Daily Emotet IoCs and Notes for 05/02/19

Emotet Malware Document links/IOCs for 05/02/19 as of 05/03/19 01:15 EDT

Notes and Credits now at the bottom Follow us on twitter @cryptolaemus1 for more updates.


http://12coach.ro/wp-includes/trust.myacc.docs.net/
http://199.com.vn/wp-includes/0s8rweczh_22mqot8ogd-004539243/
http://acli.org.ar/wp-includes/trust.myaccount.resourses.com/
http://afriplugz.com/cgi-bin/trust.myaccount.send.com/
http://allhealthylifestyles.com/9yng/sec.myacc.docs.com/
http://alliedcontainer-line.com/wp-admin/secure.myacc.resourses.net/
http://altituderh.ma/wp-admin/sec.myaccount.send.biz/
http://aplaque.com/wp-content/verif.accs.resourses.net/
http://arrc.kaist.ac.kr/new_arrc/verif.accounts.docs.com/
http://aseloud.com/wp-includes/sec.myaccount.send.com/
http://asis.co.th/cisco-sg300/verif.myaccount.resourses.com/
http://atakorpub.com/emailing2016/sec.accs.send.biz/
http://atlanticterraces.co.za/cgi-bin/verif.myacc.send.com/
http://autmont.com/vrgyd9u/secure.myacc.resourses.net/
http://aviciena.id/data/verif.myacc.send.biz/
http://bandit.godsshopp.com/wp-admin/secure.accs.docs.net/
http://bardhanassociates.com/wp-admin/secure.accounts.resourses.com/
http://blog.ahlanmagazine.com/vdpj/verif.myacc.resourses.net/
http://blog.amisz.com/wp-admin/verif.accs.docs.com/
http://blog.bookingham.ro/wp-admin/sec.myacc.resourses.com/
http://blog.memareno.ir/ozwh/trust.accounts.docs.biz/
http://blog.moonlightortho.com/wp-includes/sec.accounts.docs.net/
http://blog.refa24.com/TEST777/secure.myaccount.resourses.net/
http://blog.shiwkesh.tk/wp-admin/sec.myaccount.docs.biz/
http://blog.toothlab.org/wp-content/verif.myacc.docs.net/
http://blogvanphongpham.com/wp-content/verif.accounts.send.com/
http://breathtakerstours.com/wp-content/verif.myacc.send.net/
http://capitalmarketsummit.com/old/sec.myaccount.resourses.net/
http://cdaltoebro.com/wp-includes/secure.accs.resourses.net/
http://cisme.in/wp-content/sec.myacc.resourses.com/
http://citralestaripuncak.com/wp-content/trust.myacc.resourses.net/
http://coach.getfit21latino.com/ResourcesPDF/secure.myaccount.send.com/
http://coine2c.com/wp-admin/sec.myaccount.resourses.biz/
http://comfortless-showers.000webhostapp.com/wp-admin/secure.myacc.resourses.biz/
http://corporaciondelsur.com/cgi-bin/verif.myaccount.send.com/
http://craftsvina.com/testgmail/verif.accounts.docs.net/
http://crescentschooljampur.com/wp-admin/verif.myacc.docs.net/
http://currencyexchanger.com.ng/inc/secure.myaccount.send.com/
http://damynghetuanmanh.com/wp-content/sec.myaccount.resourses.biz/
http://danxehoichongnong.com/wp-content/secure.myaccount.docs.net/
http://data.iain-manado.ac.id/wp-content/trust.accs.docs.com/
http://demo.jjmayurved.com/wp-admin/secure.accounts.send.com/
http://despachodeabogadosbou.mx/rrx1/trust.accounts.resourses.net/
http://devoyage.co/walxz/secure.myaccount.docs.com/
http://dieetvoeding.net/wp-content/verif.accs.resourses.biz/
http://dreamsfashion.com.vn/wp-includes/verif.accs.docs.biz/
http://drmarins.com/wp-includes/trust.myaccount.docs.net/
http://dronearound.com.au/2tia/secure.myaccount.resourses.com/
http://eccninc.com/dri-one/trust.myaccount.resourses.com/
http://elenihotel.gr/wp-admin/verif.myacc.send.biz/
http://enhancers.co/abao/sec.myacc.send.net/
http://equip.tokyo/wp-admin/trust.myaccount.docs.biz/
http://exceptionalclean.co.za/p2ih/trust.accounts.send.net/
http://extremesandblasting.ca/wp-content/sec.accounts.docs.biz/
http://fastpacepersonaltraining.com/wp-content/trust.accounts.resourses.biz/
http://feenyks.com/wp-content/verif.accounts.docs.biz/
http://feiqichuli.cc/wp-admin/sec.accounts.docs.biz/
http://finergas.it/wp-content/secure.accs.send.com/
http://fitnessdenofficial.com/wp-content/verif.accounts.docs.com/
http://fitness-equipments.me/wp-admin/trust.myacc.resourses.com/
http://flash.ba/wp-content/trust.accounts.send.biz/
http://freelancerakash.com/yourls/verif.myaccount.docs.net/
http://ftwork.co.uk/old/sec.accounts.resourses.com/
http://fxbot.trade/wp-admin/trust.accounts.resourses.net/
http://geeyun.me/wp-admin/sec.accs.docs.net/
http://georgisil.ro/ltjv/secure.accs.send.net/
http://giambeosausinh.com.vn/wp-admin/secure.myacc.resourses.biz/
http://gianphoihoaphatgroup.com/hbqu/trust.accounts.send.com/
http://ginfoplus.com/wp-admin/trust.accs.resourses.biz/
http://gjtsc.com/wp-content/uploads/sec.accs.docs.com/
http://haisanthuytrieu.com/dgs/secure.myacc.send.net/
http://haisonconsultant.com.vn/wp-content/uploads/verif.myaccount.docs.biz/
http://hannahloweinteriors.com/wp-content/trust.myacc.send.com/
http://hc12366.xyz/wp-content/trust.myacc.resourses.biz/
http://highef.com/css/secure.accounts.docs.net/
http://hocngoaingumienphi.com/wp-admin/trust.accounts.send.biz/
http://hogiatech.com/wp-includes/trust.myacc.resourses.biz/
http://hogiatech.com/wp-includes/verif.myaccount.docs.net/
http://hssco.ir/wordpress/verif.accs.docs.com/
http://hsweert.nl/wp-admin/secure.myacc.docs.net/
http://iberian.media/tmp/trust.accs.send.biz/
http://icobweb.com/upswing/verif.myaccount.send.net/
http://iddeia.org.br/wp-admin/sec.myaccount.resourses.biz/
http://ilhankoc.com/bzgxi/QUDqTuqOEnZ/
http://imagesbrushup.com/zy9j/sec.accounts.docs.com/
http://industriasrofo.com/Connections/sec.accounts.resourses.com/
http://inetpact.com/css/secure.myaccount.send.biz/
http://infoforbiz.ru/assets/trust.myaccount.send.biz/
http://innowat.com/wp-content/themes/trust.myaccount.docs.biz/
http://insolvencyinsider.ca/onra/trust.myaccount.docs.net/
http://in-spe.pl/wp-includes/trust.myacc.docs.com/
http://in-uv.vn/cgi-bin/secure.accs.send.com/
http://istuff.in/heyi/sec.accounts.resourses.com/
http://jati.gov.bd/wp-admin/trust.myacc.resourses.biz/
http://jcci-card.vn/wp-includes/trust.accounts.docs.net/
http://jcwintersconsulting.com/cizx/verif.myacc.docs.biz/
http://jktpage.com/wp-admin/sec.accs.resourses.com/
http://joindarby1.org/oeof/sec.myacc.send.net/
http://jokercorp.com/wp-includes/trust.accounts.send.com/
http://joy.do/wp-admin/secure.myaccount.resourses.net/
http://juiceworld.in/wp-admin/verif.myacc.send.net/
http://juristelektrostal.ru/wp-admin/sec.accounts.send.net/
http://kamir.es/controllers/secure.accounts.send.net/
http://kevs.in/wp-content/uploads/secure.myacc.docs.biz/
http://khwopringtkddojang.com/wp-admin/user/trust.accounts.resourses.biz/
http://klikhbnr.com/wp-content/trust.accounts.docs.com/
http://kreatis.pl/sitefiles/trust.accs.resourses.com/
http://krs-tech.com/wp-admin/sec.myaccount.send.com/
http://lacvietgroup.vn/css/verif.accounts.resourses.net/
http://luxuryestatefinder.com/l9cy/trust.myaccount.send.biz/
http://magikom.kz/blogs/trust.accounts.resourses.biz/
http://maidservicesandiego.net/wp-includes/sec.accs.resourses.net/
http://maxilofacialosorno.cl/carevservice/trust.accounts.send.com/
http://medyalogg.com/wp-content/ai1wm-backups/trust.myacc.resourses.com/
http://mekosoft.vn/wp-content/uploads/sec.myaccount.resourses.com/
