Daily Emotet IoCs and Notes for 03/20/19

Emotet Malware Document links/IOCs for 03/20/19 as of 03/20/19 23:30 EDT

Notes and Credits now at the bottom Follow us on twitter @cryptolaemus1 for more updates.


http://0dzs.comicfishing.com/wp-content/trust.myacc.resourses.com/
http://2013.kaunasphoto.com/wp-content/verif.accounts.docs.com/
http://247everydaysport.com/oslh4nf/trust.myacc.docs.net/
http://agencjat3.pl/js/sendincverif/legal/secure/en_EN/201903/
http://agtrade.hu/images/sendincverif/service/question/en_EN/03-2019/
http://ajmcarter.com/cp/sendincsecure/service/question/EN/03-2019/
http://alarmline.com.br/artluz/produtos/sendincsec/support/sec/EN_en/03-2019/
http://albayrakyalcin.com/wp-admin/secure.myacc.send.net/
http://alistairmccoy.co.uk/hxoMK-0UaFgeRod5GKKy_SDuySbTe-Ars/sendincsecure/support/sec/EN_en/201903/
http://altarfx.com/wordpress/sendinc/support/question/EN_en/201903/
http://annemeissner.com/wp-includes/sendincsec/support/secure/En/2019-03/
http://audiogeer.com/wp-content/sendinc/messages/secure/en_EN/032019/
http://baunbjerg.eu/sendincsecure/legal/ios/EN/201903/
http://berith.nl/wp-content/sendincencrypt/support/verif/EN/201903/
http://bizsuplaza.hu/wp-content/sendincencrypt/service/sec/EN_en/201903/
http://biztechmgt.com/mailer/sendincverif/support/sec/En_en/032019/
http://blessedproductions.com.au/cgi-bin/sendincencrypt/messages/sec/EN_en/2019-03/
http://bobvr.com/sendinc/legal/sec/EN_en/201903/
http://bonsaver.com.br/sendinc/legal/trust/En_en/032019/
http://bragarover.com.br/ww4w/sendincsec/service/secure/EN/2019-03/
http://brianmpaul.com/blog/sendincencrypt/legal/trust/En/032019/
http://brigma.com/WP-ADMIN/SENDINCSEC/SERVICE/VERIF/EN/03-2019/
http://caninetherapycentre.co.uk/images/sendinc/legal/question/en_EN/032019/
http://catamountcenter.org/cgi-bin/sendincsec/service/Nachprufung/de_DE/201903/
http://coozca.com.ve/templates/sendincverif/messages/ios/En_en/201903/
http://crearquitectos.es/templates/sendincsec/support/ios/EN/2019-03/
http://davidgriffin.io/ytpawk3j4/verif.accs.send.biz/
http://dealerhondaterbaik.com/wp-content/secure.accs.resourses.com/
http://dealsammler.de/wp-admin/sendincsecure/legal/verif/EN_en/032019/
http://deemeraldpartners.com/css/sendincencrypt/messages/question/EN/03-2019/
http://devine-nobleblog.com/wp-includes/trust.myacc.docs.biz/
http://dfsk-indonesia.com/wp-content/verif.accs.send.net/
http://discoverthat.com.au/wp-admin/trust.accs.docs.com/
http://dlink.info/wp-admin/sendincsec/messages/sec/En_en/2019-03/
http://dradaeze.com/wp-content/secure.myacc.send.net/
http://drapriscilamatsuoka.com.br/wp-content/sendincencrypt/support/ios/En_en/03-2019/
http://drapriscilamatsuoka.com.br/wp-content/sendincsec/service/secure/en_EN/03-2019/
http://drbalaji.org/cgi-bin/trust.accounts.docs.com/
http://dreamsmattress.in/wp-admin/sendincsecure/legal/question/EN/03-2019/
http://drmosesmdconsultingclinic.com/wp-content/sendincsec/legal/question/en_EN/2019-03/
http://dropnshop.co.id/css/verif.accs.send.biz/
http://drszamitogep.hu/_BACKUP-20190208-HACKED/secure.myaccount.resourses.com/
http://easport.info/wp-admin/sendincverif/messages/ios/en_EN/201903/
http://edermatic.com.br/wp-admin/sendincencrypt/support/sec/En/03-2019/
http://fk.unud.ac.id/wp-includes/sendinc/service/trust/EN/032019/
http://gamarepro.com/plugins/sendincencrypt/support/secure/en_EN/03-2019/
http://geoclimachillers.com/wp-includes/sendincverif/legal/verif/EN/03-2019/
http://georgekiser.com/test/secure.myacc.docs.com/
http://holon.co.il/wp-content/sendinc/messages/verif/EN_en/201903/
http://humanventures.in/aryasamajandheri.humanventures.in/sendincencrypt/support/question/En_en/032019/
http://icei.pucminas.br/templates/sendincencrypt/service/verif/En/03-2019/
http://idrmaduherbal.com/cgi-bin/sendincverif/service/secure/en_EN/03-2019/
http://jofox.nl/stream/sendinc/service/question/En_en/032019/
http://kakoon.co.il/cgi-bin/sendincsec/service/secure/EN_en/03-2019/
http://kamir.es/controllers/trust.myaccount.docs.net/
http://kanittha.rpu.ac.th/wp-content/uploads/2016/sec.myaccount.docs.com/
http://katebeefoundation.org.ng/cgi-bin/sendincencrypt/support/verif/En/201903/
http://kianse.ir/svsvbk/sendincencrypt/legal/sec/en_EN/032019/
http://kursiuklinika.lt/language/sendinc/legal/sec/EN/03-2019/
http://lamdepvungkinphunu.vn/bk_/sendincverif/support/secure/En_en/03-2019/
http://mangaml.com/jdownloader/scripts/pyload_stop/trust.myaccount.resourses.net/
http://manorviews.co.nz/cgi-bin/trust.myaccount.send.biz/
http://minburiprison.com/includes/sendincverif/support/ios/en_EN/2019-03/
http://navigatingthroughquicksand.com/wp-content/sendincencrypt/support/secure/EN/201903/
http://newpioneerschool.com/wp-admin/sendincencrypt/service/question/En/032019/
http://noithathofaco.net/wp-content/sendincverif/service/ios/En_en/2019-03/
http://noithattunglam.com/wp-admin/sec.myaccount.send.biz/
http://nortemecanica.es/language/secure.myaccount.send.com/
http://obraauxiliadora.com.br/wp-admin/sendincsec/messages/trust/En_en/03-2019/
http://ocean-web.biz/pana/trust.myacc.docs.net/
http://odnowa.biz/symvhosts/sendincverif/service/question/En/032019/
http://oltelectrics.com/wp-content/sec.accounts.send.biz/
http://opark.in/wp-includes/sendincverif/support/secure/En/2019-03/
http://orawskiewyrko.pl/wp-includes/verif.accs.docs.com/
http://orex-group.net/wp-snapshots/sendincencrypt/messages/question/EN_en/032019/
http://osttirol.news/tmp/sendincsec/messages/verif/En_en/2019-03/
http://ovationcomm.com/cgi-bin/sec.myacc.send.com/
http://paparatzi.co.il/wp-admin/sendincencrypt/support/question/en_EN/2019-03/
http://parbio.es/wp-content/sec.myaccount.send.com/
http://peerbie.com/wp-content/uploads/sendincsec/messages/sec/EN/032019/
http://pemerintahan.blitarkab.go.id/wp-admin/sendincencrypt/messages/trust/En/2019-03/
http://pkb.net.my/images/sendincsecure/messages/question/EN_en/201903/
http://polymembrane.ir/bCDYb/trust.myaccount.send.net/
http://profilegeomatics.ca/rvsincludefile/secure.myacc.resourses.net/
http://projectwatch.ie/mychat/sec.myacc.send.biz/
http://property-in-vietnam.com/cgi-bin/sendincsec/legal/secure/en_EN/201903/
http://readnow.ml/wp-includes/sendincverif/support/secure/EN_en/03-2019/
http://restaurantequeleche.com/wp-includes/rest-api/sendincencrypt/legal/secure/EN/03-2019/
http://restaurantequeleche.com/wp-includes/sendinc/legal/verif/EN_en/2019-03/
http://riccocard.com/test/trust.myaccount.send.net/
http://richardhsi.com/wp/sendincsec/service/trust/EN_en/032019/
http://saobacviet.net/administrator/sendincverif/service/ios/En_en/201903/
http://shagua.name/fonts/sendincsecure/legal/verif/EN_en/032019/
http://smart-tech.pt/wordpress/sendincverif/messages/ios/EN/032019/
http://softzone.ro/newfolde_r/sendincsecure/support/question/en_EN/2019-03/
http://songlinhtran.vn/OosCQKy7/sendincencrypt/service/question/EN_en/03-2019/
http://styllaz.com/wp-content/themes/zaradise/sendincverif/messages/secure/en_EN/03-2019/
http://swiat-ksiegowosci.pl/attachments/sendincencrypt/service/trust/en_EN/032019/
http://swiat-ksiegowosci.pl/attachments/sendincsecure/legal/trust/EN/2019-03/
http://theheartofmilton.com/test/sendinc/support/trust/En/201903/
http://todomuta.com/wp-content/sendincsecure/support/question/En_en/032019/
http://toolbeltonline.com/wp-content/uploads/sendincverif/legal/trust/en_EN/2019-03/
http://trackfinderpestcontrol.co.uk/wp-includes/sendincencrypt/support/verif/en_EN/032019/
http://tsk-winery.com/wp-includes/sendincsecure/support/verif/en_EN/2019-03/
http://urbaniak.waw.pl/wp-includes/sendincsecure/legal/secure/En_en/2019-03/
http://villasmauritius.co.uk/wp-includes/sendincsecure/support/sec/EN_en/2019-03/
http://vivavolei.cbv.com.br/templates/sendincsecure/messages/question/EN_en/03-2019/
http://wajeehshafiq.com/cgi-bin/sendincencrypt/legal/verif/EN_en/2019-03/
http://walidsweid.com/idrm2rn/sendincsecure/messages/ios/EN/03-2019/
http://webtvset.com/Connections/sendinc/support/ios/En_en/2019-03/
http://wip-company.pl/nazhgmy/sendincsecure/service/question/En_en/2019-03/
http://workforcesolutions.org.uk/wp/sendincsec/legal/sec/en_EN/03-2019/
http://www.3djqw.com/wp-admin/sendincsec/support/ios/En/03-2019/
http://www.5ibet365.com/wp-admin/sendincsec/legal/sec/En/201903/
http://www.68h7.com/wp-admin/sendincencrypt/messages/sec/en_EN/201903/
http://www.agence-sc-immo.ch/wp-includes/sendincsec/service/trust/En_en/03-2019/
http://www.belpom.be/de/sendincsec/support/trust/En_en/032019/
http://www.linvesto.at/stats/sendincsecure/support/verif/en_EN/03-2019/
http://www.nbn-nrc.org/wp-content/sendincsec/support/secure/en_EN/201903/
http://www.nbn-nrc.org/wp-content/sendincverif/legal/secure/EN/032019/
http://xsoft.tomsk.ru/kdlkxl/verif.accounts.resourses.net/
http://yelarsan.es/wp-content/uploads/sendinc/messages/ios/En/03-2019/
http://yos.inonu.edu.tr/wp-content/uploads/sendinc/service/sec/en_EN/032019/
https://daodivine.com/wp-content/sec.accounts.send.biz/
https://desainrumahterbaik.co/wp-includes/sec.myaccount.docs.com/
https://dradaeze.com/wp-content/secure.myacc.send.net/
https://euforikoi.xyz/application/sendincverif/messages/question/en_EN/03-2019/
https://fk.unud.ac.id/wp-includes/sendinc/service/trust/EN/032019/
https://frame25-dev.co.uk/wp-includes/sendincsecure/service/verif/EN/201903/
https://frame25-dev.co.uk:443/wp-includes/sendincsecure/service/verif/EN/201903/
https://gadgetglob.com/wp-content/verif.accs.docs.net/
https://inovatips.com/9yorcan/sendincverif/legal/question/EN_en/201903/
https://kebulak.com/puppies/sendincverif/legal/ios/EN/2019-03/
https://kickykart.com/wp-content/sendincsecure/service/verif/EN_en/201903/
https://modps11.lib.kmutt.ac.th/wp-includes/sendinc/service/trust/En_en/03-2019/
https://nabliexpertises.com/wp-admin/sendincverif/messages/ios/en_EN/2019-03/
https://newsonline.news/wwpp55/sendinc/service/question/En_en/201903/
https://nextmobifone.com/wp-admin/sendincencrypt/support/verif/EN_en/201903/
https://nguyendai.net/wp-admin/sendinc/messages/secure/En/03-2019/
https://obmenbtc.ru/vlfr4et/sendincverif/legal/verif/EN_en/03-2019/
https://ogricc.com/wp-content/sendinc/messages/sec/En/032019/
https://utit.vn/wp-includes/sendinc/support/verif/En_en/032019/
https://www.drapriscilamatsuoka.com.br/wp-content/sendincencrypt/support/ios/En_en/03-2019/
https://www.drapriscilamatsuoka.com.br/wp-content/sendincsec/service/secure/en_EN/03-2019/
https://www.netimoveis.me/wp-content/sendincverif/service/secure/EN_en/032019/
https://wzydw.com/wp-content/uploads/sendinc/service/ios/EN_en/03-2019/


