
6dfc89ed9572ddeb3b009846a72ab8578769d01c0d62aa9530f4bc49ae263948
221a9b923cac275ce1b16ada5e5cb47dbf02fb5cac64dd97840df11d83d8f760
570bfa3900b18ea911ecc1180aae235ad2860ce85cbca2fd6c2d5a7bffefb591
b4da1ce940d0b9847c2e1f2ecfa5fb1380982ebed139481fd442161053f42bfc
8a306697998409fa03e29aa7553f12f85866cff62a8eca5b5c5855d27b918ae7
f6c55b1fcfdc6b2ab9c67cb5452334755f97454137e7629b16669c3d5db8abc5
b7857b81766521fcc3855422505b738ffec90ef08229ff812fab42e89ad47a96
d2da8a55bd3fec5238f3b2fd45ed3746a628052533e598724901a483b3a04ed5
94d38814810c51ce6c6913a2d68976b53dfbb80d9490ad8fb86a074e5e57217f
Epoch 1 C2s
107.159.94.183:8080
109.104.79.48:8080
109.73.52.242:8080
110.169.107.239:443
115.74.214.134:443
136.49.87.106:80
138.68.139.199:443
139.59.19.157:80
144.76.117.247:8080
154.120.228.126:8080
165.227.213.173:8080
176.58.93.123:8080
181.29.101.13:80
181.44.231.127:443
184.160.113.4:993
185.86.148.222:8080
186.139.160.193:8080
187.189.210.143:80
189.186.116.196:8080
189.205.185.71:465
189.225.119.52:990
190.104.67.90:80
190.117.206.153:443
190.147.116.32:21
190.192.113.159:21
190.40.39.14:8443
190.85.100.102:80
192.155.90.90:7080
192.163.199.254:8080
196.6.112.70:443
197.248.67.226:8080
200.107.105.16:465
200.114.142.40:8080
200.28.131.215:443
201.217.108.155:21
201.218.115.202:443
210.2.86.72:8080
213.172.88.13:80
219.94.254.93:8080
23.254.203.51:8080
43.229.62.186:8080
45.33.35.103:8080
5.9.128.163:8080
51.255.50.164:8080
62.75.143.100:7080
65.49.60.163:443
66.209.69.165:443
67.241.81.253:8443
69.163.33.82:8080
71.11.157.249:80
72.47.248.48:8080
77.44.16.54:465
82.226.163.9:80
88.97.26.73:50000
89.188.124.145:443
89.211.193.18:80
91.205.215.57:7080
92.48.118.27:8080
99.243.127.236:80
Epoch 1 - Spam/Stealer C2s
31.172.86.183:8080
104.236.185.25:8080
50.116.63.9:7080
Current Epoch 1 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
Epoch 2 C2s
119.15.153.237:80
133.242.156.30:7080
136.243.117.85:8080
138.201.140.110:8080
147.135.210.39:8080
162.243.125.212:8080
167.114.210.191:8080
173.255.196.209:8080
173.255.250.241:443
174.93.130.148:8443
175.100.138.82:22
177.242.214.30:80
178.62.37.188:443
178.87.73.140:8090
180.150.87.75:22
181.39.51.243:993
186.4.234.27:443
186.77.56.180:993
187.189.195.208:8443
189.208.59.61:80
189.213.62.223:20
189.223.228.181:443
190.147.53.122:990
201.220.152.101:80
203.194.46.115:80
203.210.237.200:993
208.78.100.202:8080
211.63.71.72:8080
217.13.106.160:7080
37.210.117.44:80
45.123.3.54:443
45.33.49.124:443
45.79.72.132:443
5.230.147.179:8080
50.31.0.160:8080
59.96.96.73:80
60.50.212.17:20
62.75.187.192:8080
64.13.225.150:8080
67.205.149.117:443
69.198.17.7:8080
69.45.19.145:8080
71.78.158.190:80
77.56.253.112:80
78.100.187.118:80
78.169.89.21:80
78.186.5.109:443
83.110.207.126:443
83.222.124.62:8080
85.104.59.244:20
86.151.202.16:8090
86.98.94.57:443
87.106.139.101:8080
87.106.210.123:80
91.92.191.134:8080
94.130.35.140:443
94.76.200.114:8080
95.128.43.213:8080
Epoch 2 - Spam/Stealer C2s
198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080
Current Epoch 2 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
Credits and Notes Section
Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.
What is Epoch 1 and Epoch 2?
What is Epoch 1 and Epoch 2? (updated 03/07/2019)
I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets(MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
time period.