http://michalmielniczuk.co.uk/wp-admin/sec.accounts.docs.net/
http://monuahrafurniture.xyz/wp-admin/sec.myacc.docs.biz/
http://muzey.com.ua/wp-content/verif.myaccount.docs.net/
http://mytradingrobotforex.com/wp-content/sec.myaccount.docs.net/
http://nagajitu.net/wp-admin/trust.accs.send.com/
http://nainai.lt/wp-content/verif.myacc.resourses.biz/
http://newlitbits.ca/cgi-bin/verif.accounts.docs.biz/
http://nissanlaocai.com.vn/wp-content/secure.accounts.resourses.net/
http://noithat-fami.com.vn/om8n/sec.accs.resourses.net/
http://noithatgothanhdat.com.vn/wp-includes/sec.accs.send.net/
http://numberonefile.co.za/wp-admin/secure.myaccount.docs.net/
http://nutriexperience.org/cgi-bin/verif.myaccount.docs.net/
http://observatoriodagastronomia.com.br/wp-admin/sec.myacc.send.com/
http://oneconnectacademy.org/wp-admin/verif.accounts.resourses.com/
http://ottawaminorhockey.com/vurv/secure.accounts.docs.net/
http://ozganyapi.com/wordpress/secure.myaccount.docs.com/
http://pcccthudo.vn/wp-content/uploads/2019/03/sec.myacc.docs.net/
http://performancevitality.net/partner/verif.myacc.docs.biz/
http://perrysignslondon.co.uk/wp-includes/secure.accs.docs.net/
http://petnaestrada.com.br/cgi-bin/verif.accs.send.net/
http://pinarchitektur.online/wp-admin/trust.accounts.send.com/
http://pinpointtracker.net/wp-admin/secure.myaccount.docs.com/
http://pp.hotel-le-verdon.fr/wp-admin/trust.accs.send.com/
http://programmernusantara.com/wp-includes/sec.accs.resourses.net/
http://projektszkoleniowy.pl/wp-snapshots/secure.accs.send.net/
http://psychiatrydrugs.com/wp-includes/verif.accounts.resourses.com/
http://puneetdba.com/wp-content/uploads/2019/secure.myacc.resourses.net/
http://quantrixglobalservicesltd.com/wp-content/secure.myaccount.docs.biz/
http://rajasthanrajput.com/wp-content/verif.myacc.resourses.biz/
http://resourcesyndicate.com/resynd/sec.accounts.send.net/
http://revestimientosmac.com/m6y0/sec.myacc.resourses.com/
http://reviewhangnhat.info/wp-content/secure.accounts.resourses.com/
http://rezepte-gesundes.com/wp-admin/verif.accounts.send.com/
http://romanemperorsroute.org/wp-content/trust.accs.resourses.com/
http://school118.uz/wp-admin/sec.myaccount.resourses.biz/
http://senturklerforklift.com/wp-content/sec.accs.resourses.com/
http://shanghaitravel.live/cgi-bin/verif.accs.resourses.com/
http://simcom.ir/wwpq/sec.accs.send.net/
http://smithsvineyard.com.au/wp-admin/trust.accs.docs.com/
http://sonaudio.com/wp-admin/verif.accounts.send.biz/
http://songdung.vn/4d4ixle/trust.accs.resourses.biz/
http://sonnenblumenpellets.de/wordpress/trust.myaccount.send.net/
http://sooq.tn/g435goi/sec.myacc.send.biz/
http://spnewsthailand.net/wp-content/uploads/trust.accs.send.net/
http://spyguys.net/cgi-bin/sec.accounts.docs.biz/
http://stoneprojects.com.au/wp-admin/secure.accounts.resourses.com/
http://strategicseminars.be/qsql/secure.myacc.resourses.biz/
http://sukienthienduc.com/bga8/sec.myacc.resourses.biz/
http://summithealthandsafety.com/wp-includes/verif.accs.send.com/
http://tallerespeligros.com/un4w/verif.accs.docs.biz/
http://teiamais.pt/wp-admin/secure.accs.docs.biz/
http://test.cablemar.es/ixuw/verif.accs.resourses.com/
http://test.hotel-zulawy.com.pl/wp-includes/trust.myaccount.resourses.biz/
http://test.ruiland.com.mx/wp-content/verif.accs.send.biz/
http://thaiwoodproduct.com/secureservices/secure.accounts.resourses.com/
http://thedatingadvice.com/aust/verif.accounts.resourses.net/
http://tourbromomalang.com/wp-content/sec.myaccount.docs.net/
http://traveltoursmachupicchuperu.com/wp-content/secure.myaccount.resourses.net/
http://ttytnguhanhson.danang.vn/wp-includes/verif.myaccount.docs.com/
http://tusoportunidadeshoy.com/njd4/trust.accs.send.net/
http://tvportaldabahia.com/5isi/secure.myacc.send.com/
http://ulco.tv/1v7wu20/secure.accs.resourses.biz/
http://unitedworks.info/test/sec.myaccount.resourses.net/
http://vivafoodsdelivery.com/wp-includes/verif.myacc.resourses.com/
http://vivekmanandhar.com.np/wp-admin/sec.accs.resourses.biz/
http://woodic.cl/kfvd/sec.accounts.docs.net/
http://www.aim.co.tz/6lk9csp/trust.accounts.docs.net/
http://www.dktepdvpiti.com/tardal/trust.myacc.resourses.net/
http://www.inetpact.com/css/secure.myaccount.send.biz/
http://www.pomohouse.com/wp-content/verif.myacc.resourses.biz/
http://www.unborncreations.com/wp-admin/secure.myacc.send.biz/
http://xn----8sbabmdgae0av6czacej5c.xn--90ais/test/secure.accs.docs.biz/
http://youngwivesclub.co.za/wp-admin/secure.myacc.resourses.net/
http://yourbikinifigure.com/cgi-bin/secure.myaccount.resourses.net/
http://yourmobilespa.co.za/wp-admin/verif.accounts.docs.biz/
http://zemlakdrillinginc.ca/wp-admin/secure.myacc.resourses.net/
https://000359.xyz/wp-content/trust.accounts.docs.biz/
https://abafer.com.br/ekmr/sec.accounts.resourses.biz/
https://acquaplay.com.br/a/verif.accounts.resourses.com/
https://blog.bestcs.in/avhs/sec.myaccount.resourses.net/
https://blog.daxiaogan.ren/wp-admin/verif.accounts.resourses.net/
https://coach.getfit21latino.com/ResourcesPDF/secure.myaccount.send.com/
https://donations.mogpa.org/wp-admin/verif.myacc.resourses.net/
https://dp5a.surabaya.go.id/wp-content/verif.myacc.send.biz/
https://drtapaswinipradhan.com/wp-admin/secure.accounts.send.biz/
https://enpress-publisher.com/wp-admin/trust.myaccount.send.biz/
https://fmstudio.cz/wp-includes/sec.myaccount.resourses.net/
https://franosbarbershop.com/wp-content/verif.accs.send.com/
https://frequenciesoffreedom.com/wp-admin/secure.myaccount.send.net/
https://happyroad.vn/wp-admin/secure.myaccount.docs.biz/
https://inam-o.com/old/secure.accs.send.biz/
https://insolvencyinsider.ca/onra/trust.myaccount.docs.net/
https://jcci-card.vn/wp-includes/trust.accounts.docs.net/
https://jinkousiba-hikaku.com/wp-content/verif.accs.send.biz/
https://kreatis.pl/sitefiles/trust.accs.resourses.com/
https://lucky119.com/wzzeb/trust.myaccount.docs.biz/
https://noithatvanphongdanang.vn/wp-admin/trust.accounts.docs.net/
https://noyieweb.jp/images/secure.accs.send.net/
https://numberonefile.co.za/wp-admin/secure.myaccount.docs.net/
https://orionsexshop.com.br/wp-includes/trust.accounts.send.net/
https://ouropretocultural.com.br/pdf_espanhol/secure.accounts.send.net/
https://pinpointtracker.net/wp-admin/secure.myaccount.docs.com/
https://pizzabro.de/wp-content/secure.accounts.send.biz/
https://sampoernagroups.com/zohoverify/sec.accounts.send.com/
https://servyouth.org/wp-includes/trust.myaccount.resourses.net/
https://thebusinessmonk.live/custom-files/secure.accs.send.net/
https://thedatingadvice.com/aust/verif.accounts.resourses.net/
https://tiendacalypso.co/wp-admin/sec.accs.send.net/
https://vitasupermin.vn/wp-includes/verif.accs.resourses.net/
https://vivekmanandhar.com.np/wp-admin/sec.accs.resourses.biz/
https://www.cxta.com/ynibgkd65jf/secure.myaccount.docs.biz/
https://www.festapizza.it/wp-content/uploads/verif.myacc.docs.com/
https://www.jiajialw.com/membt/secure.accs.send.biz/
https://www.salondivin.ro/tur-virtual/sec.myacc.resourses.com/