http://0dzs.comicfishing.com/wp-content/v41s-2a0k63-neor/
http://108studija.lt/wp-includes/86re-7cfvn-jtjidycsf/
http://118.89.215.166/wp-includes/gjl30-f1n797-kfhmo/
http://140.143.224.37/fb5sreu/456sj-jp7hi-cqman/
http://1lorawicz.pl/language/jjd5-ovwtk-ocprjheut/
http://aartista.com.br/UploadedImages/ay7a-sxa5x9-udofdo/
http://allthegoodparts.com/wp-includes/llprm-tfsir2-hegod/
http://alpinaemlak.com/wp-contents/gr6o-5u5u6r-xiledpx/
http://ammitz.dk/includes/vx9m-4jmne-ancrptbp/
http://applianceworld.co.ug/cgi-bin/959i-gg1hpx-xaiyedlo/
http://ashwinbihari.nl/hctn-f3qx2z-kckrh/
http://aspiringfilms.com/cgi-bin/pj3d-8ueb4-rtskhpk/
http://ayodhyatrade.com/ww4w/f87a-yq0j7-symyj/
http://beeonline.cz/chameleondesign/yh6j-j04xx-eqlvlwb/
http://bergdale.co.za/wp-includes/tc9c4-d1wzjl-dtycg/
http://bike-nomad.com/oldpages/ildl-11j766-lcbuaku/
http://bloodybits.com/edwinjefferson.com/lpjyl-sku17s-qzixznv/
http://booyamedia.com/img/6ryj0-228qcm-bgyca/
http://brightbulbideas.com/agouracycles/qmdc-94hfd8-mivsivc/
http://bryanlowe.co.nz/blog/c0ml-5h48v-rkgf/
http://caixasacusticasparizotto.com.br/bZWfQ-UPKL2fuL4TPLPdU_dkOEUiOmm-JOK/jsa96-rstz3r-hjavlajd/
http://catamountcenter.org/cgi-bin/d6ze-u863z7-zorb/
http://chekil.com/video/m7wdk-cz15yq-kutt/
http://crabnet.com/ADMIN/KW6P-GD8FH-IPTRJXFLX/
http://crabnet.com/admin/kw6p-gd8fh-iptrjxflx/
http://crabnet.com/ADMIN/KW6P-GD8FH-IPTRJXFLX/
http://crashingdeep.com/wp-includes/98i9-39k094-sdtmsy/
http://ctm-catalogo.it/cgi-bin/0nt11-gs6gy5-hrogcd/
http://daarchoob.com/sp95nmm/uq4w-7q7gd-cmwtqog/
http://dagda.es/cache/mz8h-452zw-gdfiu/
http://darupoles.com/wp-content/igbdg-csf76-bmmp/
http://darupoles.com/wp-content/t5d5-rhgwsk-xxvdrtwcf/
http://databacknow.com/logos/ga60-a71v36-hkjcg/
http://dautunuocngoai.com.vn/wp-admin/b1zy-j4vhf3-nnawmt/
http://dda.co.ir/wp-snapshots/f5bm-kk0si7-gwuhod/
http://demo.automationbootcamp.ro/cgi-bin/t5w28-omcgtb-vybeulyjy/
http://devonrails.com/test/ov0r-timn0h-oxpwa/
http://diaocngaynay.vn/diaocngaynay/z3uw-i3jdg-rjwlqhlbd/
http://digitalcore.lt/wp-admin/ew89-9yb52-bpvjpqgrc/
http://digitalisasiperusahaan.com/wp-admin/f914-x5j0d-najxa/
http://diskonterbaiksuzuki.com/wp-content/3cg1-d18xf6-rvxbij/
http://docteursly.com/css/37wyh-y03yu-bgkykueew/
http://dqbdesign.com/wp-admin/i626-3orql-smhctua/
http://drabeys.com/wp-includes/tyi2u-7wf0p-folimmy/
http://drcheena.in/wp-includes/1t8xr-csl7q-shakoxnoa/
http://drmarins.com/wp-includes/kp12-ahzhz-kkqkvk/
http://drpradeepupadhayaya.com.np/osticket/wwuv-brfcos-cupo/
http://dtk-ad.co.th/css/099p-mjwvp-agjl/
http://duca-cameroun.org/wp-includes/6c8q-zphfy-vmntexpe/
http://edtech.iae.edu.vn/wp-includes/xzjx9-n9y4e6-vjmnnaoiy/
http://edwinjefferson.com/lpjyl-sku17s-qzixznv/
http://egywebtest.ml/wp-admin/cuoq-ft4jz-slcpebrl/
http://emseenerji.com/wp-content/u4l5-1rgld2-kjla/
http://erasystems.ro/_vti_cnf/ehdf-vq9he-lbvc/
http://firstmnd.com/wp/wp-content/r9ach-n2ju9-ofow/
http://fondtomafound.org/wvvw/0h1v-ca0kt-bepldva/
http://gamarepro.com/plugins/qntqw-q4d0zw-sfrpucuyv/
http://gisec.com.mx/expertos/eb4a-nv14v4-tkcfhs/
http://gkpaarl.org.za/language/e6xd-efwdg-viuslwndw/
http://grupomma.com.br/divina/bc0eq-xg4qxy-czuoz/
http://grupoweb.cl/wp-admin/q27yq-sbnpw5-kbwxpdd/
http://haru1ban.net/files/wsfh-qoq5j-nusyjkzcd/
http://healthwiseonline.com.au/wp-admin/m63bo-o72ir-pzahllu/
http://horseshows.io/c2nkrlt/4owi2-50xzx-xqrkwfuv/
http://impro.in/components/uks1-ggp59-turwy/
http://indirimpazarim.com/cgi-bin/2f74o-k87j6-jalrveifr/
http://infogenic.com.ng/libraries/d59lw-z00q2-qvmrrs/
http://instituthypnos.com/1sxuh6w/op1y4-slv5q-kohkbm/
http://inventosinventores.com/mwlipshpgr/z52y-55ugbq-hewxw/
http://jargongeneration.com/Gambia/x9cbu-7nqlz-btiwr/
http://jslink.com.vn/wp-admin/vj9g9-bw2f7-ukwhjua/
http://junkmover.ca/wp-includes/85k4w-f7zaw-bbkorlb/
http://kannada.awgp.org/wp-content/uploads/ua6y-fmsdvi-stweysjt/
http://klasisgk.or.id/fonts/2dp4r-dzxkkm-znlolnh/
http://larissapharma.com/fobn/z5y5-9i0nb-rtvsahdi/
http://lastmilecdn.net/wp-includes/ejsoe-6evajr-kfdv/
http://makrohayat.com/wp-admin/ereu7-girqhr-gsubi/
http://makson.co.in/Admin/8z8v-iqdsv1-jlzcpoks/
http://marcojan.nl/webshop/reeoe-wq0nj-jptm/
http://mcbeth.com.au/nick.mcbeth.com.au/uqgw-sbacnv-sayidi/
http://medical.moallem.sch.ir/administrator/o204-n7eorc-cdwyqkr/
http://mejpy.com/wp/mgpmm-f9ngh-rchddekjg/
http://monkeyspawcreative.com/wp-content/r1vr-uruugi-fcoiic/
http://muacangua.com/wp-admin/rkvh0-pktyo9-ecxlbnq/
http://multiesfera.com/wp-content/xzbmz-4d1cqa-fggqdhv/
http://myphamsachnhatban.vn/wp-snapshots/kgp8-nu0lx-wkxhupq/
http://naps.com.mk/wp-content/4ng15-8tleks-ecgqskeco/
http://ncledu.org/cgi-bin/wdrb-3hpflm-ydohkfhv/
http://newbizop.net/assets/tfxd-99vh5a-wvxk/
http://ngan.cc/wp-includes/r3fv-coivjt-qtldpn/
http://nganstore.net/wp-admin/l2dk-9tc5e-gapyok/
http://nhadephungyen.com/wp-includes/nkngr-0ugbb3-dkkeugytl/
http://nk.dk/arcade/o1tou-na5b3-brmzsfve/
http://nk.dk/arcade/onoro-5hk1k-tcwrkh/
http://novkolodec.ru/wp-admin/48sha-0r6e8q-uueylbr/
http://nsbadfair.com/wp-admin/vsca-qvd8l-jmzfz/
http://nuochoacharme.xyz/wp-includes/z4we-ijqtar-wzjtsbt/
http://nutraceuticalbusinessleaders.com/wp-includes/uktjj-h50a6-fzdntjb/
http://obasalon.com/wp-includes/4209-zxxplx-zjqjx/
http://offertodeals.com/wp-admin/02sk-7ih49g-jnsawd/
http://onmus.com.tr/wp-admin/cv0bk-ijpt7-fyqstugr/
http://ooshdesign.com/cgi-bin/0eh8p-keuu8-mweet/
http://opticaduran.com/wp-admin/s2nc-3agq9-nsefk/
http://oraio.com.py/oraio/awgg-zucgud-thuhf/
http://otacilio.online/cgi-bin/vz02u-l1uwui-gkkn/
http://outstandingessay.com/wp-includes/uljew-hren5l-fonjegq/
http://overnightfilmfestival.com/Project/cmcc-v2r2q-lmgfrjuv/
http://oyunrengi.com/maps1311/872cc-4laag-gedlzioj/
http://package7.com/backup/xs7p-qo6pee-irumzgfuk/
http://paixaopelovinho.pt/wp-admin/8h6r-1xrht-jwmebukol/
http://papaya.ne.jp/tools/3xb98-sxff7y-hmupb/
http://pardismobl.com/wp-includes/dp6ap-5ky313-vydrtouze/
http://parsat.org/wp-snapshots/79va-1h1qqj-aqidxv/
http://pathwaymbs.com/wp-includes/rqke-bcm48j-jrfjjxwg/
http://pelatihbisnisku.com/toolsfb/gkkb0-rvfy7c-dlrk/
http://penktadienioistorijos.lt/wp-admin/litho-xkw18m-iontexfo/
http://perfume.pk/wp-admin/0gza-9bb9b-zgfrm/
http://piccologarzia.it/admin/3wap3-dlp5j3-qiyog/
http://piperpost.com/default_page_static_resources/zipd-2r2bb-mbefn/
http://plugnstage.com/logo/m63st-ivk7l-tpdt/
http://profitorg.kz/index.files_/4i0ne-6b4my-zkyiy/
http://sag.ceo/wp-content/ruhkq-hr2ie-vjktnqnm/
http://smartjusticeaz.org/wp-content/thr3-r4ehh-doqhrfvcr/
http://sosyalfor.xyz/templates/d1y0f-0kxye-nrdsbmin/
http://teledt.no/mb/k9uo-xvd3ja-osst/
http://tom11.com/blog_images/cawi-e7c9fr-nvmvy/
http://tr.capers.co/xjoma8v/076l-4cctr-pnkr/
http://trusticar.lt/cgi-bin/03w3u-b4efn-slsigi/
http://ultraluxusferien.com/cgi-bin/uenjl-mn88tc-zsmdkkb/
http://vadicati.com/administrator/mvjej-7y1k8-oxsrjipq/
http://vicentinos.com.br/wp-content/rg61-xdpgy-kircdwlkz/
http://wasfa.co/frtz3o0/gqvk-0xikx-qlabvoay/
http://waterway.hu/ip_uvaterv/dw64-btly8z-hlgqo/
http://webzine.jejuhub.org/wp-content/uploads/967y-k6ypva-qnijwnwee/
http://www.flux.com.uy/fw2xzy5/45gkm-2rmo4d-xpxbkxilt/
http://www.i3program.org/wp-content/uploads/uiof-schgq0-nnfxzbbrc/
http://www.imageia.co.il/wp-admin/gqedx-tync4-sasjdosuw/
http://www.monfoodland.mn/wp-admin/9ikeg-bj0c0b-mnpn/
http://www.olney-headwear.co.uk/deleteme/css/tcvye-lmkm8-fgoykouex/
http://www.oprecht-advies.nl/wp-admin/ye6r-0cxl17-bzwsib/
https://abi.com.vn/BaoMat/pbqpq-8un6md-ijxkg/
https://catba.goodtour.vn/wp-content/plugins/adventure-tours-data-types/assets/fonts/km9w-8du4a-kzufkaxig/
https://dap-udea.co/wp-content/xr3i4-638ij-sybf/
https://datagambar.club/xerox/shosy-d00dsx-ywhq/
https://design.arst.jp/wp-includes/di6ib-ehgyh-whwypogz/
https://dialogues.com.br/p/13q2-ytu3mr-sodvy/
https://drcheena.in/wp-includes/1t8xr-csl7q-shakoxnoa/
https://egywebtest.ml/wp-admin/cuoq-ft4jz-slcpebrl/
https://etprimewomenawards.com/apply2/uploads/iv1y-2j1foq-iqco/
https://euforikoi.xyz/application/2s2ar-n42xb-dblv/
https://fbufz.xyz/h63vb-m2mtnp-icvf/
https://fxqrg.xyz/ngrod-4m9jvz-zyiqvzfm/
https://horseshows.io/c2nkrlt/4owi2-50xzx-xqrkwfuv/
https://ilimler.net/wp-word/ke3u7-surgyx-xmbtsz/
https://kanttum.com.br/blog/wp-content/uploads/dm77n-vds66-eilctsmmy/
https://ksoncrossfit.com/rylawpc/1ns6j-dptojz-qetg/
https://myphamthienthao.com/wp-admin/krdwj-18w5al-psxyaiis/
https://obasalon.com/wp-includes/4209-zxxplx-zjqjx/
https://paygo.mobi/wp-content/kwup9-buqbo-jdryczgo/
https://qualityansweringservice.com/icon/loxo-yecsgh-rdcvwmcz/
https://smartjusticeaz.org/wp-content/thr3-r4ehh-doqhrfvcr/
https://taynguyen.dulichvietnam.com.vn/wp-includes/Requests/Cookie/sudden.conf/guio-gxwfvo-hsatdk/
https://trainingcleaningservice.com/wp-includes/lmcv-a69my-yfztdpzed/
https://vrfantasy.gallery/wp-admin/n69hj-be9cd8-veyfywvy/
https://whitedownmusic.co.uk/Choral/u73l3-xaa64-rzoqy/
https://www.hk026.com/2zsjmbk/49r6e-90ofc-uytr/
https://www.imageia.co.il/wp-admin/ezbmy-03gnsb-xkvgw/
https://www.imageia.co.il/wp-admin/gqedx-tync4-sasjdosuw/
https://www.ninepoweraudio.com/wordpress/qev38-i8pzj5-gskmlzrs/
https://www.udhaiyamdhall.com/images/m43kn-63ojv-rclno/
https://zizerserdorfzitig.ch/wp-content/3f03-z1jbw-yvdzk/