Here are some observations I have noted since I have been watching these botnets:
- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have a different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change very 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Monday's of every week a new set of document download sites and usually templates to accompany them are generated early on
Monday morning/Sunday night.
- Both Epoch's may share a host for binaries or documents but NEVER the same directory. Eg. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys will change every few months so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.
If I think of anything else to add or if anyone else has any suggestions, I will add them here.
Community Lists
https://pastebin.com/qDrFvJuw - @pollo290987
https://otx.alienvault.com/pulse/5cae421d7dfa241f6bceee1a/ - @SecSome
Credits
(OC from @JRoosen and/or combination work of the following)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial
Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman
Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!
Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio and @Virustotal for providing services/software no charge to this cause!
Daily Log 04-09-19
Email Template Report:
I saw only one malspam today from the botnets. It came early this morning and was in German. It was the typical Rech/Bill
template we have been seeing of late. Specifically it was the following short one:
________________
From: "Spoofed Org" <m.yehia@redimpexgroup.com>
To: "Victim" <victim@yourdomain.tld>
Subject: Rech JG-184-B0072 (Spoofed Org)
MIME-Version: 1.0
<html>
<body>
Guten Tag, Victim Full Name
<br>
<br>
<br>
bitte Anhang beachten. Danke. Noch einen sch=C3=B6nen Resttag.=0D
<br>
<br>
<a href=3D"http://dkw-engineering.net/menu_2018/bka5v-wgruy4p-bhkoyq/">http=
://spoofedorg.tld/doc/JG-184-B0072/25369465427_April_10_2019.doc</a>
<br>
<br>
<br>
Mit freundlichen Gr=C3=BC=C3=9Fe<br>
<b>Spoofed Org</b>
</body></html>
__________________
All malspam today was seemingly link based and there was not any attachments reported/seen. @executemalware notes this
as well here: https://twitter.com/executemalware/status/1116162167542308864
Additionally, I have heard that the highly customized templates were being deployed again today but I did not
receive any unfortunately. These seem to be pretty select and low volume.
For the highly customized templates, lets break down what we know so far as a review.
- Emails are sourced from once (or still) compromised users all over the world.
- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
- The injected reply is usually prefaced with "Attached is your confidential docs." so far.
- Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- The link is customized for the display text of the link to show the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous.
So when I said "be prepared for changes", I meant it. We could see the above change quickly.
Link Regex Report:
Regex directory patterns - Still seeing the following.
E1 and E2 - https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
E2 -https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
E1 is still slowly change over to the old favorite of \/([DdeEnN_]{2,5})\/([0-49\-]){6,7}\/ but we had a twist this time.
NEW: The German variants this morning had some additional wording before the date such as:
/vertrauen/2019-04/
/Frage/2019-04/
/vertrauen/201904/
/Nachprufung/2019-04/
/sichern/042019/
/sich/2019-04/
Therefore I upgraded the Regex to:
\/(Frage|Nachprufung|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-49\-]){6,7}\/
You can of course change the group at the end to ([0-9\-]){6,7} if you wanted to keep this in place for May and beyond.
Payloads Report:
E1 had a light amount of payload quintets today with 3. Interestingly they were all delivered by link based malspam.
Stage 1 loaders were all JS files.
In distro, E1 binaries are STILL stuck at the following hash:
3521f9acd6139fb596a07a1292da86eef4ad2c47fca1619903d41bc4fe23e7a7
This must be some sort of a test or giant failure. C2 was delivering new binaries but the same C2s as yesterday. Maybe E1
is becoming the test botnet again?
E2 once again had an excessive 5 payload quintets today. Just like E1, all stage one loaders were .JS files. E2 binaries
are still updating every 5-10 minutes in distro directories.
C2 Report:
C2s did NOT change for E1 and remained at 59 combos in total. - recorded above
C2s DID change for E2 and decreased from 64 to 58 combos in total. - recorded above
Closing:
Today was odd in that all stage 1 docs were plain .JS loaders. This cant be very effective because they are not even
hashbusted. They were obfuscated with various loops though. We will see what Testy Thursday has in store for us
tomorrow.
TT
Sandbox 04/10/19
(all with fakenet and MITM unless spam/secondary infection)
Epoch 1 C2 run on 2019-04-11 at 02:30 UTC - https://cape.contextis.com/analysis/63663/
Epoch 2 C2 run on 2019-04-10 at 02:45 UTC - https://cape.contextis.com/analysis/63667/