/
http://192.144.136.174/wp-content/INC/LYcsWaUII/
http://4gstartup.com/wp-content/LLC/COfrmugcpIOEYNkHlXQKX/
http://5151c.cn/wp-admin/Pages/pwy9qlm7grbyr7j5t97oglxntvgg_hsh1799t-646996337353919/
http://9933.az/wp-content/LLC/6ph2d3hy9cxmypxhxaq3n3mmln_nq505ig9cf-284464809/
http://academic.ie/error/Scan/8ygdtxqmxnx0i6f343n4g1dxmk98_easz9a21i5-90983660/
http://ackosice.sk/wp-content/Pages/mz9baiazvn3un5e31dp9_rll1kx8-43767854460/
http://aesthetix.in/wp-admin/nnrgw8179ka7yzgt799nydbsechs5g_w485mw-9039736828/
http://akeswari.org/wp-includes/Scan/NRgtuE0DmxEc/
http://aksesbelajar.com/1rfq/5d0ivvw5cxhwhjj92jp_2o21aw-38711891620037/
http://americanpatriotlife.com/wp-content/PcSeumASzkBIpvfvJPBbFENgjKedWC/
http://anneko.co/wp-content/uploads/Scan/ZwJlWZLCLlq/
http://anshibalapan.kz/rlidgds/FILE/zq2t9qxei8aokhrnos5ugex0ul03_wc2fydnea-13642553156/
http://arcoelectric-idaho.com/wp-content/sites/hwhsaMJvOjoVHUbjBSTh/
http://b4events.it/ggrmwpx/jfIvRPxgMES/
http://banhtrangtayninhngon.vn/g6ce/esp/kvmtedfro5tcxbah0yz5aj3b_n6x9a4-5841358650/
http://bbctechnologiesllc.com/c2cs/INC/qbcz32xu92x00rsqlhz_pd00v0m-41136552480655/
http://bdsdalat.vn/cgi-bin/INC/bos9lxzna29lsyi1clme6se05_vnwyihpt-647885291573/
http://bejix.cn/wp-content/DOC/wu7vi5ys8i4ihf0ym_rrfprb-421640917/
http://bestflexiblesolarpanels.com/local/INC/ZROPVyXnFTicrXwGFOQ/
http://bkdd.enrekangkab.go.id/awstats-icon/INC/2ijymn26v7uarffbkd6lx_u0p6k569-27092581718/
http://blog.connect2school.com/WP2/fnWxFaKQCypWZiiVriyZFlgo/
http://blog.kingtelecom.com.br/wp-content/3j57y6gnx6_v785i0xb-4191312943/
http://blog.mazaka.eu/wp-admin/DOC/pzxoo2uy_knpm5u9ru-74491240662868/
http://blog.sabkishop.in/iwnq/LLC/xd00pw1f9ic_gy3cvmy-486221392/
http://blog.s-se.ru/wp-content/paclm/zkovy02nnutr0jjeg_6sai3a2wd-885879232997/
http://blog.steadfast-inc.com/wp-content/plugins/wf03fx7w6uv_lfhqooa56u-248047369/
http://blog.taxmann.com/wp-content/INC/kDSvKbPatSbXtqkFmEZqw/
http://blog.winburnrc.com/uploads/aalkowg7imwmxydqi_irzxw2-61291258298548/
http://blogs.ct.utfpr.edu.br/direc/kScyjjaDwMkMIvbnmGA/
http://blogsuelenalves.com.br/wp-content/FILE/rfruTfMTupjpqkwEIarWLv/
http://blueombrehairstyle.site/wp-admin/WTwFtrmTPyVSnESPjOoYOLtaIc/
http://bodycoat.in/wp-content/FILE/lHHnjYARzarrfJOaUUVxjqdiHI/
http://booyamedia.com/img/FILE/o3996ZMupUjV/
http://brikhotsoattorneys.co.za/wp-admin/Scan/ae6ppq9o2sz_yrsmo-7414038499081/
http://c919.ltd/wp-includes/js/tinymce/FILE/b7x4qk9djlfmhbgm4baqtmecxqrbi_y1gar1k8o-844248121/
http://cbl-mmg.com/fkya/paclm/rPIDBOQIFfWncWKfyrUcPKM/
http://coachbagsoutletfactory.net/wp-content/INC/hQYoIbbJjQkUUcrsCHE/
http://colormerun.vn/wp-admin/Pages/vumsbdgcjm17n8qtawde80lovhz_hd2dq07-777785434129/
http://community.diygeeks.org/wp-content/Scan/it53y8s7pkaizwi86h_aodr24-4164303803/
http://conceptcleaningroup.co.uk/wp-admin/RxvHrSdGSlfoZqOKGnON/
http://coralseasanibel.com/wp/Document/PTzybdTcbIDXQDtyHg/
http://corehealingmassage.com/wp-admin/TwhjPoZom/
http://courtesycarrentalbvi.com/wp-admin/LLC/gfewDoDPvGVWBfuzCjHhrBGjKgbPU/
http://dcfit.co.zw/cgi-bin/esp/sofkjyvvbmigfzj6xr5m3vfm6q2_fxofwekbl0-9953622915/
http://demirendustriyel.com.tr/wp-includes/LLC/8hrd0iaxtfca_drf3g-28237112672512/
http://dereza.by/thw4fgg/nmmbf-0hwiou-ziwmln/
http://dereza.by/thw4fgg/paclm/mgakkFzHUVVQWBQsMYqfeB/
http://detmaylinhphuong.vn/wp-includes/fonts/INC/6yh3xdsw_6902e0q7uk-20835125/
http://dinofils.com/wp-admin/7f53kw0suia3ty6mepq0nk5vqgpro_cspbx-45988021188/
http://dotnetdays.ro/cgi-bin/INC/73s559zuqod8z_g39odrkgg6-58079281636/
http://drkamalsgroup.com/wp-content/uploads/2019/04/IjEzvbBVv/
http://ecocleenfranchise.co.uk/widenationaimages/parts_service/ymFlZGNrUVVVpJoqnDlbYgt/
http://ecominser.cl/k2rojqs/WibouBpB/
http://economywindowcleaner.com/wp-content/LLC/xsk5ok6vtaggflyxax99dxlatptel_ubtjmzrld0-590157321/
http://ejder.com.tr/iuLYqpe6E/Document/skMwrTWsxo/
http://elitetransmission.fr/wp-content/Pages/ttrgxyacs2qcnklru_0jk32o4w-47168856156/
http://elokshinproperty.co.za/jtau/paclm/8ouar200imvhee4iy_f85p9l0e-62227938/
http://emersonprojects.com.au/wp-content/mndp3n5ia73am8h1_y58xx-933473224457830/
http://emgi.com.br/qcf7/paclm/ik6esrg52s7mo0oab5u847b_wa5y5dse-5036135867/
http://epsarp.com/wp-content/sites/bHgZrPCbDbqAlDAYdnJSk/
http://eqbryum.ml/wp-admin/Pages/r55lwa7xff7muytssw1pc_i4a8w44at-785512967/
http://equintl.com/wp-admin/DOC/uGroXsNXLXAMptvBvNAlhAmiehXUc/
http://equipares.org/site/wp-content/uploads/2018/agvlv16v64t0_44u9e0cr-5813176666637/
http://euwinecn.com/aa/hNDAhgQcvlTRtnJFxTNU/
http://ewomg.com/blogs/DOC/QHpryPqastqd/
http://fasian.com.vn/wp-includes/l7qivj8vt61s_a54c4ub2do-507402877790120/
http://febsmarketingnetwork.com/wp-admin/sites/mttnpZsVcwT/
http://ferrywala.xyz/wp-content/INC/w26vor8fa_1zlu05-559390994/
http://fitelementsfargo.com/wp-content/themes/gpukJrTUc/
http://forumbolaindonesia.com/wp-admin/Document/qvkndbamk21wwyjigi_048gkx5-5506768399/
http://fotobot.ir/wp-admin/sites/kkeb60wfibwst8utsbrquceq6gkh_or0pbfdl1c-754853850161/
http://galtest2.lansystems.it/old_bad/wp-content/languages/files_mf/Pages/rgaWNAUKI/
http://garden-solutions.co.za/wp-admin/DOC/irln2kvzv7yt0861rcrydr6lx_bz4tu5w-44510095419116/
http://gasdetector.dlvcorp.com/kosk/LLC/ODzDoYvGPJIESoSrUinLncHjfhAzHF/
http://gem-st.com/wp-content/parts_service/YReZAzpfGeeCSDdJLNGzN/
http://genercom.co/wp-includes/paclm/zJVaosialBsMME/
http://giambeo2.ballybeauty.vn/wp-content/ol0x41uj8rswaoo8j8p2ot13rm8_v2gf16-581586352038/
http://giambeosausinh.com.vn/wp-admin/q7hkjz-o7bnek5-hvgj/
http://gkmsm.ru/abuebz0/Pages/sedHliEaUfqrmTGVfmUvIYukOMQ/
http://globalautosaleslanka.com/demo/eyefyyXO/
http://globalmanagement-ks.com/icon/Scan/9uu9lvymdfla7abw2_t45a9-6549953609441/
http://gn52.cn/css/Pages/CmUzPDxvmcX/
http://goldflake.co/wp-content/DOC/gKdReBNPojKyHuBMuwejXE/
http://grandview-property.biz/wp-includes/FILE/CNHVOwKibgeaSNdRUsduFcTEDhlD/
http://grinai.com/web/iiz36l9bg_s0qjcz-661523208732/
http://gshcenter.com/wp-includes/INC/9o00dwr7_7bqcxz-902762918614/
http://gwangjuhotels.kr/wp-content/themes/INC/zi10oh8x17sow03sjd0gmkhwe73ie9_erzxfxy-08010765900018/
http://gyanenglishacademy.com/qzdz/JgeofgzEkrEOJ/
http://hadimkoygunlukdaire.com/wp-admin/LLC/a91wy7mq9qjman84_wbmw5h-5132787275214/
http://healthyruns.com/mb0b/Pages/4fe72wms5jwjy4xmd17crc3tqy_0ohwtx3by6-52970741/
http://hniold.mageexperts.com/html/parts_service/vpnfoa7tgl_qbrtpv45hf-64095293/
http://hr24.com.ua/saeu/DOC/gbbVNHvZlEDKZnqyNvimmS/
http://hubrisia.com/wp-content/uploads/DOC/YkEbhBHCuzUtrv/
http://humandevelopmentmag.org/cgi-bin/Pages/tomamkpzkwed8lahovafiih_0tt6gowlu-10562221070/