Epoch 1 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-03-20 20:39:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
bdddafc5973928c836a9852aece14d6bb964f2ea2efe081b712316cad5e671a8
5b68eb13ce948f60f9d69f1e3fc59fe605b5e1fe245b2b7b7aad6d6ea692ef7c
174c3d1b5a8089ed921615ea38d3deb3e6b813f33788c827ab34bf0eb4056930
40540b899ea9da4ee11e676144ab896b5c2adf20a09162698765d47957d855a6
528fd71edb5b9efaaed661460c41d3111f1d0dd1872bdbf0373b507bc226580c
267826ac04137f210384367be4b6ea142ba0185b683ad84a9d186513390a7538
9658f51e9d5e635f2c63bab6e921b8c9618a8968211c07de8c4a528348c8ab18
000572ab508b4f249baf9d61ddf9b0c4e7647c1c4020cd648cba2c5d2f76b17d
e4bff4bbb9fb76c8194193e547a34348b6e5a75acb5a256d48212452745015f9
05035473c76177c40655a2f92c60db2abf8b1d7082752403920f34ef6db01c85
e3dd484c69bc77f414eff09233f6d6e2ed5bdc126890d7d90c9013dc228700ca
59af57d924f416aedf2efd6c63fb8c1edd86121f8b4f49b2ed01b65596398b80
7ea8e96dd42f3ab21dc1684e3491a11914b3b6a31ca6455a955dbab75113d55e
e6754e01cf3d08da3c00f171ad4249d5ee466fbbb17b4bb9e2320825f9bdb616
9eacb6941cc93edb829970e287911e2c3712f8b8742b71511154f6d1c005ca3c
9d97d76a54c178b9dfb6571da887fe4b9ad3e31ca217b494586e7964859df2f3
d7712ea034bf82a73560940b079315a81068880c6d243ecf7143d2e37e3313b0
40ad6dd480ce7bc3522e597f87b4a7e4a636d1c3945ca24647682b7bac0b1036
0398420338db5ef54a2e66ab4a3e6c01b499d0f6b75b32270cf66a25151ecd70
33eddc8790a1637424ca3d4dec33077a5960dbdb153556b48b1cf6c0b4dad4aa
d8b58f7a0298951ea482b26a302054ccd85179b3f34c3023f6481780dbb70295
921f5a1a39d2b7fdd024f3197a9a55d9e9e3fa63f67f616608252f3aa4a69576
19ad94fb62a599abf26c7e55b6fb436d878ef2af4cf50e6ae153138b6fac9787
3287ee100e99ef8b15e0a67c982e7ce360bd8ae8061d7a490a4000a0ef42a07e
8624d0ece64e6d8cac05c53040fe6cbe0f4ab065e5bd968f5f3dedebc9c47dd7
104f0aa2d3eb6f771e37a72f9b37dfd17852757380347a11b1b8e0b10ed9ed09
a0bc34e508afc669bd06d3e41cc752b95a15dfa08237f29834d341bee4da3284
f49c8b53816830395557fd755939d18e9f5015f38909c19458a107456faf741d
0e77a3179a5714febef6ca5fbfbcd5fb14efabe0d07cf58680716f80880129fc

http://darkestalleys.com/wp-includes/rK7SE/
http://pennasliotar.com/wp-content/oxVhf/
http://pennasports.com/wp-content/iaqYU/
http://nepalimixnews.com/wp-admin/2QwjJ/
http://filterbling.com/html/QErq/

Creation Time	2019-03-20 14:29:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
21fc4c5b3226b16a6425deab348b0623a3b5855f8ee26d57b5c49b4c4376849d
3668bfb6b2cef27bb1393313f0b7d994b9c725e232365e771db448f31cdd50ab
4463b31a5772fc00b5e2b21f0c123530e062e302b4b8e4b28c5ffa7654a30cae
aec3f11e1affd92b75fccdd44c94090b2371ef008734fb9e43e6bd9e14f3b508
4d6b81387e42eb0d5903753e10512afd69925b0ce308fe663e83bf56c3f4d902
5e44d0ee1861ba545f4b87f6cd2d86bee3d1e004555d48772200a9e87cf9605e
7a257d8119cedacddb7250b9db2357b498b636dcbd37ef5c6a6e108025f75dc0
31e5e467445f11ff86604f37613a315231136d368bba9ea13197280add00b312
bfe8c8766345bc2ced3613f7cb71c3729579a89609ccbd9ae84dfd4f2a80834b
5c8275f4243a20a0acc5fd2e9420e8b7c072d976b4ce05bfb781cfa1c54f479a
7afab0c0dc0d10d7491402f37331eb5de62de3af2e4478367ae0824306388f15
e3b5061e583ce1c4725a0dfb41febce8594a2fb6aa7e1fca79ae05f8aab9ac8c
241f66884cfb79000e8f536627d9fde8b8bb5b91e507c77ec5bb773cd6a67739
6d61d369b73ce350475dd0c41022abf63163c64df6a6c180600f265601a9e9af
ed6720cffbfe55afc6a2861cd9e3e0ea9733088c0b770b6a67357396c7020eb4
0f2597c1ba25a86558aade0e28440a55eaf86975b0587cbf50dcd4f004cdd1f4
6956730252d855f0945cee990721c899c06b899050e19cc3c947a1a2286da94c
971987de46fc8caed50fe33f7613b6a533d87d0f5b439965ceffb4bd067cafe1
1ea5b476b2a163bcd9bf5e46f495b519998526f2d8e440da9b2db62593418576
101e55406127b0e69f0d9ad4c2ea9ec24345e1b77d082c310dedc47310d899cc
7e1090abdd85ee72197c0a90fdd04750ddbf8470bdf480e065cec1105f36515f
851f2122014152ac8418cdecc4ca626a0e371d2d85e54ad061f9fc34d3dfe15a
0413eb4532ffe46484928070ed18ab03e9e86824a89f689116e0c60b9c0a25d1
2846d2e2986dd4f1c46df8d755ff73ac23bdacd6cbda2cda34ed57f2954cda75
2846d2e2986dd4f1c46df8d755ff73ac23bdacd6cbda2cda34ed57f2954cda75
f4a6981f94d0bfe1b0557f534152eac561fd028bb92c1e15ac1e9c155e8058db
27eac8263da494186442a5009f0cc2f03771aee22ee51bf5bc34fb3e249fe287
a6bdd0297c81d006346878a0d05eea9d9023f228d9ada1fc87933f76dc761293
17ecfcfe2a475313689aafeea0dee18140aa8ccf2280f06a3dd04c8acc0f00c0
53c37317ccc33e5ab883c4b115f3852e5f02b81f68e12b88e793b08cad3e62d8
d704fe637cfd1432da3a16d275a47ada7a3968439429f8fe622b0fb73bcd4a49
4f29722ac6675942fde4080c16eacd80cb7793e24fa0ddbca6c22f628dc906b4
34ddb84de696b5a8a8cf0423c5b3fb9dfddf608f218095f7e39e97d9eefc9c51
acbfe69d0d9abc1d2b22e22063d319f3c488555d4d4c0a26f1e079e0ca932b22

http://akashicinsights.com/absolute_abundance_files/xlvp/
http://demo-progenajans.com/icceturkey/JUGy/
http://pdsconsulting.com/blogs/3k2CZY/
http://www.majoristanbul.com/cgi-bin/fnKl/
http://azedizayn.com/26192RX/C90D/

Creation Time	2019-03-20 07:55:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
9576383096b890169115d47d9e6dc9f9d784d2f83e3ec10aa22a53f62d0c2d77
7598b4aabe799050152ba40abea524bbea8a1f645c2021feab502d1800ec2c7a
b1a3005bbc7634fd77fda0c6b08fc60cc026bd104731e0058430b55a41190d04
710b159d015ac24a67d8382cebdd7017a85a0551cf3a7ef59018ca2026fd0632
f7a0bc14a344022e692e534d6daf36f710e780c4465d1505c4f0270996332a56
80231477db838180ff13cf115f74dfbcf5fca67ef08a5ad4953b2fda888d60b2
278d7d114eba36e947e1f0c1424c292c09f670764a4f8e9106ce2b1e18a72ae5
1460412e3f246e0e4f938da5f17553b7f51ba5ab52850bf102d05ca639fa80a0
991455093c967cca467b7686082c6f1896431278afeca3523605cad01bbe3b1f
c9c08c7484ac6a18f285b5842a023ca9371dcb53e73e9698648d66fed03823fa
f297d2c6c18fda341d76eb2b29596b809094eb97dda324073d3a84a34e09c322
2765f39fd2d4a5b8b7e313cc0ffefd1845cfdcf5877a4a7058cd086b9459a750
cc755bd4b757367630d7a1332032943a58f4c3b70a2abb6fa77a3a78ce69a2d9
cafb37b3d77e7c68ce9d2007891ccc1839179e1aa3e5f6c3abce1582a826b508
f15ff7fd16994b8be296a7f95a4e08c56941ab50e493afe7d768436c57181a9d
f0c46f6aae2770a8ae74d8f77d66d627e342f7e963a827d0ab545e064919db54
8b1b81ad486ead2b47b97c0aad2ec6158176c5dc1b17de9be3a2761480d8e041
0ea3b08e124bfa60c103e0c9036b552999d74c33816b94737d838314c9e13f31
46787747628c2f7a08fe3c33b4ef09c6b94ce5e89d86f4d909fa3c2c3e985fc5
1a82bfb0d1f7ae4fa57161216bc83561321be8f34dd5d177e30a8dba389712b6
0d77d901c9c05f41b3c24a8d805c5844ccabe061f32c4425ab76aea837178abb
f71842f8b27e1fa671f6050915a6635ac6c8b33030129a9ca70ad21e3204e200
344a84db23a18b85946f6ea2fcf330e517e51d8983c8910ecf54b01c8dbd1a93
c76989d94bec4cad0f9741f0cc5b6081fcf4db6e540cd7196243b8848d9ddad2
b1814f4ea7b68c44f340c4ce785d136f095411145f4fbd09113d237860f200b2
4a5bd65a180f3d40c4e48eefbcde4af76ae57c2fc6826a12605af7e36dc7968b
c5e5102000f90b6c2f0bfbfc2c6871c5647c02b44bfd39a517af18b7687821cc
f8390376f4d88ce8844d495fd5c4301106a31fbcaf930056056643824cc3adc9
65b8a7279b34d6becdaa64aa738bf1240188f717795eb6e1ebc317320cb1f3a9
1be6d8ef16bdb46f10dafc827beefbdc0d2f7fbd0862f96c059457ee6fab239c
38268988ba268a3312b0ccb836577490770b98d816f3abb680f5a7e64d300bbe
85312e473318756efb8642f1437c144775b646a61f1f8febfdacc72473e3d58b
7fa9b8f8db18160fd626c1d613876f7c6001c6b4979bb25e92d4f39e14bc0494
0a2d5fb31ca57342f8c5a4582bd736e1cb083870b173cc5c01f46ec45f3328f5

http://baatzconsulting.com/wp-includes/Uyfww/
http://www.bilgiegitimonline.com/wp-admin/xJYvwn/
http://aupa.xyz/wp-includes/mHc/
http://albertandyork.com/backupsite/Tv8i/
http://abcdcreative.com/cgi-bin/6jz/

