Emotet Malware Document links/IOCs for 10/11/19 as of 10/13/19 22:00 BST
Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.
Document Downloader Links
Epoch 1 Document/Downloader links
<none>
Epoch 2 Document/Downloader links
Epoch 3 Document/Downloader links
<none>
Payloads per Epoch by Document
Epoch 1 Payloads by Document SHA256 - All Times UTC
Creation Time 2019:10:11 17:55:00 (Attachment Only - Doc based - Activation Wizard)
SHA256
Creation Time 2019:10:11 12:56:00 (Attachment Only - Doc based - Activation Wizard)
SHA256
Creation Time 2019:10:11 06:39:00 (Attachment Only - Doc based - Office 365 Blue)
SHA256
SHA256s for Epoch 1 Payload EXEs
Epoch 2 Payloads by Document SHA256 - All Times UTC
Creation Time 2019:10:11 20:31:00 (URLs - Doc based - Activation Wizard)
SHA256
Creation Time 2019:10:11 17:58:00 (URLs - Doc based - Activation Wizard)
SHA256
Creation Time 2019:10:11 12:46:00 (URLs - Doc based - Activation Wizard)
SHA256
Creation Time 2019:10:11 10:32:00 (Attachment Only - Doc based - Office 365 Blue)
SHA256
Creation Time 2019:10:11 06:46:00 (URLs - Doc based - Activation Wizard)
SHA256
SHA256s for Epoch 2 Payload EXEs
Epoch 3 Payloads by Document SHA256 - All Times UTC
Creation Time 2019:10:11 22:52:00 (Attachment Only - Doc based - Office 365 Dark Blue)
SHA256
Creation Time 2019:10:11 13:07:00 (Attachment Only - Doc based - Office 365 Blue)
SHA256
Creation Time 2019:10:11 06:28:00 (Attachment Only - Doc based - product Notice)
SHA256
SHA256s for Epoch 3 Payload EXEs
’s Per Epoch
Epoch 1 C2s
Epoch 1 - Spam C2s
37.187.5.82:8080
45.55.82.2:8080
185.94.252.27:8080
Epoch 1 - Stealer C2s
75.127.72.18:8080
190.115.18.139:8080
66.228.32.31:443
Current Epoch 1 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB
Epoch 2 C2s
Epoch 2 - Spam C2s
23.253.207.142:8080
185.187.198.4:8080
46.228.205.245:4143
Epoch 2 - Stealer C2s
Current Epoch 2 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB
Epoch 3 C2s
Epoch 3 - Spam C2s
185.187.198.5:8080
41.185.29.128:8080
Epoch 3 - Stealer C2s
178.32.255.133:443
198.46.150.196:7080
Current Epoch 3 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB
Credits and Notes Section
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch
because they rock and report everything to ISPs as it is confirmed to be malware. Additionally,
this list MAY include doc DL URLs from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
NOTE: The doc DL URLs are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.
What is Epoch 1, Epoch 2 and Epoch 3?
(09/17/19)
With the find of Epoch 3 that split from Epoch 1, this section will be rewritten to reflect these changes in time.
Community Lists/Samples
@paladin316
https://pastebin.com/H6RYGDsz
https://pastebin.com/YCKeT6dj
(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)
Credits
Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:
Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161
C2 info/RSA Keys - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161
Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @TheHack3r4chan, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk, Anonymous :)
Spam Templates - @devnullnoop
Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!
Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog, @KryptosLogic,
@0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software
at no charge to this cause!
Daily Log 10/11/19
@ replaced with * as the URL delimiter in PowerShell today - parsing scripts may need updating
General News
Drops Report
Email Template Report
E1 ModifyDate: 2019:10:11 06:39:00 CreateDate: 2019:10:11 06:39:00 thijsmorlion.com office 365 blue
E2 ModifyDate: 2019:10:11 06:46:00 CreateDate: 2019:10:11 06:46:00 javcastle.com activation wizard
E3 ModifyDate: 2019:10:11 06:28:00 CreateDate: 2019:10:11 06:28:00 homesickpromotions.com product notice
E1
E2 ModifyDate: 2019:10:11 10:32:00 CreateDate: 2019:10:11 10:32:00 sukhumvithomes.com office 365 blue
E3
E1 ModifyDate: 2019:10:11 12:56:00 CreateDate: 2019:10:11 12:56:00 www.mikevirdi.com activation wizard
E2 ModifyDate: 2019:10:11 12:46:00 CreateDate: 2019:10:11 12:46:00 thesilverant.com activation wizard
E3 ModifyDate: 2019:10:11 13:07:00 CreateDate: 2019:10:11 13:07:00 www.bizasiatrading.com office 365 blue
E1 ModifyDate: 2019:10:11 17:55:00 CreateDate: 2019:10:11 17:55:00 colourpolymer.com activation wizard
E2 ModifyDate: 2019:10:11 17:58:00 CreateDate: 2019:10:11 17:58:00 nghekhachsan.com activation wizard
E3
E1
E2 ModifyDate: 2019:10:11 20:31:00 CreateDate: 2019:10:11 20:31:00 xsnonline.us activation wizard
E3 ModifyDate: 2019:10:11 22:52:00 CreateDate: 2019:10:11 22:52:00 quiz.takingfive.com office 365 dark blue
Link Regex Report
(These are experimental, use at your own risk.)
It looks like only E2 is sending links now, and they seem to follow some of the old regex patterns. Here is what works
so far for the list of 330 links above:
https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/ - 182 links or approximately half of total links.
https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{4,30})\/ - 40 links
https?:\/\/.+?\/(administrator|academy|alphabet|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|discuss_lib|direc|Document|DOC|Dok|DOK|esp|FILE|function.cheese|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|popup_index|public|Scan|sites|sitemap|sox62c|test|trademark|themes|uploads|wc-logs|webalizer|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n) - 115 links
18 links via this new experiment:
https?:\/\/.+?\/([0-9a-z\-]{3,11})\/([A-Z0-9]{7,32})\/([A-Za-z]{9,32})\/(\"|\n)
Also keep in mind that your filter needs to look inside PDF files to find the URI to test against the patterns above. Otherwise
this does not help.
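The four patterns above applied to a message body, as an added example that is not part of the original report: it shows that the last two patterns only fire when the URL is still followed by its closing quote or newline, so a filter that strips extracted URLs first will miss them. The rule names, helper functions and sample URLs are assumptions constructed for illustration; the hosts are placeholders, not indicators from this list.

```python
import re

# Patterns copied verbatim from the Link Regex Report; rule names are hypothetical labels.
KNOWN_DIRS = (
    r"administrator|academy|alphabet|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|"
    r"discuss_lib|direc|Document|DOC|Dok|DOK|esp|FILE|function.cheese|homepage|images|"
    r"INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|popup_index|"
    r"public|Scan|sites|sitemap|sox62c|test|trademark|themes|uploads|wc-logs|"
    r"webalizer|wordpress|WP2|wp-admin|wp-content|wp-includes"
)
RULES = {
    "id_token": re.compile(
        r'https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/'),
    "doc_keyword": re.compile(
        r'https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{4,30})\/'),
    "known_dir": re.compile(
        r'https?:\/\/.+?\/(' + KNOWN_DIRS + r')\/([A-Za-z0-9]{7,32})\/(\"|\n)'),
    "three_segment": re.compile(
        r'https?:\/\/.+?\/([0-9a-z\-]{3,11})\/([A-Z0-9]{7,32})\/([A-Za-z]{9,32})\/(\"|\n)'),
}

def matching_rules(text):
    """Names of the rules that fire on text, in report order."""
    return [name for name, rx in RULES.items() if rx.search(text)]

def scan(body):
    """Count hits per rule, keeping each line's terminator for the last two rules."""
    counts = {name: 0 for name in RULES}
    for line in body.splitlines(keepends=True):
        for name in matching_rules(line):
            counts[name] += 1
    return counts

# Constructed sample links on placeholder hosts (not indicators from this list).
URL_ID = "http://site-a.example/wp-content/lm/abcd1234efgh_k9x2q-123456789012/"
URL_DOC = "http://site-b.example/8192/Scan/AbCdEf123456/"
URL_DIR = "http://site-c.example/wp-includes/QwErTyUiOpAsDf/"
URL_SEG = "http://site-d.example/wp-content/ABCDEF7GH/abcdefGHIJKLmn/"
URL_BENIGN = "https://www.example.org/blog/2019/10/release-notes/"
SAMPLE_BODY = "\n".join([
    URL_ID, URL_DOC, f'<a href="{URL_DIR}">invoice</a>', URL_SEG, URL_BENIGN]) + "\n"

if __name__ == "__main__":
    print(scan(SAMPLE_BODY))
    # A URL stripped of its trailing quote/newline no longer matches the last two rules.
    print(matching_rules(URL_DIR), matching_rules(URL_DIR + "\n"))
```

Because the second and third patterns share keywords such as Scan, one link can be counted under both, so per-rule counts can sum to more than the number of links.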
Payloads Report
C2 Report
E1 85
E2 87
E3 35
Closing
TT
Sandbox 10/11/19
E1
https://capesandbox.com/analysis/2844/
E2
https://capesandbox.com/analysis/2843/
E3
https://capesandbox.com/analysis/2840/