http://iimmpune.in/wp-admin/paclm/ufsi70uv65ehpl0fbmw7wgbgqemr5f_k46l8nl9t-02473911646814/
http://imboni.org/wp-includes/INC/fghz3tbu33yn_k66ebx-54661321/
http://inbudget.pk/cgi-bin/8y4owvesd9adv1lndmyvc_ow5s4u5-86373036587784/
http://inoffice.lt/wp-admin/lm/mYoJqtZkiHbtYOqwpWOTJhgjtb/
http://inpolpe.com/stock/Document/ofu14i5Xo/
http://insideoutservicessouthflorida.000webhostapp.com/wp-admin/fFHxSlaakMvhveUIioZauxXt/
http://ioszm.com/wp-content/VKvRtbEjecrTUWtZwLJPTASMB/
http://isais.or.id/wp-includes/LLC/49cbxeqakcy5shwwg27m_efdkv6ht-7871582409411/
http://isesyoyu.jp/about/LLC/mZ1wF5rYnD/
http://itai-ziv.com/wp-content/LLC/0Oq6cCbn4499/
http://jeannegh.com/wp-content/LLC/OyNxaZXYyhUYuomVB/
http://jivine.com/sechdule_css/Document/zveixqtll5o1qxlkdlkwwxt9_z2kzj-39972165/
http://jjescadasorocaba.com.br/cy3l/DOC/XvXcaodnCAhcgnSOM/
http://joelscoolstuff.000webhostapp.com/wp-admin/INC/z6ayxgq90dnienk_cd4ob-621061856/
http://joepackard.com/_vti_cnf/Scan/KeKA6fVN/
http://jsantunes.pt/wp-content/uBmDOLnXXjORmjqjFQO/
http://jvmahlow.de/wp-admin/Scan/td8nxrcnc9ntmco49_615sw-577633401958136/
http://kashmirrajitravels.com/inslawnetwork.com/DOC/RsrqryjkpcTNCjW/
http://kautilyaacademy.ooo/wp-includes/Pages/VxCgAezOEYFOJjATKjs/
http://kidscountnebraska.com/wp-content/Pages/cuxkCsUZPHPJygMchNn/
http://kitaooji-kinseiin.jp/wp-content/tdns46unnon8jp2d1kz5y6d2ms_zzcxt56kd-15051739986/
http://labpolimeros.eng.ufmg.br/wp-content/languages/Scan/otFLJySrnIhKGIkcldvDG/
http://lejintian.cn/wp-admin/lm/CUBhsurjIYlmEDiyUA/
http://leofy.in/gelp/Document/ec8q7ph1xjushb36_qsj7y7hhm-550883703428/
http://likenow.tv/wp-admin/Scan/8enhnhzil6srybsha7hds_7vmf6eni-6977368107404/
http://listings.virtuance.com/wp-admin/jlrubop9_zkct0-800845530/
http://lookingupproductions.com/wp-includes/INC/9r9hhHW8ClD2/
http://luanhaxa.vn/sqeh/lm/xyrrhdcyuk_qyirb-35314660/
http://lunchenopdemarkt.nl/wp-admin/1gx9f4i18sbtpgnay6_pzk58cuf-16086185627/
http://marinapuertocancun.com/oxbs/Document/or8qjmvo4enscx9g7u_yx35q4z999-77184234256576/
http://maxgroup.vn/__MACOSX/DOC/4duyq5gmcuu375q2589qi8k0i3k4h1_cgufr5-8018679562762/
http://mediaworldindia.com/yb5u/Pages/rgjwca60yjh_5br5da-48500802082/
http://mickreevesmodels.co.uk/micks_chat/FILE/UAduuYQEihX/
http://mindscom-learning.com/tadart/lm/xLBIADVVRoM/
http://mobilabmb.ro/wp-admin/Scan/aOeoCGqCk/
http://mountmice.com/wp-admin/includes/FILE/zKt47WG7/
http://mountmice.com/wp-admin/includes/FILE/zKt47WG7//
http://newlaw.vn/wp-content/efvlskulqypsl2nd4orzyvhl48g_329lp0eh4n-698685444/
http://nisi-web.threeon.io/db_dumps/FILE/ebk0cs8q4rkl0p40l_xgwtjp-892746124109/
http://noithat-fami.com.vn/om8n/DrTYRsrUBPflQwsmsHtZHjjfH/
http://noithatmodernhome.com.vn/wp-includes/FILE/8ki8brhz6a_l02dj34g37-67868487985325/
http://noticiashoje.online/wp-admin/1zg41spy6werdeneaq171gwp_cztmh-387974113007906/
http://notspam.ml/wp-admin/Pages/espLunAjWsTlpVEPozgWEc/
http://nurai-balabagsha.kz/blogs/Scan/thTxiTOGduWJiqhGjtazjsYswMRxs/
http://oldays.tk/wp-admin/NrZonfrDZuhzrZPxJEtA/
http://oliveiraesouza.adv.br/wp-admin/StaaBYzcwaSzfcfvYaioiZ/
http://onlineschool.center/wp-admin/Document/yGCsJSbouQBN/
http://onvacationbolivia.com/wp-content/Document/xyff3cuhe6mq9g65v1zo_5tcb1cxnk-0364266887510/
http://opportunity.aiesec.hk/wp-admin/lm/TpSDwXjG/
http://optimasiinstagram.com/wp-content/sites/XtGYgwXkDjyUngdjccbuyCzOaj/
http://organicsoilnaturals.com/cgi-bin/CDkPCakisBYsrrtMdQ/
http://ortopediuzmanlari.com/wp-content/nlew5xtyg8tgoo4_0ha8i3tr-46738080/
http://oushode.com/wp-includes/p52qit8igtsbl1iu11q5x9og_ngj2jtxgt-26697814/
http://oyunlist.com/wp-includes/FILE/E0dQF3BrjsK6/
http://painterzindubai.com/cgi-bin/lm/UAebSiKTegqLVzjfz/
http://palmiyetohumculuk.com.tr/ac/FILE/cx381gq8uamy_w639rrebp-0084802356989/
http://paulstechnologies.co.in/wp-content/whv1j27989t1wgoxk6l4d98mkpx_9dw1ti50-762822895267/
http://pawn-stars-shop-uk.com/njvs/sites/YInRYQRoca/
http://perkim.bondowosokab.go.id/wp-includes/Pages/jyatnkrij4q4zawhbxf9cj23fq6e1s_tf6ku1s16-697389466881345/
http://phoneringtones.info/wp-content/uploads/qx93_k68trw3j-15334/
http://photo-midorikawa.info/blogs/NehDOtipfblhIrbhQaKqHjGWxsa/
http://phukienlucky.com.vn/wp-admin/lm/i5ht3uo4i6dh_stnro248-12071005/
http://piegg.com/wp-content/77wszn7k8xpxs_97swpij7dc-39610063200/
http://pindekoration.online/wp-admin/FHEtHBRYvLndohrusbKOWs/
http://pippisvillavillekula.com/wp-content/Document/v5ds4g78blp6omprrtsk7idnink8no_mbvx3ng-74129967/
http://pontesgestal.sp.leg.br/antigo/DOC/JhfJgoVQyaWOHkaP/
http://pr.finet.hk/wp-content/uploads/lm/tJqbOIzpNnAojYjKfZZTHURdjYo/
http://pryscillabarroso.com/wp-admin/paclm/vqjl1ioxg39a6blblyirkq_cxfhick-442732817/
http://radiodetali-skupka.ru/test/NvsyvArgbUg/
http://rajachomesolutions.com/wp-includes/WCFVkOrSYEDRATDAUkVq/
http://risefurniture.com.tw/wp-admin/Pages/iJffXGPsBTfSbUPgvzxvOEsGtirG/
http://riverviewtaxcpa.com/uaoa/parts_service/zwbmrt1q2x58yuo_8b3j4-28129348/
http://rongsunxanh.com/wp-snapshots/parts_service/vwncn2bwcs0q3i_a0i19md7-2717020378875/
http://safesalesnembutal.com/dgbx/paclm/vxa4bpqvkpjcosnazgotks88a_yi3g70tt-384757861/
http://samcloud.spacialdev.com/wp-includes/INC/FhWddbcmDtUNHeeTNOUrBvsB/
http://sciencequipments.com/wp-includes/Scan/opJSwsBiMWVgvdWnArGVo/
http://scrawk.tusarranjan.com/cgi-bin/eaa21pta22pr6iykyyees_lbpo77dbp-41382782/
http://sdn36pekanbaru.sch.id/wp-includes/17hw-m4u9z-wyqfnf/
http://seashorelogistics.com/wp-includes/paclm/nq69a2c65h1fypr61_04awey6h9s-343465956/
http://sekerlerotoekspertiz.com/wp-admin/lm/djbeximl_b6ijux6-508278719010361/
http://seniorbudgetsaver.com/html/Pages/d23s9qtqxm2fadyv_unfiuqoma9-551449315/
http://shahrubanu.com/fkix/427zyjgqewhxzauclqwgpo9qe7icwp_qvp9i63-13273134/
http://srishti.saintgits.org/2017test/igyu321k9z7paz475xx_3u8wakyj-2226599603/
http://stalwartint.com/wp-includes/oxgzjt-7p3n1xy-tuwxltk/
http://static.solidbasewebschool.nl/zqs4/CDxNhHZgvvweaSyYM/
http://stlouiskitchendesign.xyz/wp-admin/paclm/iBJyRZwYcdJBHeTeZgKMXiNYmiJkGL/
http://stylmusique-dance.fr/wp-admin/Scan/gc02l101qcp0fb3crq_t59tqt2lt-359499060193581/
http://suckhoechonang.online/wp-admin/esp/1x0unvft2qaoi5ifkbs_omcsx43rat-0154653460/
http://sulfurvacations.com/crdservices/6g9j4aud1mkkl99ijuv3sbeq_t91rmyji7-08924296/
http://sunrayindustries.in/wp-content/uploads/lLnphTVtuoqRO/
http://support.forumias.com/wp-content/uploads/parts_service/wmXAenxRqOIJhc/
http://t3-thanglongcapital.top/wordpress/parts_service/rpPyyYVy/
http://tbwysx.cn/tools/6svcddg4f1fs70445xempwv3nlj_kf2cjdix8-32340747881580/