Creation Time	2019-03-19 19:21:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
c8e15e6ba527b854f3d19c6baf6eae26d20bb20e52f63e2f2f57d61e4525dbb6
f8394b26187df8d54be53f34338f4378059358f0b2cba98f68f99cdbc29563a6
9c1611f44416bf614a961be9b1bb88562fcbe9a3ecccf5068f1e30edb3824b07
2da70a115d7d57f001f24c8335d3ef8f6f03c967982ebea2bf64bc3aa8b7ac75
5da9a60964fcd7ce690f5bda4c208f7535324a28f8949d07184a43916ddc9ab1
e14ecab2293d76e204d99beb52ea144bb17a3c1ab3707371ff245cd48eb80bcd
c0a2030e388633e5648ff197cb7fba59c0e02bc6160ebb9e7e7f20394a30fa5c
df42fec3d9280ffab45abbb588cd393c9cb1d8408e3a3e05bdf1dd621d8d26a1
db3178bdcfd6c940796435068bc327313c9f5934b3b7e1756f99dabc8c01e50f
79872ce9a63e18ba6a4d5d33ea974fcd932936f666979229fb0e2cca5f9422be
bc2139ec6309f2f44829ec98dfb28c4c498646469d1332dfc7f3927411f6af07
e2b75d73a257a38d6546b2f69238d40f55e78c2eadb77a47ef6c66a830eb6ce5
af2b969be0630a90ff3c7096feacff53302e2592bf8916fee6053e8e33b8e86d
7b530a193a5e47fb384c41e05aaeaa39a1ab6e01aecfac2432e29c2f81fc3f32
6d7bde94f2c95807ede632ac1b12d1086f1e6375d455d9bd728546ebf4411e19
35e1287231f9e9569d62ef13f61442a428d33aa38fdf704be70b5daabffb8cdb
ea1ffe9d1b6166a27efdbc343351e5f142e5a103be3af00664cf01b8cd2dd4fd
0cbbb24400cb11b6b39aaee88532f01fe95b3ad18996834eb6dea1541c0534d4
494ec6b5b7238aa97fa2627689b19e86f30c5bcd20d563998f9c46ae04699dec
bb95c050196579aece21b76ceb3a162c02e6267d4708a8217e06ba8b9220bfdc
af31e2d1cc774ebd0e4a226d5c0cda831274513c904a2d251438962612d240a8
a15890d68726eaf90343870d11b6bc3e2e77206b3c9fef0e5152ef4c501aee69
9cfade2be697a9cd976e7f97b080f4b8a45e1db32034e225c669556bdd947987
59aaae161a76fa84afc2e01557e7f8c6b44271d799570df211148511420c228c
8f30d5961e2b907ca7073937a3d4c819dfe32aa7ba31f023df61fd7476a87961
83aa3bdfc6b6b6e80f5674664c67564c64972402af0e67eab1212fb8bb2d332d
a7da787ec200ab866227bf0bcfed3f405fc9163a65f552b35a91fb20d88222c4
19fb56844b8c0fc71aadc55b8e14c475ab9d1c057db4e25d0cce54fcd509446c
06f1e189f98870bb7676285429e0dfd07205220e716c6352db95e411e2a5f92d
3db89fa46d4c80e1a45c62942e3ea2902e2a4c20b16eba2198fbfded06082481
45b765d8f956618103ebf58f1e4eb2b61d3de13c4d497f82fff8b5f6bd1b2f6d
17332e350f7f1c0790eca446750c3253ee71bff04cc4b241de4e171482161af5
56fcf65c946e99c2ffa3a8fddfc0c59259a35077922eedd915667624a662c8fb
31b4288e450b2eec43e423c30aa78316d0779c52f52a7b6b3e3b756bb658aec5
0a9c82f44097f503edeb2b6d6650ac723d8598ce9aea32654736eddb272321ec
5f21d718976e5fffe61c89827b74a3ceb74054a1bdd1ab1b3dc69a82ec7f4587
d704f9a6c545b291d2aa7d6e61c2622c70e93b178f00e46e01e3b8b3995c2c51
92056064754c74e6a1d00bd0de6af1b0232a2a6e4fd9fb4fc17241ce6fb6ce0e
3e839b35c64f073d93c80cfc47a2b1a10e4a7eff1265c616b8bf33de6f1cf6af
64e0f5876822fb5c0d6116a1f101653b9e8b842ab013b0fdcfbe725297682d2c
83ae8cc0e707c256f7e17a2c9fb98b87f7305265fe4e54d550c4f45d2696ebde

http://usuei.com/wp-admin/SKT62W/
http://912graphics.com/wp-includes/JE/
http://actbigger.com/daUeX/
http://webgenie.com/order/Wsc/hi0TV/
http://wasama.org/4n0f0ik/ne/