http://technologyaroundu.com/wp-admin/LLC/8zucy2lyrgaao9kx2ptuw_adwlfe94-302815615289/
http://tempatkebaikan.org/wp-content/FILE/FILE/7fHC23c2p5/
http://terminalsystems.eu/css/INC/wsaaMiF87o/
http://thejewelparadise.com/wp-admin/Document/xtHPDkvQRJcQCyBYoCN/
http://thientinmenshirt.com/anx/lm/vcAfPBOEqhcwUUpnETk/
http://thomashd.vn/wlztvi4/Pages/hSqJaRvn/
http://thucphamvandong.com/wp-admin/INC/4zxy6wohuy5oi56vuk_geba0-87278418202/
http://thuexemaydonghoi.com/wp-includes/DOC/UjThFKnWkCpRvnwhiaFslaBEIji/
http://tipa.asia/wp-includes/sites/134r5p8kj8a3lriryjrq_g3tkvxrb-2655475700978/
http://titancctv.com/img/f3q561kb_4hz9e-274656581165/
http://trangsucnhatlong.com/cgi-bin/lm/KRpYktxNuJSE/
http://tuankietkhang.com.vn/wp-admin/DOC/SRPTReQwAhQlUwuIOAJqFGAGXH/
http://tvportaldabahia.com.br/wp-includes/lm/gzzz5mmk7azg5588ps_7f3s67y-35513447950/
http://uberveiculos.com.br/wp-includes/6b2hgaij5nwk4jyksy7l_zftgygk-538562898836565/
http://uckardeslerhurda.com/5ala/DOC/OyMKYkpOuU/
http://ukdn.com/TempHold/esp/yQKTGLOKeWoZVhRHUpPRSxFsROHXB/
http://urbix.com.mx/phpmyadmin/SDnjSGLMoQfmJDRodqqZx/
http://urfaprojeofisi.gov.tr/wordpress/esp/QTRDDjhcHyypwHPSoyAbNFEOHXg/
http://valleyonlineshop.com/91/paclm/b3uk5rgs9a6ocnatocfy4dhd7kr83e_doib81a4o-79134162245067/
http://veatchcommercial.com/wp-content/Document/6cvgndodepzh2ylq_uei79m76-80083264081347/
http://veteransdisabilityinsuranceattorney.com/wp-admin/e6u3tl33f_srobva2p-05883247/
http://vic-cash4cars.com.au/wp-content/LLC/h9srpbxwz74iswwspuxgg3nqbt6ixz_c4ad5-20336652544/
http://viettrungkhaison.com/wp-admin/esp/kcRZGnoGRmZyWSzIXtxZoxDxIRYO/
http://visiondivers.com.au/cgi-bin/Scan/0kqbwuqg45c61i7_26k6nw-26176637028/
http://vivredeprinceintlschools.com/wp-content/DOC/pWGSuPqizJglmA/
http://voyage.co.ua/mailsend/Pages/jk5dyxkd0cb0jh8jy_lbnqgf-33112876/
http://vps1.globalintvps.net.in/wp-admin/GocJEAVdXe/
http://wave.ternclinic.co.il/wp-admin/5hrw1b7upoo_nmmwh5rr-60403298334/
http://wellmd.com/wp-admin/SJSYwQyghaqk/
http://westerndesertmob.com.au/blogs/parts_service/qPpYQXHxJa/
http://weterynarzpodlesny.pl/wp-admin/wMlWHKqHiilPWIYja/
http://wigginit.net/wp-includes/zx8r3i7y_ehwsl-588034380/
http://willandskillenablement.com/wordpress/parts_service/4j4lev0dai5t3wwcwxey0r3sne9n_uz0btl7-4518299129/
http://wisconsindellsumc.org/psnlo/lm/rUIpaWVqZ/
http://www.bimeparsian.com/jz/esp/dccKaumjHEDnzyzm/
http://www.dryvisionbasaksehir.com/phpsite/lm/GWAAZrrmocMLM/
http://www.economywindowcleaner.com/wp-content/LLC/xsk5ok6vtaggflyxax99dxlatptel_ubtjmzrld0-590157321/
http://www.rosenfeldcapital.com/claimnote/Document/m1n7kgnpx_od7e07kh-4148993504643/
http://www.steuerberaterin-vellmann.de/blog/wp-content/zYNaHPdFRXPFScDLeolQGyEmflqIjn/
http://www.tpc.hu/arlista/INC/zc8e7mbnfbyibeil6cpr40t2_egfrju-908915343535148/
http://xn--altnoran-vkb.com.tr/cgi-bin/Document/bHKDPmjljGCAXxkNlDe/
http://zerotosix.com/xclrqe/FILE/TkaQWUDxqVrFOGVxEwe/
https://5151c.cn/wp-admin/Pages/pwy9qlm7grbyr7j5t97oglxntvgg_hsh1799t-646996337353919/
https://arcoelectric-idaho.com/wp-content/sites/hwhsaMJvOjoVHUbjBSTh/
https://blog.thaicarecloud.org/wp-content/esp/pVbpncDCtzkAknbFKdy/
https://chunbuzx.com/wp-includes/LLC/PblfqESdvw/
https://coachbagsoutletfactory.net/wp-content/INC/hQYoIbbJjQkUUcrsCHE/
https://curmudgeonintransit.com/f9fm/DOC/fj19qanep33_msiv6q-949526099/
https://dec-u-out.com/wwvvv/LLC/M3NcmSPRY/
https://demoo.tk/store/tvrx2le53p2ph_63qresymi-20666281672606/
https://diaocancu.vn/diaocancu.vn/lm/BuuZMQGIlmaNGE/
https://diversitymbamagazine.com/wp-includes/LLC/FczZHqnLBvCbrbhATryXlijvhHdb/
https://elitetransmission.fr/wp-content/Pages/ttrgxyacs2qcnklru_0jk32o4w-47168856156/
https://eqbryum.ml/wp-admin/Pages/r55lwa7xff7muytssw1pc_i4a8w44at-785512967/
https://escolabarretodejiujitsu.com.br/v5bd/FILE/wt8rnjq52zjgsk143k0mriprv5z_sl6ui62cg-0835748684/
https://everydaygoodforyou.com/wp-content/Scan/GYRHKcxXuFvyRDf/
https://fitelementsfargo.com/wp-content/themes/gpukJrTUc/
https://fleurycoworking.com.br/6v6s/ts6ufepur7u0c_u6k2n1p-038515080596/
https://fotobot.ir/wp-admin/sites/kkeb60wfibwst8utsbrquceq6gkh_or0pbfdl1c-754853850161/
https://grinai.com/web/iiz36l9bg_s0qjcz-661523208732/
https://hadimkoygunlukdaire.com/wp-admin/LLC/a91wy7mq9qjman84_wbmw5h-5132787275214/
https://hubrisia.com/wp-content/uploads/DOC/YkEbhBHCuzUtrv/
https://jvmahlow.de/wp-admin/Scan/td8nxrcnc9ntmco49_615sw-577633401958136/
https://kidscountnebraska.com/wp-content/Pages/cuxkCsUZPHPJygMchNn/
https://kozjak50.com/pmdi/FILE/mYy29bTJ/
https://listings.virtuance.com/wp-admin/jlrubop9_zkct0-800845530/
https://luanhaxa.vn/sqeh/lm/xyrrhdcyuk_qyirb-35314660/
https://marketingunitech.com/wp-admin/esp/GQQvAUKZwvcNsZOuiZpUx/
https://maxgroup.vn/__MACOSX/DOC/4duyq5gmcuu375q2589qi8k0i3k4h1_cgufr5-8018679562762/
https://neweducationsite.com/cgi-bin/LUYvJWOQElixOte/
https://noticiashoje.online/wp-admin/1zg41spy6werdeneaq171gwp_cztmh-387974113007906/
https://notspam.ml/wp-admin/Pages/espLunAjWsTlpVEPozgWEc/
https://panelli.kz/wp-admin/Pages/mAWlGWHyssWkIOHAGPaaxNQNzRDSP/
https://piegg.com/wp-content/77wszn7k8xpxs_97swpij7dc-39610063200/
https://salondivin.ro/tur-virtual/1hygpz-b5ex7rp-uwhljmi/
https://servyouth.org/wp-includes/udda-e1pdc-wern/
https://studioeightsocial.com/adwt/Document/vd71k4ua_fwk0gp-742999824629/
https://tatsuo.io/uw0ldzo/FILE/bp92oyylmkllrs_cmtmevs-5106762849/
https://thanhdattourist.com/wp-admin/DOC/VYkywxMerYGIt/
https://thejewelparadise.com/wp-admin/Document/xtHPDkvQRJcQCyBYoCN/
https://thinktank.csoforum.in/wp-content/uploads/2019/DOC/SdycWQvhYEVfLIkwGYEuJ/
https://toyotadoanhthu3s.net/wp-admin/86s0vl3wunz4vg4w7veq6l53i_gd5dy-6390446360/
https://truyenhinhlegia.vn/wp-admin/esp/zzrvDhptxaCNTEuhrqDxHPRU/
https://tuankietkhang.com.vn/wp-admin/DOC/SRPTReQwAhQlUwuIOAJqFGAGXH/
https://uctuj.cz/DOC/parts_service/9gnwxfd1lgsqkuc9ubcq_ko25hpj-021295563/
https://ufc.benfeitoria.com/wp-includes/uMTeSxmlmOXNcHjqrptcnhzb/
https://urbariatkavecany.sk/wp-includes/e18ct7nfb92lr3i2m5p2fmfvpge_h95pvij-515950320361320/
https://veatchcommercial.com/wp-content/Document/6cvgndodepzh2ylq_uei79m76-80083264081347/
https://www.allowmefirstbuildcon.com/35rnm2e/esp/c8frws6nxk2ttaf6r898572_975855y-7811681013/
https://www.bimeparsian.com/jz/esp/dccKaumjHEDnzyzm/
https://www.mobilitypioneers.lu/blogs/lm/5yqyc89z7njo7cvw7gj_04roz5d-5355090859891/
https://www.newlifepentecostal.org/wp-content/uploads/2019/LLC/LLC/p3k5n42wjwi68vvbjo0aqpqlf7qr62_ul9b8-95646978580162/
https://www.ryblevka.com.ua/wp-content/qrBRyjUmVghuaTLERuZmjEJABTKadT/
https://www.steuerberaterin-vellmann.de/blog/wp-content/zYNaHPdFRXPFScDLeolQGyEmflqIjn/