SHA256s for Epoch 1 Payload EXEs seen on 03/20/19


a1ac3c4cdf059dfaf9a025c47122863729b16b55b01ce58fa524b3c7364c1e3e
a1a3685a2562948570e93757c56c50d479f56d40dcc05a8d3b7e6f4b5db81a67
2481d54ce26b51a17e04cf78c97bd0521b49797c90ef01ca785024663df719b0
9188c21fb9cfb9043302e8c63bca57f032c351973a5c36bc2cfd2db6e99ae4b6
00318c9410e81941bacee07ea1ffa279038dd3178e6028e01f287c98b6d6514c
7236c9471b346206df3e7fb97632daa912ecb3a7101d60312eeb3cc6a90d6cd1
48df38bd82b767226fb4066c4b043c4311b159864f1fa0d6e3506b9ed5488908
80512ee651e73db924d6dc96058a477831a1acb5f306fba09e37498f7043a35d
c24b166e7fe03fc313bab1892ada6a0a794cdd0064940b3346abf00f3f61030b
e25b087a311c8545e7050fdae4438d954196308ea727d51f2952730c6235b642
00a608faeb9612a0af8a7a9c8a3ab91d2f51336c6ad74d58c2e216818cabcf32
c4079b5b57067a0e56073f56199a8ae55766a9b2781e2acee9657b20913bc4e6
c634c99431375782edbfd50d6ae9bd5ce7e0759514fdbf36eab9206f1febb09b
df4ed9891023f6fd6bd450b6717c0461c2fd910fb4c84923d979bf283dedbaad
695a98b4ddaa265f0cb554a0d42dbc8cf2e4cdcb54b183bd9cbe158872d2b3d4
77adf56b71daa9a50653e67ea779eeb5a6a0a8d70ba4d60eb1ba5371fadb9cbf
c2cbcf24edf463dda63c066164d9bf240d91c172b42cdb22a1fef5cb1e30a174
e7778f3085b8a2444cb51b5c5880bfc7520c0393d25a0b11eff24c15119a8592
c101e9cb13baa0916a41dad40fceef1eefc53d30a347ea0294bee6faeea148db
8e6570bd37c3ddadba1dcc0c26aead12314d3453ae11c98eba5415d5da7c3ca3
d140540a3251719b4a93728dcc743641631f0e590f9e5004bb154320b11840e9
466d7365becc3d5f2dfe250099b8db41af7ec13508418649b3757cfa77766d35
7e1ee0f7c454439259ff3e2c5919799558a21162a9c725901bb9a22b311708bb
53aae7e002cd54a25244417ff1d1953b00783157ef779bdd37abd23a2e35094c
ed261bf5d889d631f5abdd43f70f68e87834c544004f904eb59bd6898954c16c
f3e8fce45c549e5615035dcf75bc547e765254f05f9f5d085eb62e0f37b2fdf7
d953ba22d4d5f7412d0b4f24aeb2220a375c366b1779dc0b92e03bac7f849605
7ad2865dd7362b54caaa855f91fdea1ba26426f7683913792ed8438a264712a7
022eb5317d51118af585d926b489099934292d5586eb94d2d7c3706da2ef9e23
19e70e5a366528feafb405fca1202557e94526f778fc58b5ea820355dfd2d4fe
58af3fe5c9ff5c67a7c42fd3a3a75c07925cd3d75978270b6f40650c824a95f1
8fe5b30bd832dec5317b2909577e1c2824e9d9b97216a1b7df6db4128afd79c7
2e83179a07fae715b2f6fc3b8a04ab4fafa33de76dd01ee1c62b39e6a8758671
4c8d6ea85273e9c67b1994555d9cb56fa4fe5eb73c1cce34337b88dd428ed9d2
3c3faabb20a68ba67a4a0de1e0201bc05a556ee27b4bb6a77d46e6aa1e56f809
12b334924535192fc24c570a92a3391dc9ab10cd11409b4c21cf6255e210ec5d
c97f7664fa52de27004e906b719aa8e8149f5373191097dadbeaf2a9573abfd9
6addd0dad5f3b120fc545d55865fab16d651a5ad54b21b46fda2f2f829a207cf
1d386e0b21eb506bcebbf227068423b7044cfc90ce5260f0081c3ffc15130de4
bf42acafa49d6ee652e45ba0d4f7bda86b2b2e0acc1b1748a6959b717303714e
ca7d39ffd489d14da048863a563b0ad1fd17ba9a448537c201c1b742c28beec2
b272d634e7ad5394fcf664e0341d9602934e7145602de1eb70646df07c5e368e
2b216f99cd59e3ddae9c1fdfeafaac2e1a024a68a98502cadc2e5cb105017b06
5938e0712cc987cd8f70a8f4e44fa3c32677b4c0b8ea4391b8cfd381dd763c73
f0afc01a6e2353ea86259f0ee8fc4a0882c3a33bd6994a0ba7a4cf60bbca1aeb
0938963c4224cf45673082488b9f692d3c16c2d2a37041ee6e60e848b53ca69c
e4bc62e8cec47093aed3b744169dc1c5dc5a87f753054b72436c98a0076a197e
77c779925160a7ace5730dd36635e5f064815302aea705d827b47f239daa1b9f
ca73b25ae6e1100c6f16060c34d039fb21f7e61eee7f70662bc57e6bf1bd06ed
603619a25cebb374aa0500d9b4ff8c9173fb70cd813df7c083a016bbb2a74b1e
cb0387dfaec0ce07c98a63b71fb8348d85fc77d3c2a8de83ff623f3071218c9a
5d89d1e2f547bc33af6b03ce70fa61f2d437366e559aa4de55e7632cc1791b97
6929fd87accb46cad20bc86fdee7fe0e72f415387b3acdcde08c899edec00248
f345b8bf6722717986f425a74bab4f6fbb2cc67e580c2b276ca317ea4019d1a8
bce43b608626d36693b3849222211f3a1d8d18b51da5553fb7a4dcef88046825
3b2a9b132122aee3981d18e6128de68c28ae5aff587b6a707dff05258300b8b3
6a4c9a4bf7a196f9706855525bdfd05691df004d8149c1f416e6bd993b8b07f7
63b994d248ac80b7a3673466d05db1f219085414c85f6a91773fe49c25bca6a7
d1531c1bfa3fb0616b657892137f6bb1d58d3bdbf4579ec5ff938aea6c3f3b8c
728f034c8601df49adde567b766b4d7ab7c1c81ee0e65f841441c1da11acc592
9cd78b8eaa83bf0246bcb34b1a82a76bd0af45798e58e1de03f98be955429c94
ba3d304e79d7a6c7bf20b1b168aa67394b924dd13c4c09df8c382accbd4ce91e
12487a24516f2f81571d16fc08724fc7cf19c522f381646edffc14b775c77319
34188470555e992bc5e620edae6a8b902f38cfe74adfb1f49ea42f4f762ecbf6
975b4e5f69cff920598e8ed3aa9eaeb1e026d1bc596ebffbe086464dc72773cb
d8851d8ee62ce7646344d49ac54f4c7008c27795177dd05e0534f809ef9fc8b8
efce99e69eaa9750399c70e6df7e236414fa6cd6f602ee25a92cc4f549d19c94
3c712fd770f4681d0a7f791049808bbc5d6898ef2f9f89429b2416b140423655
ce1ecd82d7603b445bec2c7715afa4b35081a4131ded5d024e9ab686a16fd44b
58bd58f82f6f29a3b627a95e8b341cba7ebcd1794a319f8850594078942d2f34
cc6c6fd6bf9d95f16f3580649d791419f77ef6bb5f239e9a68ebeaca386361a4
f9e1871ac7e6eba2f8694ec126c08f75c0a0f2956d95fdf58c2930e1cc1d9c7d
e7ab42cfb28f84a4287dcb848fb7a03b13bba0e563cfd56919f71bc6ca8ea0f4
2d34383ace4a9cc270e4a6511c7ca75f989f2827f08169566234a4cff97eed10
d0b0a7e8e672afe1412044c9448b66be17ca0fb89675d3aafe3a8cd128e82bbd
5cd712ff95dcf25282621488d5a9b7961cb8f4ae995ecd4ba7b69f0e397f82a7
1d1e6a18731f31b511f0af1b8029a73d8f12471ec50c2ecf173542ed0d7e7a08
e9c19eab5b09994dd19b012597e736234d9667598c287933d0e60f9ac964dbd2
ee758091f3c9d67f6fee479b68447129eecd3468399c3eeb9344575af1fd6c80
d5595a6d11f4bba9f8f2a7b9b9d5de683faa8913aac4d6a8b520996c4a55e69a
86d0cc981c67bb1c2f16877ffd5e4331e395ef77aab4a549ab71c10871879610
2976de5bc906b5a03ba796d6518988e1e7a3a65cfed54f8506a430922776459e
2de480f2bff4e5f0d88a36442e736b97422d2a75e7499676761b5ed454642956
6140c7cac8073d2a67f930c733ad9a241b6aa8df0cbd0b4ec52c61b21e68eba3
3d54872a752b1883ddf9e4bc8d910a91aaa48922f3c2a9ac9ad2e243836f982d
5685b1f92dea5ce2e37e75fba5100a7c7341583e6aedcd96851a3ed023ceab23
6c0a31b06c2aaf65bb7805638c82b77c0705c28be7596a7efd6a6d1e8fc32683
a3c49cbfc7e1f9fa1e6936f997c74f938637e3a43e084c049052c06aa65e462d
1f7635e9776458c0024a9a3b9300ae1a9b22a26535f2a4012a0badb8eeeb467c
3ca21f6d37320c499aef3f60dc1a97689c87eff44976d7ce0aae19be3f155f16
fc96237f3ff9812b4cea7ffc98ffd56c6cc3565d9b4663bdfa62eb45b734a28f
db0536047fedc99a03c9bf53e61333f1c381b4a9b3aba544b7c0ea2e5e3fffc8
d2f68f838ad0e69ac32dcf6a5df4d71cf7cc855e17fa18c8d84bb8a916078dc1
2a2cc7261ac4a995e8a9cf5d02993cba0bb1fdab4732d3c9858ac65c60d27a2f
e3ba0b19511b1b74dcfe7ae44d710abbc7175cc7108d8c373ad3754043760716
e2296516b5db2601cfa6a0f4151397d2b893df5f06568df4c7c60c8eaff4a97b
b96f2a68e95e3c53cda691e954f8e33d9cb6e9740e77881a0278301e0c5bd2f6
729cbb8bf9ff70917112308be488bfe523a5af9542300d3ef6152f733e5e136d
5d7906f47031e3ca305c838dd958bc3d0cecf9075711145f6d3b2267f77722fb
0c6d405e1ffff998f7315774f9c194d6ac153c111820950c42ab3b9bb975dde8
bcb5be96a4dc9d798d76d3edc36794901a4687ff74b4b334658963990d3f9617
142351149cdb2ac1bfe31f19d156057aab4b6e4a17873f7ecaa42b8bda13d594
83c97e0fb9788f5715bd3c98b70c423ae23920f2217c36cb015254a66b6dac2a
e04a4068f013f7185bc9655979d994f415d0a59eb7cbaade397badbf516ed190
07b5d43a41710edcb5d171276a2eac220a4ff538d4074b946338a627e5392834
917a8c4454107ea8d21658fcb35e79e221fd25dce7d595dc9eefeb634ab99b0b
fb29283732df5daa1ae4411d9be627484042668cc126e05bed7ae3385927fbf6
405229a5826fd8fe94e7f79e2234fd0fa65a31968a2b5eb8e1c21c83c4d2b3d6
c522cf5f9d3a3a727479798745e5c788a79a56cd7ce64973c1445ca79d6a6397
c53003cc98f8a061ac6eaee18a81a106bfd6de6acd32c1793b7fcd38005517cf
dca3bc5cdf777c37cc6e9cf74c3a687dd0556febbf2eac94101c4afe193c4b1e
dc781f5cc5ee01a4b3c27915f5dde82f0a733f6b5d9aeb8d49f6613ab4a9a381
880102f9b503e9036372dfa8811e97c1f5d4a94bd6050f2ac5b8f696e02d1b12
ea01704e0c24467fa6c56d13e7fe1d9771d5e451dc03b593a8358f4fd595a4be
7662b649e3d12245dceda611fadfd134720c532e0ea79971b39ceb9c39cf5087
224a5d6dec2fa1d55a2f1b2b0cc55c06703fa38d913dc6d0958d4c5947c33087
5e702c024fc15ab6f7ed01f9499255b73c3565e2c8d6b2ea109addc0ae802a95
4f82b189d1d0a051091f53642933798c4743c5a7148119a0e5dca8910158c399
eb9e92862c37fcef09c42c7ef8df02368bc4755671c70f9909382ed4a9637312
260ffcea7ead329dfe59b8ef33d279b1eb7b58f2ce2610b53c5228ed70fdcf54
24be23c916e153effc1977a3ef86c8cb4f55e27f1a43654c493dfa5c93c6a948
c16dcdf9a19cea4ba92469d3c7925dba06a189e14fd976748ddcdf6d7e45eed1
bad4e93012e90d0a5c5b4cdcdf554e27417edc91ae9f1acc47fedce05bcdd154
0fea6355e3f277a1cf6fd238a405e322cf48400324c857c9e84bab53f922d398
b7a2d72f1259a112f9b7c348598a9c2100bed7c49fdccb6e716000a7701f4e5a
ca7f5786db8ce8cb7ed7a896012a2731f1281922bde92070e12a4b910c318e50
f79a72556f44b1592a84db85f694cbae3f25eb837cecb2eefee49d4134b2c3cf
415e15002f07995cc50cb0b525a7b24ae237a157ba2c5af1526fc5a97eb051d7
5d12812d06149e2778fce7fa904e9ebcef993484fa7b2d88f98480d56fa6aec8
06d5d2f7e9020d83e4a7064b9c681f5087991d2c860a44bc96a283b880dc9841
eb10cc81f5dfcc3ac606d8bbf8578363d94c0325c19cf737d5c304ad6d924c49
7a96806167668aca7200fe8458ff7fcc31425acaac92a2cf06930b73d047ea10
ac826ec5b32596a660141be5d248233de45c735032cc9f9f24dc37fca59685d3
20404a32895d44b9b63c6d192d30471112c435d42393355b290f5a529dad9b23
f33ca506ed0adfb1cb73fc2cdc513cccd80e5bcd035f8d2b9770433501c2d8b9
1b68cf295f22cdc627fad8c39aaeb48366170162482aeb33fa13c3189ed6056d
d092b6bc1aef0f5d84613be013ffd3607ed3d7833b33f308dd012de6661dfef1
150fc1b13ad29c3afcf178b9a48542f6944a67c43cd3df339f725999359c0f9f
9f9fc0bac4443b4dfc42d5573b7001514956a51048c6cc109d2443dacd43bb78
b005e1c43d4e00ca8dfd49a1f49953d379a7d140fe483aa02001c31ce9325906
fe85849505914fed75fedb7eef7b19b9bfaa813a1d1d82bccbe8b952c5d2dd12
c00c471749f8b71e9270ac96d052837b4032fd9fdb1872fe4a5dc2797589decb
97c19bab59a7c2b7d1be90438fde7fa1d2746fb3e32f0b6454a556df52b3a4ef
5cd08b5715846f152d48b593c424cb1f1808d00f757a394307756ad2e1ce1a83
be1b73d7e5b7ca2c3c2691391401a1710276be2d69c46c3fb932594434550b40
bbdcba0bb043f08297caba75de6d2ac6291a95d8507e2d8e9e599374313751ce
504e2c75617553d852df04ff030d829e7b9f3dc82595d2d224ee1c35b0dc24af
54e7218bc97e22b4729f76908f6ab6b94918145d02056de2412da48cb84fb2ed
b3cded45e7a59c62c555d1133a22038ba74255551c3e8ef6b6c761f9e5c3cb40
2704a27c010014531e02a7befa31969209b01d5e7082a34bfe0c57c28f5c33b5
fb6da504409dc9f5123fb21a51fca43f9c68a32a46fc4433e861104b98538cad
d608da59f873a2fdd5136ea2a56e3667f26c9c9c775fa33930c36ce081026d6a
9aa3096a74a0e61e51830cdbb975110b52d769021d24079171117518ad84d526
7e09507d000b1953e288c4cb5ec7c91a73d5d8266ba62c13be0e12d6635e5581
da7cc6342217ae29474ef0842ae340be932685a198587ceceaa85c624fe5b600
9e4516b54a9ffafb4e57cba1cb145e76ba0750ac6f2b6e88fcb3fcf4a5f5348e
d6e837edf8dcc1e6c0daff23eaf587664c1168f0a957fd3430f44eb34186fe3e
9a522bac051758210728c947fd1c2602986bff1d86d86e11c739b5a991710249
5a3129ab3f9f5a8e38c3e2bbe470c92d09f8942280a9003a4846cc55ad36789e
c755ca4af6fbc6c12f3a29c753000cdcbdfa5814aafdd48fb8bdbf60e612d328
f38c77ba6f85b8561e1a0b1487542671e01bd478e5f36f2b7af107a55f00f5a6
080a5776eb2680f2673b0aa71dc3b30e5eaf08d4c9137a4eb3b26668d5a4ddbd
5b0b9d0a9d346dbbdd1040e35fcda4849632766d8aff974914faf23c10d7d05d
ef90c173ccb89fb90178fc5436746265983d3689f6a3bce83f0f0ba12cfc47df
9f6f08a2733af0fdd1639dedf928b52b16f0ff155192ed24d8b3c3018cfc29d9
454177491471a402ccb21efe95387e7e17907fb12a5b04c0da2dd69dcc42ef9b
25a984b1e2fc58888e0971722efb2c5b56a6457bfc900d464140a30a0f77ad75
d7b8c87a64dfab6e23a98b41b710c38156bae35139400522bc03e8daf544fd86
8a3189baf36f9559a1c948a933b7be359d0e0980526f50b4e7c9db357d5b8523
eef08de54d525c55a4f01662b927dbf333f9f2b9b562ad8b8bfd81ec35d720f2
f81774bcbf1a0ffab98a949acc0f5cc66a4618aa773a4c109ea47c4471a30bf8
178f2bef174c4bae26bb0d54e2961428c43d266464b887218e9ec6f99f448c93
7d3aca2f5ed5576f6bdba952d9f22a8fa738a388fdab19484eaf10ac7bf160ab
a2fa811a7f98898b639ad06ad1f4c60f315e20a683a7fd964c3eafc1b18320c4
7f88910ff14dcaaaf65b554b82e587fcb82c1d234e41944ef2274be66419753c
fa164b7fc86004033cc97ca808497cd0df61a5b4d2840df7f30d0511c70f9e30
e7cf64f1ffd24569a02fc9ea5cd0d65f8c7d4d68923787b5d9a365baa8ba3710
c0850f7415d910a0ea5e907266e2dea886ae65e89195a776b1f02dafaea8451f
4c99f8148caef539667020bd5f7b4f7c616e5af69bd21d296ec37165c2233142
0e8ba5933f43b994d9832c67ea75f6bb0604ab7838ffa34268e1ee7ce8a1a8ea
156e424ef16ed9b0ed28533b28db5239f61c0ad19df4c389a925d0aa9c6a49ee
291b18fd0f30c534f3f1ae1d487666224c0efb36546f98ce7b3f501a9e8c02b9
cd7629f5d9ed6ac3c9e0e8f96d00ea085da7bc21d40132389dddc24bc0b89d4a
8358fb6d7ec6d6148d3c6b13a1def51b38d1389cad904ba569475300a413a332
14a32facb781c8e5f55a506ceb275e42b83130b97b962be1d41da7be5c1849cf
91226a1a2e1d65bf22a1e9217cf859d22c4acf39ca4531956278b2d17f90e37d
4537149f7a4c234343aef120ff4f2a20e8ccaf01e785f16327fc803fd3c7f3ef
e1cd814a13618ea5fcbb48a1d3ea0f39615dd89cbdbfb097009f98f772184603
f0f130e01a6e42bf6a3bd26ab5cfdd05ff9891bd58072e05b0ad950153d87fba
e07b347351cdc77b302ffb8c1f2a617fa35bb583ba7b405857a7d1a0ff7be4e0
7ee5e328d2e61c82e0c5997f0c6a3fb101b1303004458e7fd27c7aee6fe5bf02
00251270358ba7a88a4a6ed123c14c3220d00254de813778fc2a78ac5c585ebc
720556e3629d69958796b6519a09e2014fdfd7f8bc731eb979b1641d313f4008
c517ea76300e87705ff18785e2633478e293be6ba2d5bc6145d8b5bc8856feff
4c18bf59373ab39ebfc1675d2278470ff436c36a3191050e7233726f8b8b4e1b
5c2b88e022267a80bafea2d32138e5f39df9a5aa1de753def1bb595ae96108ab
bd568d0c04a92a7ba73be4e0361fd86b2f5a3f0a4e5f2f48cc339778a33710d8
4e837fc56085044e52d2e68af5f08b3df8e3a2da7c7a17b0e910b43840f7a352
06362d51a67320290dc2578730d7a1c2ae96408a1300f04c868be896453f692e
b83da937bfdb72c492c8abc4c072384a2327ce168f53edb992f6b47d5a0dfea8
ceb4e591d291cfa80011a038a2ee29d583f14ce4287cb99fca33e223e0766d73
ff2b6ff85c0f66ee36ff83612603542d8b24c7b3b99d76be0ec7a69d71a0e784
26c7c1cb58fa10e87d5a1966d6ea23ffc52bc4851d672d07adea5b8043000b97
34106f08190cc663bd0d7983364c0cb3dc372bfd9c6638eb1c47578b290dac10
f9b7675e4056cf101f8d25c855f6176e51defd1f40bfec9f4a7d4aed99f25ada
3809b823f62f24b15da59821d9db39d45337d2d14fe5391191dcb616e0808621
0db8e31980dd6278305010628e079e138d96b3d798cef0050d608b42e81f12c1
6f2c07dcdd3f0f079dafc83ba3481de1204047f6046d752055c64e438556b2e4
c284251e054bfc60ddb2d80d345daf98c0659698037f7e7af5b73dd471253989
a468f1dffe07880a846ff2760305ff46b1518b42d561fd8223576be03cacdce8