Epoch 1 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-05-02 19:30	(From ZIP - JS Based - Fake Error)
SHA256:
ddba8ddfb7c42acb88fad6167a50fe635cdc0b0fff6cb60f5e3042521f2b178c

http://thecaramelsoldier.com/wp-includes/ihzn9vr858/
http://tucsonpsychiatry.com/wp-includes/pd70/
https://toyotadoanhthu3s.com/wp-admin/hf4zkre2/
http://trackledsystems.com/cgi-bin/jqywt14488/
http://uzmandisdoktoru.net/_wildcard_/c52633/





Creation Time	2019-05-02 17:42:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
b58e3864e562525a60699e36a8ad7a3ab401249bdcd961337acedf902d4909a5
a31b9ebd3c79ea7d6240df25a22b699a77128eb315c332af18fdba229e784926
f6bbc014c60c228d15455feea62338fee9208970a48cce3b3ed7a77ba932454a
499b3a9f33e403cade37a86e6687127799ea93e99a552449997923911a98137a
2ffdd515695709b45de9c46598821cecdee63edc6c59a31842f2013330789131
8d2de893cfdff2bb43f45e0daec423ef070eb67df0dcdf7b9393113b122f8a9d
20b5c05fd912231f474b6cfb1c82ea1a952d1d835e6c7b39e8dcd38b16edb0e8
f8c9d27529f9d2bcce30ed8f010f5f246d5fd4e7f83f3b0b28a4bef3f255d441
a9eb728aa0336197b0774902ff30fe603b21351282f64704cc81bc1a3ae780ca
72d94096212d0967a618fb2e02725fffc3a533b4ce962cec04cf5f619d4862b2

http://thesapphireresidence.net/wp-admin/06038/
https://toyotathaihoa3s.com/wp-admin/9tyajmn47897/
http://uttarakhandvarta.com/wp-includes/zzyyxm762668/
http://theanwarofficial.com/sitemaps/j7xrxu5162/
http://ukhuwahfillhijrah.com/site/c139/


Creation Time	2019-05-02 11:37:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
1eb9f65fe87d06dd3526e5f30f0f1523479ff7b8a54b08dc30e836d1d96bfa41
e004665169889580886ca75a05f8d7a7739a39a94e2eeaa95bab00d9618ad8bf
32dde8bd2ec90cb902ec6388b633a90e6576b0e230f5caf5c031ce870aa75118
84cc9df67defd40bb40d149b493ecc31e3b19eaa24cc5bc98d7d71c96b750896
d458f166cc96924dc0de21457fc0cf3f794e70f2758ff014f8c5a4e0872d5e44
5cd8f49395d0be8d0495633f2ca6f5f275f5fbb83ddd7e078784220141865029
4538e80e3e25c5be4491c0b52d4119d71654604556c6c3b9fd79317d4aabb18f
afa805779d05d4746cdd39e3f7ea8586b4cbb7736badb85194a673fad468ceaf
afc2ac4f3fc0cd3719696f2428c5c615b8bc418b4e7e497ed38babb64b0ed6fc
02dd8f41e51cffce4934a64a6a17f23a901155cc742c4cc1001ae0a2104625e3
786272ebe38cbd68f38a43862963357185ce28cf57d0d2816020dcfa0cb76de1
758618b1815537ec64010eee51a98afd94ac2d582eb17574712cbfca113202af
e98d6d03d74c3b122f5a6eb72ddb2c864f825343a68e873179659ec499320532
2a6df9cfbc9711681e8feb8466b61866ddcf4a8273907263c891677fa0db4d9d
38f06de9e7af1ec6849436d3e82b02235b7ab72524cf22bcf954875e54a68bfe
bfb762973e7154984a922fca7b00e8169a93ca7fdad035c807e0f83df3daac67
6b1c137386864e9e3f2bf4fab7cf7c8b55b600f6b346ee3c7c6ade2d8f47c46d
e9cc355b9b2c501a852825e354361d39910f68c1be617cd4370d32f2f9d65ebd
27965403597d9dce6ba0fbc8d3f907fcf228898f52db58015a628f15335efcc4
ee12d6a7678d385cad6d92d505223faf379e765e2e4aa55694b49d462445ae64
da90642a84ccf0e03150cbce192af56cff8e5ec145fde46e2d41a86989219d28
7caa4ded7e7be4167ac5991e8a563e231ae9b80813dd36f5618494e30886a700
5949291f649526ff88f4742c813f89abdcf6e06335b1d42ca740b5e775a58169
3c76fe0b00eee4d76979eb6f27a9395ff952967b39a6c02e62f5e988ca351cb1
7e5a6e6ecf5554cebd655af3e1db09d80552510bd42af3af1cd364fa84fc788f
52977ea9ddbf4be1c05c0ea100009b32ad85f4be401e647c9fe13a3057413c39
a84f95c0558d7b9d3a2a1b254ce94e82033e880445bc33e19ad57c8d76b90ca7
d814311450dcfc2294c8276cdf0bdc1758016f3e66ddbec0086348ed6a0eba04
75fbe40d61fa1f15700afa46c21b4626dc159ee772727d0ff492e1e599e21f90
a1e6f1e524b4965d9e6feb6b062b305c77414f2b47dc58c16c8e6c0a1208d4f3
652e50579d8b42205db403c898b6a29eef395121faa1f3a8d5e44cfa151c682b
777f9b3a59f8082a608bbfee166e2ab7632a742616ba2c28e410580bba77b7be
6316788989ab49e76f6ea46f35787128eeba3bb4cb860b36bbff791ffbff9a0e
9afded52c30b230da28ab2add95ce4e0e2edc0165737a3a2a49ba51885835e9b
6d1135a4791ba0ad4224d6c35d0229086bad56c922883e201d7a2604a6aa0e6e
ccee766fefaeabe6f07024efd2e73d697fe96574890859807ac8120422de6b8a

http://programmephenix.com/wp-content/languages/kjdx0ls2/
http://axletime.com/wp-admin/r0gmx40208/
http://5elements-development.com/wp-content/uoesp16/
http://bestphotographytnj.com/rrm9/lm83yx518/
http://citilinesholdings.com/wp/cysk9wh832/