Epoch 2 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-03-20 21:18:16	(JS Based - ENG - Fake Error Box)
SHA256:
869f09c1b430433a385b4ec13a90eef4cfe0cba092a46fe71107de2f865bdf0e

http://northpolls.com/wordpress_e/xh/
http://pearlywhites.co.in/cgi-bin/TwQ/
http://nownowsales.com/56mt6s8/SiP/
http://oukaimeden.org/otul6pg/eyhG/
http://8501sanl.com/wp-content/AKgD/

Creation Time	2019-03-20 14:48:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
0d0e0dcb30161c1caebd0228add4efca3881aa1fbde72e77c2a4eb8b3e9bc99c
4b893cad6f1e4bfedd50880fd7a08f496569913dd7c1590a125a9b7d4174ccfd
2d6f6c5fe5c4af44e8076f053d423de86f1d1cd62c78f8a2bd7bfed05841e03a
58ebec99bc0f80218f9e36e121e22d569ce5b28b8b843990294c29f5ec7b82a6
89375294f0339b33731debff0baf4953fb097b56929bafa7a839f594108f4e11
6cbaef4ff2e8d29a62665fdd26f6a1042e70e900b1ed66a066af60dd4fa979dc
023ca21f517ae8c1dab26cd17ceb16765a6768ddb02d7bf03e8777fca53b4bc2
d39f048c46cbf9e3e71fac8dbdc06222089fd0d48a69f531a065fe4dfff94e36
fa39d04d0e6a305ad8a3c0a9f4ed8c80f02d8c57e9bca7a903bac2545e086d09
11316a1c4c089e8503fdb6d897e1a3cb446a782d3400831b8864a3d26bac67ae
6fca7aed972894debec3c11f25cca7ca9efe384eff513651d7a5d680f4c08b80
c276615a7ecd1278f7650daa0ea084d72f49495e1af26e6801eeceee3ce81a50
211be866b21316604e53bd3f50bc502280c7b1603ab7ef7ef96c22b369402030
84811d076fae0f573eb91d0c8aa792dae2aeb6a5e6f0f989296e7bc97da67ab0
2f07a4c89370248b99160b0c4001f1945d14fba6c9ffa5523e7f117422f8498d
4ef23af785770da0a939c0b23ac2dfa02450561b4fc31fda88a747e80edb93af
9e565c060b4be380a1596f693d18c72f3a7d0a7df583b605b2f4f5e544e02467
784ef6e2d484f191705d49dc3f1b7ce8b442dd3a5916c33136e61e903a76d818
d58ca69e03c4f1e840867f1f6c5a2a927164393698bfde6fbb4f1112e7dfd1d9
f2e21dfe83f2fcfef12486507c4ca2614659134188f718ddb832771c4b2281cd
291df82b52799bd469a851e0b9d83a415c5d29b5b4c6aa22602b8d03559f79e9
6a78108ab0b40c65f501481fd0ea94c1541dcc419d93f12fb6a7a06d699eaaf2
329b1ffed8f5fafc30fdbe2df189842a247a69bd37cf158b90e50bb086c4c394
5b42db8d80442f5c13e700ebccef1f0ea8cb2f929a9be800543d7ad4c88c48e7
706351643c333f88061c12b433e84ff56ce5b3fc89edb46423b7ca5fb1aa2981
27c96680382ea3cd21b2e384525174c9e5f6761e7ab15e6232c11d22cfc6df8f

http://northpolls.com/wordpress_e/xh/
http://pearlywhites.co.in/cgi-bin/TwQ/
http://nownowsales.com/56mt6s8/SiP/
http://oukaimeden.org/otul6pg/eyhG/
http://8501sanl.com/wp-content/AKgD/

Creation Time	2019-03-20 08:30:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
90bccec27163f7fa4eb34e024a1d7532ccbeb28dd98cfcdcba10d2b7df3b1f39
3cec3e84c24ba8c5bf86107f7ccf4a344268662b2ce9d919bb75bed08ac43bf8
3cec3e84c24ba8c5bf86107f7ccf4a344268662b2ce9d919bb75bed08ac43bf8
cc34a532e806f7d32ec7d22923e16c584d8d3435cbc9ec3f56c258cefb039875
71ab28bbab6012bb8fb67b568ec1afd40efb8c2c421538093a1860b25d9f4113
e42363f56d36e49a55a9f9f2adb171ba79590c2ac82c4a85f6da5dc1410553ba
51772b8e5de9739b44c5cdcf28ff18fc1241a3f077d3565079446a3a81d42ef9
4230607779d62bb99027fcef81dc5d92454f4e38f08ab27b8620ba03f715ea89
12f423a2cde7e035345d42f4b083e2b262049849414b8bd946962c39fbd32382
e31831987f89c53560484983b15135546a7afe56a50a1f498d936d07f905ad95
fa9f68eeb3e65b760aa781b207c75df1b73c9dead610b34221dfb08a6a45fe83
8891648d6d36b0bb4233c7e1992e121a3b02a06e87650c3f7a764b04deb4594d
65e4b399804f938a56db8a31edc7c83b4d843004e963ecdc23bac696a3491055
a9eca651c74880a4879ef98dabf00f9d29cecb7de47e107ffbfb082252db7cf9
30db246c83a0a3b6af0e65e21af39be03e0d917d35a009855174f5d696180534
f308c5045d144672942f099d71e30bb89384c77e200e869c8288d9d13405a88f
cbe9f0ed42f4234d5c3520549a4129bd2c61dc8a0eb44eb95340f3c51b5bcfb8
13b5d65b58920696584037f8236c0d1b28b04e85ef1c7a8e57e2fbd51f643572
c46bb9759e3ae8cb6c40c817ec671c9e4f0e06928e4519c9c17f8b4e67581a8a
dcc316942b32efdac4d8a87fec151d0a727562ad0ec8cd086de8f32ca24d2974
4771951b18a708931be4c0e5624e0d0e60f87d393ac8c8bbcee4340b1e2b69e9
e6a2663b29b9742e5cd476804a90f55936f9cb003dc9eb1fd61e77d028e9f78e
6ca53bb668081720377b01b08b42306ec2c3f1290b6c7d050dda9d0129b1169e
b6cdaaca89cd1d627d2f5c9ee93d8d5ac2166e64e968f7bcd33d074ccb352fc9
9df14de20af3979affe96bc7e8c32e593382bb67a1dde947db160565e124df90
c4e07f9b7d86b1afe452b97d8dc4c0baedfb75c0ec8419a48df0e1b0bad103ec
442f78d75ed0fb3388d37b1cfec5bc70781cd7283f7308e90f1dc4f22fd07c90
bed04452db5228e5b86a3232f99d1d8e6a016db0147aec03a96c4a93bfcd03b4
b50537b0892f6efafb0bd1c814bd014246ac93ecd33ee7be0839a0483a0bc27b

http://smelecpro.com/wordpress/NJ/
http://am3web.com.br/e9j/
http://kan.kan2.go.th/css/qG/
http://nammuzey.uz/includes/f1/
http://wizzys.nl/theo/M5v/

Creation Time	2019-03-19 16:45:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
e0dd530812d079c2c5b907ca2161c78d6ba99e33168716aaacd09775fc0ce059
8a29749fc390c3e214f401e8986b04e9e272aba085fedf53ac491aefd42c9d61
f907a21325e4e3ea5d8cf52f44a733cd82025dd0400876917942a680db217d3d
91f21d600fb6ff984ab0b9ccc5600bb91ec0b9b2de10bf69afc76086e7d6e8f6
111aa62fa00b552ce5c43b05c1aa4de70d35ed8a335899857edd5e88b71aadfd
98e02877c3a5a85005f4dcec2877221186532fcc2e64e6f2f5ce42a114fd2f19
cc3271ca03f5d8f33444da17467e0c5416241643267bdb6bffa34a38ceefee00
5bb0fb66121f125d42badd214307312ddfc414401b8b64912f275e7f5a57e2a7
3471df7df21fa3d5a9115484caab610b441f617e12935e6fac8d0a825a969488
f7821a0e84fb83151caf26a8ac681206999bcca59c085c6c8b74acae73485707
2c01dc5885d1e3eabc70071fe664525d7616734efd3dad449be575230db6c7e7
197c9a8450552d2327b51349baaeae767dc1c6d77f12fc65e1ddfb35cd4980e5
003683fc6d2c425be2b87c127b27207b19525f0e348cf5c75d8430f6c3f5eb0b
c4c5a2e4a249ae6535a1e00c0fdd80e33ce826171378e337206ccc7375c6dac2
c026fa10b57b6ea2ebd6d6efc4a04df4b1edf8b13ce1c660b615ad0a70a8a714
826d22322bd1a38311a7a3de55999921543aa38bdea06dc22cdbe5567fb0115c
e545364bfe8e1e072499b805fdba2566887c176ac004783879bb66b22983c671
d54e9fe0b0d31ee4d2f40e0a02672f6d05496a120c36c1dcf3e6dd14e40eeb9e
e11c31f3bb29f29c6c5604cdf643f38e344822e1d83ab5ae1f8b9c81d55735b6
2cdb85d48bd0aada798682cdc9e00688f3315fa247b820813094cfea0d57ed60
936b959e68e56e6a5d2cf15e21a7fd100634d0eaa7e42563fa5a9dc0a2ddf246
037bf8bf787f017a0e3f9efe7f3df2059511094601f793cd9bb19b95a60f41c9
34f713682281f772f3490f6d894c97c93eed50eb3866a4fb2fe2988df4b0112b
c4ee2c5efa2b2d503a33c8228e09bfb1d171dd8d84e2aa10dee250f970a8f2f9
f24f3d547fdebb1480100a8ab61abf96220222fe80c5d40bf7c9ab006937659b
c45cd1be90e54011a5f26aaee821ebe47b0aa9c022e8b10727a493fb73dd7814
2a45a1772ee1999e6c15019bb04568485af17259f0d5f4dd0dd599a9c908a7d9
e9101d348f50f967bb46bf2d2021dc4374ac30eeed17cecaf65382647fdc865c
659ed37b750ddf3c00f63b5db0acf0cabbbf8fb89755b73b77bb47d55395e501
2d2822e1fa837db5e8d3722253f06ed82fbe43aaee6c724ca01488511fe2f298
c603dd3399ce99caa51062a1011f5176600b1964705c488eee8ae2b47025f72e
d57ef7145fdb0b552de07acffec8e01bd1eed943a6a3fa34f3bf32615631998c
03094d0122a540dc72687a15554b143719ed1d7f82b26f1a8ca4e082b4aebf97
915c28d4ec0173040a2eaed24c603942bdc9937919c16dd3386c4326e393ce0c
1be3b9c63166b8792a8766fcb089442aa9f6a0042f47437ced571939dc476f73
4a324568d1f1e3fb3f47e5a177532da085599b9cd89638cbf80ed5fe0a257190
365e98c9680bb5642b6861c90c5a265eb65d5272e38a767c1559acb82d3c3c92
8c97a981866b6121ec734ac9b0da80d1805af5e4008d6d20ae16753c6073b804

http://wsme.net/cgi-bin/xH/
http://justart.ma/wp-content/uploads/2019/01/Ti/
http://majorpart.co.th/wp/qI/
http://estudioalabi.com.ar/wp-admin/NvvP/
http://marketinsight.hu/wp-includes/ly/

SHA256s for Epoch 2 Payload EXEs seen on 03/19/19


8d5e506c28ff27448dad9976005b4e5015038ccc7bbf9e3ba21de9ff547a7ba3
1e87b7720ff59a5f81fb6cb62fdf90223add8932829c466b2eed1e99de6c6a15
1e00bcfc92bb9c49a975a55935a1fff30584e9414457a6f303ad50722e98424d
7e7d60e395f17467bb71809ebac8df94420ca911f233cdc4d121632cffb71f7a
3f1caa809a4084e7a79b4eb714f3339c68bd14114eb96fceef5f3d4e9692581e
0f0c602ca42c413ed9bf93d5815322cf3e59fd04d9b83930c761f83608fa362b
89d5d47e7c9dfa0c12748ed746a71e9f07539948d4bf6ae19f1d75f153a2cc8f
0947af028dedb2cef5b97c23fb15035365fdcd7cedbae75de17576240160683f
90f34d95013d7d438ee64a18d6edda15499b0358fc5e5128e0835be993cc51b5
45868fe6cd7423f79856829b80487f933f004f09471e8c83a42af2af182c5b53
a95be921e74664f08bd124ef05cdef4c2c9bbdd278923d122b7093090b9fd239
74803747741f7d39f884f8ab80ce9d649c3ba29e40e8b634a4a316c374585693
c7111e4465ed459e2ba7fba32b9082811a5f7f33fceda63b2ec4eea449efa165
c51d03341af5f273f53be5b50012a41c48032acbac7f5d21ccacc60a533194e5
5adf3700a775b0ef0e9f49645e490838d8ac828e45596d010848990285398607
da68040ed86cc2d4d2594e4c533560a1ee8a74023d23d33aeaf6a1beff8fb543
cd83ba6af36e45ff3a61cf365ae9f3d41847a509a12d42aabfef55d32776b8b0
3f7c8f0180a0917ef34cc81e83c4036ee390e8ffeb0b4a57bf70bf1f89f5cca7
f263d55fd19d83f055c41adfe099d94e6398eb046b1ae2d5821e23df956cad77
0682bee6600a8095a3e0307a75dd36c0b12ebb99cfadb255d89f973cb2c49f94
9bd438103a1059443e941569185305a591d3f5879aa1c3153d2dc2f083f6c77f
5e790fc226d0deceaaaede6512b3b96c389d657fc5ac6f6577af2cb3e9649510
42350bfd0227b50e3cefc78442ccf4e2348db84db92ee4b3867a13d4c5e9bc80
3f581e3cda00e5f0f0f10959e5c04dc8ba2e8d7f09eb7b057f490a73150f39d1
aff55ae661ab76de75018c2249a644a61fe5d17d95734b69b8cdf25c42c50ea2
95798575d3cbc1d7ab9650bd5382730aa2bace510f72decf5bb382f2f552652a
915f68f39411d1a26220c3d7028ae19c9261bfb8c2b05dcd15174c12b644cb0b
5d6f3606b64edce426e1c96ff4bae7a30c25a7ae933bc5c1f3b782c7a2ac20e9
f1de3b0975ed5df1a745ddcc8c943fb32a69c918968fc5866000dd9c8f77e365
63560cb92928796c965e1f024beccf4ba009857ebbf8439210fddc2441fce02a
887af7ff87007633988ecbc8cb2664fcbe4a49876b7e781b2da88d1ae4dfc48e
97c76a7cd9d50212e4077ae1fd7db00389961ef3cef7981d008b277a0bdd5792
ef4366d075bc2092c7a20dd31b17d334ff6a738896c2484f866e6916dd73293a
5eb04aa52a362039ab1dcaa0375179fb77accc4436b52d34098dc16f7ac20bbe
b02e88a90f480d61081fd5822ed70e044b940bd1776a531265dd52b919360065
4f22f07119733520b0c4475015fbc845f28c6032131128c751107aadf7942cf4
56ce0e8ec8c7718a9519cc5a4524292ec1e4b097831b3bf2f4e4084729ab1da8
3d36b676fb8df7ff997c81502f2ef6906a32446023a67c97a5ba7e8172351f6c
aea99175c8c1189a9adc5d7972cad069e7d9ced8765cc12fa4897e4444e697bc
2b805920c2ac33c41f72bce4288a2fd01bb0991eaa8c39d319fc775b8fea1db9
36a1f0ff955e25c41242dc5dfbabc515964012619ba1771d37fb268383bc004b
5dfd7d73c7b524bc07077d9f66739934c2b33e4ff424064328e1cf74d10f97bd
fa93471930e323ea1515eb060b5efbf63d130599fa364a3d1dd5570efa0dbbd2
9f48f35ee64c9b51c13118faf279e86e8a7c9c520a65951334859d2a682c4870
f59bc47cb8f92d0fedbcc0f6e3c9d184f0bbf07042c231598de733b6849cdbef
f7a2758d70a1d1992e1066180b0d16fd5a3c9cade654ffabfbc7f1ea807ab1db
15a0115e3e5816413176e9ee4306388ec9dcd2f9852f8b223f58d1e30fd67ae0
1b21c96ca03f12eabcf3dd0dcf936908db9dff8a63c5d8091c016fc49d8003d3
55646d034c47ddec8b91c0e0fc20d8a84e179f322ddcc947efd9d843700ae28b
fbd061e82d0181836592058f45cd5f305af21a89f2cb5de04bf93631d85fc2b5
e9d97990485830775ff393859f2bec4b3a0db29df2d1d7470c4bd4179937af3e
7732aeff662120a335bf43e1a7b9a4e2639656e146b3c96132134ffdd0699e88
e464da2e0868c1e926dbfa774670bb3f4ba4afff9c2aa40f5408222407fc1d46
31e8f97acb756d2d6bd938951a670530871b7ee29c75a4c68a3dabb8c03d2828
cc7dfb0b5abc84f266faef20d028a2941bff0fb133caa551b6556bf0b8176964
edc76cb22f5b33306f39bd232f01f8bf5de26d693d3f49b1350613919735ee3f
1c9758d03021e48527a98101969091ec1081b4c347e235fb7d18eeffdbaa72b6
bd23cea62ccf68f74fc09fe56d2180caafe8d52570344774dde4fef66816a7c8
d48214822b62ccabc6ba8dd9b821f4c8776a708806a98dedac67f93b0fa86619
a4fd178ea7addf344958060e87d8d0d3de52c75a991dfae2ac17b002e4c46f90
c871cb8221b1bb408706a2d8da18df3616a834e7689c2b14d95bbb346e1eb5f1
3a4db42186d8f36b2b092447420ab7ee7e608c02fd04b67d1be80d84827be1e9
0a554677621354d65c4f8385e42d2a69eba28da59fe55af0f01522f7852018ba
5658c7b9298bf128aec11bb0a8d91c8b70d089be7415f01526bcf40eab47fd3d
09119e6c1636261d98835fbc7a4329928e03f335b929e0d63ef03fa9cd9c1cfd
c2a861436045f5f7bdb324d6a1fb0f1b975110e000a70a5e8f94eafd29bf80b7
bef6d06169e16a3896b730e82539963361263fca4e269163666264394fb0fc29
ab33ef347b3c452df5d662ba5144e447f4ad283ba3ec9843d0ac621956ce9dcf
bd014c6e25a10c753b942924a65fa5c7c4b56d5db5dfc17647937bdcb90924a0
39b8ec90180e0f9f843043ff9fb5fabcc79bc37c06d73eddd4551b63d569f9d4
afdbb7c69ca990cdf0ac12dbdf459f7c193d579d9c488bf1a7fc83ac6c9fdc36
75571fe0a673955ed86778a65a6dc27f4cd0bdc20f09539b0b6c8c6cf6dc8fc8
9364b2680acead04f61c75a1b196e677df34b7d55ca8df6203babb5aac50ca4d
7e097f0c5964b733178d88a00724a79e42fc3a4cca124d2e571d56d2b7107f88
f5d35ba30f5354766a3f30bc9208d5a189345a8812998aa06cd2898faf4c8229
9c372a3ebd1cf3da401bad71b1215231f9c2081c0986692956552880a4cf7a8c
78427f0fbc97cf7d48a0e697acb5893521d7290d49f80550d1011db86ed397cc
f50af499d746c4f073150e4756b61227c2b43508b2afb4e97c4ece132f6e6c01
3f4ab233d48da17e1cb60340e0df52c782a98b7aa58d143c81f68f263ecfd74e
72eacb1427b54c153873f3456ce38f691e6dec40c484739487a5f1375688339b
baa84a30b62187c52f54b55b414ef5e569da2c092baf9de6126908ac3467c797
690b78ec0cbbf8201234610cd531fd2c1cc03a44ff4eb2f34e1cacebe190a722
2e3713c1a808618511cf34527ea3b1c3110fa228d1a2263c79a69353664862c4
0efb74f2124d06e1146f8f8e618d92073ff215948d9ad56b3517b1365ed9bcbb
09517537074bed3c510cc750a07acf1c0fe25d1a3fd9c0a39f73673755d74559
1dbf7f349bc05f05e78c277aabebfbcc5be39a36426fa5c25b12a69ac0845052
cc983bada012644c7fca5f2b1b30bba60a5037b3caa512d1f87575a09b8992d6
282f11ad4adc1839838033c94001e5f1c607760328a5404a3b0e98ad69f5cd74
f273bbdae9880e0184aa849c853f4f657f397cda649eddd2c87d4a2d13931786
880a54c2db13839b0607af878e8ca3f6e8d8a30b3da25ce9974f6535ee2e079a
4dfa0ecdce0866ea235f8159f2cf46675b13bd2790db8b58274662676e58bbac
94fadc8d26652d4715e332cb4df4f5b42432c020424fe34bf83f1ac41a908dc4
14c7120f35751a8705c13870fee3de27ba8b7067174190f988c1cca0bb2c42c0
b43b9f33a75694ca8dfa67893353ba6e0cc40f99a75366184c74e6dd978b2f44
c70dec7dbf8d201beee7733cfcc4953ffdf8b450f41bb5bfc9b1b909e64840ef
b8fd405309cf2503403acade35a3d3370e6e77d31762212fccab08bc0f84e3d8
a83975c2f0278f637fe1b01aab84cf086b688ec8d8635701688fa851d3eee422
0725b8aef53e42cb1cacdc744fe0682eac81a17a8508a590fb750a39f9e145c5
066129f4c87c444e2818d55f5ad6dcd4fb7fcc39b5b3dda1e271737d05c0dc6e
1d645f66ed4c476aabc02fc50911e7d3b9766456d10438562040a97f28c8f5e1
da674bc4c5ddb3ee77e8d2588909889672d86ceef410b208693f64487d23d88c
85f9fcf6a4321442d3839f8dfd94fc60cddd56ec93b4197001846586cc9d4331
616706ce17a955dcb5a6ad583bcc4024db2108c7b26f413e77518c0f2ef9ca30
49c118b25084b239622eb199a99b60028b744c2f54c12d0d241e64297e8cc8f5
8e767b93c2367783c655bbaf55bf001ada3644401f859c559324bf53f335a4a9
03ff8905b857282366457cf596442425182a4477120ce0b6673978078c206c15
befe0c9c48a9f0977c3dea040850fba532f44ccbe644600034ccadca4942335d
d45ed9e8ab4cb31db179700ae1059346dd89cb90076598fc249ea61fc11fb4ee
1db252da6bcdacd351459dec18340913d9c460a8d3814fa73e0034aa3c18d161
efb3e204f04d10234807e706a85821d7597b509371f0d74ccf44146dac47c3d9
348ed3991ab4592965912c34cf8d0edfa45bce6a11efbb37e712eb45f6af75e3
3b44cbbf524ba6fbffd6cdf3f116252402e96aa5a5e8021ed6c20da3aa933258
4ff98e3c801dff117b54a9b3f445e36a31ac5c00e19d7d13b87a0e8f48dcc92c
ac9e1bab8585c9562bb21169176498601549999d8976ea030dea8ac47a6e9a73
4cf94c7fc7ab5531af9acbed9e7edbf7a51b254da3cd6c499e7d2ab1ca315d0d
c31b712ff3c1306d59b1a2d1d7deb622d940b3476a144436915973f14e4dc97f
7a545bc3b9a38987a6545752039930df78daa4a637e01add95c193fae0fb486f
02f7a4499b76140de7248e4862ce780bbaa38878732f984050368663dc4e8bc2
4c9ad9991e9bb6250113d4afbc47efabf5d545a28403815f91d75a8bea2e0b62
fdfd5d5ad41da804e9f319b914a7afa3469a890b25c6fc23f88aa1ab7107073f
e866c2a156d4bf0389429032dcbf713c1182d69fe1bba1f3352841ec379715dc
052ddf9774eefde3ca4c77016791587873fbbe8dcad313105cde203ca9faf4c8
245ca24935e7f9b3cf05752df195a7a7ec1eb528d3fdb2731152d9b0a0eb2427
79b5fed6144692b4ff2614e54a5994882bdf2f26eb26edff0723d701c1251b66
0561ab218e55a62d04dce66bdb009fafe2a734ce293fd0ca362f12763b5ee181
76c762fb779aafb9e82e60ab867bc06a8c6d0dbf5a0307f05a466b3209526546
7a80f09665d7c1df5645fe9f63c12863ecfe0c5b40875a4cddf57502e31b3dc3
13e8f9e915e5ce0844b913e918dac2927f3edcc272aa1dec3bdcb8cb66e8d29a
603f4411bd889e18069633d017a026f8d15382f8b5aaf18be1a45e5744407b61
250aa52ca391b8c4c9a244d629333af6b3f74b7f24b10e7671ddbe0473aff495
e3b98331582ac3d773739808ccf76ac3d117198dbbd204922658cecaac97c7af
90b5f9c7d8dae61055303ae33f62d75451174a2176c96414121cd5195af317a3
f88db4c88b86f54bc1731eaf4c50fe06e617d2e7ca6db1aeb3a656fb2b6cdf97
b33499ee6c6eb8ae9b7ba297a374e68c7707512b8781109a8997cca88f5b2119
21e068c9c42aa1f3da68d519945fa5ced9882ee1021644c0c8e77a308314a3c3
55ff4748e4c2bcaa3887c2ee1ea30bb0e1b9be1356387631417ca5cd121d481c
7c8bb9c9157bf8aca42b95c1801abe105236d61dd4d519ffc6b69b3e00f5a68e
3ea8541e3880eb0ba18c1fa474cd87246fec423e4c3e4862469ed8fcc3cecfd2
d87695de001cdba1df67b69ea0831073d0f7d8a9560bc5ee8ec6579241d4809c
d16e0ab144e459af44f3011ca6d7badfc1e3c374498bd19c71e65350fbff973f
8579b49ace1da68b65d3a0972b7a937e10a9cb0e0b3cb10622b666384c56ba11
32717039818371b7e191602642dc4f78ead0457ef38e1fc419b67fc0e34d7b03
186d8f2ccb0757675ccae75ab9f6a1d5626f8d06f71c1e2d6218af2470c8af4e
4f0f72dc63c02242f537d2e9385a04ba4983bc5ed2b57030b24e1ab32a298440
5ec8df954da4647d5532bad4fcb24256eb406a12e27d6d733b3789706ff8aa86
a6fb40f9ff8643cd8222aa815a9d96de2c890e8a175a8dfe10153d0d2393150a
dc24337c890fabc3e6d59f5cf9ed3ebb5b05d12458cd90d88c34fa01e6664719
409f997bcfaf52c96f57dae2e50e3bf550b5a67e236b6d100b0e1ac983ac79aa
2385f6c9a2011db54f5756e8447957f00f3628718657b83f34227b9652a7521e
4917fec946a3936d134f0f1db35b42857698d16d02f5f00a4b273366590a615d
bd3e8487f799661d3b47d529386e214a298e65bb4b1ece3d312be5543cf0d2ba
a98e8732b3219a186e101141da6d92b333084683a957d33081976bd1ac42336d
48e76ea95f03215c984284f00cda798ee2f690672874043629683dd234743a28
6dc907af946c924488229005f40efcc7301aaa136bf252f0510949a7dbb6a919
ccbb3e01da977dfff123df39486c674f99e7f30ee54b0d68196a9d7fc160c92a
c848bfec7dc32a532f39251a7ed972f578854e322364fcc40ea5c82b6b044ff9
2805028cd2030f0d753701c786998d3a170367cb0514bc523e13dbf288599c00
cce71ceaff2500ec875a13cbdfa14408663539cb6106e0467bb9ae56fbf6aa22
c4b38867cb65bb6203e0b92e72e8781afe8dfbf9800b66fa9cc2e5dd26e1f015
c30bf49107f51f201f598dddbef9a2b99a9066356dbdbd7d2b84602228dca86a
ebbb1f472e34f1545c1842506a5b7904ae8d20a24ccba4438ceb0963f047da78
900963cdae2fb98408a75fea6ac2d7e43b8c09c0098a6416de31226bb83640a9
f6b1b401c0488fa97b0ef24d0b334a0f96a9ff73a4f4659a1adec03b044aa105
cd1ab78abe4f367551ab2796c2a204341a8effe89badc691478aef6e39d835cf
5919cdfc091e8ad4eb94c74edd5cbbd8b5b9476fe4bf8a761a6ff4b88140b05b

Epoch 1 C2s


109.104.79.48:8080
109.73.52.242:8080
138.68.139.199:443
139.59.19.157:80
144.76.117.247:8080
159.65.76.245:443
162.104.1.255:443
165.227.213.173:8080
173.177.157.7:443
173.248.147.186:80
181.16.4.180:80
181.228.211.100:443
181.40.122.122:8080
181.56.165.97:53
181.61.221.146:80
185.86.148.222:8080
186.137.133.132:8080
186.138.205.189:80
186.19.36.126:8090
186.3.188.74:80
187.207.188.248:443
189.208.239.98:443
189.250.145.98:443
190.117.206.153:443
190.146.86.180:443
190.15.198.47:80
190.185.241.151:443
190.210.3.93:443
192.155.90.90:7080
192.163.199.254:8080
200.116.26.234:80
208.180.246.147:80
209.159.244.240:443
210.2.86.72:8080
219.94.254.93:8080
23.254.203.51:8080
24.137.254.148:80
5.9.128.163:8080
51.255.50.164:8080
66.209.69.165:443
69.163.33.82:8080
70.28.3.120:7080
71.11.157.249:80
71.43.73.58:443
71.88.106.124:80
72.47.248.48:8080
82.78.228.57:443
89.211.193.18:80
91.205.215.57:7080
92.48.118.27:8080

Spam/Stealer C2s


104.236.185.25:8080
181.168.129.146:80
189.159.195.202:995
190.147.23.76:80
47.180.177.96:80
50.116.63.9:7080
70.44.163.160:443
73.14.76.77:20
81.168.92.58:443

Current Epoch 1 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

Epoch 2 C2s


108.188.116.179:80
133.242.156.30:7080
138.201.140.110:8080
147.135.210.39:8080
167.114.210.191:8080
173.255.196.209:8080
173.255.250.241:443
178.152.64.225:80
178.62.37.188:443
185.94.252.3:443
186.113.255.229:22
186.4.234.27:443
187.189.195.208:8443
190.211.207.11:443
190.51.51.93:80
190.97.219.241:80
200.113.185.229:8080
200.50.185.54:80
201.212.49.246:7080
201.212.91.189:80
201.220.152.101:80
201.236.95.82:80
201.239.154.191:443
203.143.86.111:8080
208.78.100.202:8080
212.122.71.196:995
217.13.106.160:7080
24.243.101.134:80
31.167.109.122:80
38.131.14.154:80
45.123.3.54:443
45.33.49.124:443
47.180.177.96:443
47.180.177.96:80
5.230.147.179:8080
50.31.0.160:8080
50.80.248.108:443
58.171.215.214:8080
62.75.187.192:8080
63.77.201.245:443
64.13.225.150:8080
67.205.149.117:443
69.198.17.7:8080
70.57.82.196:80
72.214.54.39:80
73.183.131.231:990
78.186.5.109:443
83.222.124.62:8080
85.104.59.244:20
86.98.222.202:443
87.106.139.101:8080
87.106.210.123:80
89.211.201.179:80
94.76.200.114:8080

Epoch 2 - Spam/Stealer C2s


198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080

Current Epoch 2 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

Credits and Notes Section

Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
 
NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1 and Epoch 2?


What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications. 
Epoch 1 is currently the larger of the two botnets(MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more 
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen 
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same 
time period. 
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have a different document creation times and payload quintets than those 
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change very 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Monday's of every week a new set of document download sites and usually templates to accompany them are generated early on 
Monday morning/Sunday night.
- Both Epoch's may share a host for binaries or documents but NEVER the same directory. Eg. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys will change every few months so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this 
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

Community Lists

https://twitter.com/ps66uk/status/1108493157338091521 - @ps66uk
https://pastebin.com/LnZFdMMZ - @ps66uk
https://pastebin.com/LbDWjFe1 - @pollo290987
https://twitter.com/pollo290987/status/1108275340416303104 - @pollo290987
https://pastebin.com/Zan2LMfv - @executemalware
https://otx.alienvault.com/pulse/5c92998f0ec8c62d649fd092/ - @SecSome

Credits

(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, 
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt 

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey , 
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch, @urlscanio
and @Virustotal for providing services/software no charge to this cause!

Daily Log


Today was an interesting day in the land of Emotet. I got 100 or so malspams today with the vast majority being link based. Most of the 
malspam also came after 17:00 EDT also which is interesting to me. 

Almost everything was the SendInc type template this time from E1. I did how ever get a couple PDF attachments that were benign themselves
but led to the download of a malicious javascript file via the typical URI link in the body. These PDFs came attached to the Bank 
account suspended type templates that we have seen before. AKA Your (Chase/Citibank/Bank of America/JPMorgan/Wells Fargo/ETC) account
has been suspended crap. There was also a couple of attached doc file templates and also a half dozen with a strange subject of 
"Commission Claim (Spoofed Full Name), inv226677, Mar 20 2019". I think it may be a bad translation and really means bill or invoice
but what do I know. Beyond this subject, same crap in the body: Hey dummy click here there is something overdue type of stuff.
Here is an example of the body:

________________________
Afternoon,



Based on our records, these March invoices (see attachment) are still outstanding in your account.

http://parbio.es/wp-content/sec.myaccount.send.com/


Thank you,



(Spoofed Full Name)
(bogus phone number)
e-Mail:(Spoofed email address)
___________________________

As you can see the goofy send.com type directory structure is back. Nothing new so far in the regex that was listed before on these.
Other than this the templates were pretty normal and trite. 

The big story is this .JS link download. This was first discovered by @executemalware today in this post here:
https://twitter.com/executemalware/status/1108456115363295234

We were quickly able to confirm this was happening and started to take apart what was going on. @Unixronin noticed the error was
really fake in the text popup box. Therefore I am calling this the JS Fake Error Box template. The javascript itself was pretty much
clear text and not obfuscated for the payloads. The payload quintet URLs were the same as the document type loader before it.
I have the feeling this was a "Test" to see how things would be handled. There was no rehash/hash busting of the .js and it has
been the same hash all of this evening. Detection of this .js is relatively poor on VirusTotal with 9/54 engines detecting it so far:
https://www.virustotal.com/#/file/869f09c1b430433a385b4ec13a90eef4cfe0cba092a46fe71107de2f865bdf0e/detection

It remains to be seen if we will see more .js files going forward or not and they seem to test these every once in awhile. 
At least this time it wasnt directly attached to the email and instantly blocked on 99% of Outlook client mailboxes.

E1 today had a more normal 3 payload sets today. E2 today had only 2 payload sets today if you do not count the .JS as being 
different since they just reused the same payload quintet urls from the document previously released a few hours before.

EXE Rehash is still going nuts and we are seeing new hashes every 5 minutes. Doc hashes are more like 8-10 minutes again, 
with the exception of the .js or .docx "experiments".

C2s changed for E1 but stayed at 50 combos in total. - recorded above (Mostly moved around existing IPs but some new ones)
C2s changed for E2 but stayed at 54 combos in total. - recorded above (Mostly moved around existing IPs but some new ones)

Still same #s of C2 combos today. This is the most stable I have seen the C2 Combo/IP count in a long time.

It looks like both the USA and the EU are now being targeted for malspam as of late. 

Till tomorrow.

Sandbox 03/20/19

(all with fakenet and MITM unless spam/secondary infection)


Epoch 1 C2 run on 2019-03-21 at 02:15 UTC - https://cape.contextis.com/analysis/51697/


Epoch 2 C2 run on 2019-03-21 at 02:15 UTC - https://cape.contextis.com/analysis/51698/