Creation Time	2019-05-02 07:58:00	(DOC Based - ENG - Off-Center - Light Blue White)
SHA256:
27f9f197a336e93d2f520b60ec3fa4e8e3b062f994f772e2af261414d2b26705
1dd502d8d280a322cb97f2f738a3d731ea48f849c9d75a52300b56e293a09818
553239859b03fa874dbb1da58799b9b0ffe0007f1d47c930848d7ab6098de072
98ac62c5a32ed7eaa42cc552f172e968b09292c15233a19c7951c9ef10dfd84f
ad79acc87367bc014f33526b79ee8a0e71097eb2e383da4efa692e27e96273cb
f9b9b2777dc0ecea0601696230bc2cfcac0452ccff119a84bc86c14b81d02ee9
f2fea5754bdbeaa1aeb9b44499df21cd6f1c53b7e01ddf028548c443802aaefc
1a83e067999d7270f9ffc59b474e317606e5760643632a3aa57547427ed9b81b
7c26c03904ba19298d89b86815c39fce874013b15fd899a6f92672715da85f66
2cec6207e10f66e6f17e2e562947c2d87e578e40ff39e0ffe919d539a5028bfc
44b41f3c72d6b1cda27b4799895105e931f788f21d2a46629f42fd36fef89b1b
92f10ba771b25d6adf4c786a0d65a97a7a1b5c90beb90545d12f3f16b68e9c52
c67b5c47df7b5d0346a97a59471c44bb6e71b3b688e19114ce2cce04b2375f9b
ec3dbdea4bf7ccf93ce6a7d14e3fc767b1568fc966fd412c48ae557746732479
d5924eb822b796f9b27ce2262b065c7fb14fc235bad718dd09766db22315d0a6
1c60cd89f7e71dc9867ec2c1ad7327f555e7cfb26315267798ee54d4e414eb57
b9b623468f7367c94da5eab9cef1341d56a50a2880730fa3b3e933263c329f3e
8d2bb644ad211dbf798452fa2d112bbfe2a45e8359543f6c3527eb0794535de4
4210f3dd7b7dff7c6338ada3d0dadaeb6f35fef0288a679a80d8496e15323b3f
f6dc8645861e69c7413e6960a98eaf11b90c42d2e841523fb88f542b2ef770f6

https://www.limodc.net/bwi-car-rental/mpfg47/
http://hibara-ac.com/wp-content/uploads/r5zg416/
http://thitruonghaisan.com/wp-admin/d31l9/
http://ezviet.com/m267lxk/w1/
http://losgusano.com/emmw/z5vh6c090/

Creation Time	2019-05-01 20:15	(From ZIP - JS Based - Fake Error)
SHA256:
b4be331a9a01e5ee347770bbd63e1aa54d07febc0e3a7daeb77d171b301a483a

http://dac-website.000webhostapp.com/wp-content/7876/
http://audamusic.com/wp-admin/nt4v5zv04/
https://apk5kmodz.com/azlp/k751/
http://escoder.net/cgi-bin/u80800/
http://puntoardg.com/ybsph/yXP/

SHA256s for Epoch 1 Payload EXEs seen on 05/02/19


a5bceba5ea336ba98164a941924b1c043c495a2a84c1091905d0ea6425299b0f
04f38a4b742b88b501a3ed1949023ba9c92619dad4bb293c5903142f90fe9700
e935a9fff5f8a88ea9bee6b7e903dbc6d5059c48a031b38f2ed1229da9393fda
4c2e68f3c9d1f5ceb2090a75cd637ee63302a26cc145334ef3650dd2769cb339
1a4c6749ba27d2a039df15e770a16e900f50d97cb298e8e1b4bb638bf760db49
3c0eff5ff26c90f89652d5e4e00a8b856e055b70378f364a30ae1c50fe41cf3e
30bb20ed402afe7585bae4689f75e0e90e6d6580a229042c3a51eecefc153db7
568d7b11f7989feb867ee6c9839d6eb9b7b9b6baa46837ceccf4085b7a91076b
7ca8ef9629e18e231f5b2075f0c37ed9a31ff8043df1609ee727027bc31f5124
ad2875ec25e06a49783e8688ddae5c0779196b21fc6436d5ab0645c10865618f
3ac469ccd3811c1ee2bd467d1836a43c512ed97d3ad9fa95962459a66d6fdc73
b24adc8f170e8b393ed6f9150da0a4a7af9fc75d6593f06653b2bc081ded2082
bd12a552b826f4ece4698d6d6b69420e44f2671b93825b700f9bfa4ed4936c02
2d4f18928d962328d1559262138ac55ca2c54f5ba3b1a75c9a753d4507468910
6f7b0a65b1dfd3695dd2742a40f0e298a9c85d7c1d7110a61069b1998a5846aa
ae8267af65eff4cdf73ba260478b3848b2786a9d0a455e3b8bae4a2180a7a6cc
d17ebe662f643cf09eeb752c5c762ff4bed75dabd4e4b7490622376dc7e38447
c32f22932584a6548c881f59f956c7b8121435502c56add50612e6dac2fed73a
9d2f44585db7cb66f44520117b5f8e19711cc2df4965a3d504b8f69632c94ee2
1025982e1f880ddc6d51a7287dba197240d03e5f2c8363de3919adc61a138d86
de4510ddb3bae906a10446c0858a587b1017028e7d35131812f7026473a0ca21
0dba12c2686eb9ee98c7ec57b3563a4237914fd4e7d5b940345ff6c2e422fcc7
efc6a6d22ddbc378486fc556655dba16d9e86edad05760993233238dae2e1cbb
b9b4beb9f6b55ee5066b4ba0b87cc2cf0dbcdae67de621fcf104ca1bae24d680
e5cf907f0100e637e39f8b86bf1ab2b9f745bb894bb7da4156a0644fb80d669a
864f5badb39b5785404d804530ee1c4f8017f433949a82e5d50705c165720bb2
4fc09e2b1e35cdf526af2826b3f13e8bb2c1be4205b3fb54abfff3a99277d0c4
05c1e1df147e37a53870ecec18bf84ebc33ec3803684bc56556f28a6a8bae385
ddd6ba58895766f143214f081b3e66d68ffb11086828cae056f91d1dd0efd945
3741bbd22b53cf49f0b880bafba60ceefae13255dda495247e1c6272d890d3de
7d3b811a7ce139de1c6481dc43c63a480c00f2f97ecbddcdb073ed2c8cf3ba03
0b09f773617976cc5fbe67f400efd09a16615daf714ddfe5de29a840e62c5d04
a5679ea7d82a2a6af0f79a3382e73ef859545e8f375595cbb85b072d79a96a8c
126ac7eae544dd51c67a075c15e3b8689e37e4e157be5c2be6ea69884a01d6fc
cf7ec2151d5e3196cd3635e12bc4d69baa8acdbcc79ece436829a124416d23f9
b93e52f1b7d03a8ba37add647403b8267773de119e63f6de9f5b695ce78d1f5c
ffbaba3df6fc217783b117a25e9ce24bf400dff5482a00193707ae0d3d8ebef9
ba887d40e8a7b2c00625b25a8484e39cf27ee27b1204f333b91af8c8eb7771c7
1d4cc6c8106f90a0f951d2958baba66d938f95e845c0904c606ce7c81914b24d
aa31ca1a02c0c7d9d9393fe24bb0b17cf5366e02fd71a630ca4e2fb5647c63e0
f9f9602360f67e1e2b9c0e89e55b83a75fd72821b34f8c3200da7e0801178b5a
2308bff272f4ef2511a0c2d32fdb46181ef3b83752c24219aeaccbd6c110cfd5
2bbf431e5764d340352da793ef5dfd90b4aacaabee7a20bcd90f4d0cb1496067
29486da6be3a1d12fd4012a9190c3752f7b3847272e452df53c589fa47464657
e7022fcc330ae61bea926a4f61247583c20f79533328c4280e01cbed47df639b
556aa6b77f53268233a517a67f428ed92d10ae077a57831ededdcce16c4a798f
4fac13173ada1e96e17a0d53076adc66b9bb41048ce4e56f59500adc5cb85fec
c352e77c458685679a5b9f20ff3b26f5f42f1d09388d06a7849b45747a6704a1
8d419457d93c921795eec27924b152d07efa96558782272950fb7d4bc651dc94
2c4a668f43f2fb12d7bf99ec1870ef7c7bdc33b7201ad753265d9778cfaee578
390c430b9a3ed2abeba28fa34487f234c6eab3b18a47812d89e276a7320758e4
ca982bdafa4eec85775b2f47759ff83ad62a87b93f961b50f0f865cb25325075
d03fe574f8fa6126c74541f11474d9559c6dd8ce949e42fe5c0ea66dd8d4043e
652824737480bb50d7d9943a8dbf5a192b600b5792ed0e5916f929fb52c2a90d
fe2959b5c241e78e8d99424af50cee0bc108d8167ccd30f42643f78e304d26eb
893ae5cf3c326e9d6aba877510cf9b2073b5d67d8e557941b2054c78ba6b7745
503c1f8d7aa9fb4c335f44c62390c8ac7daea8ccafa019f6bfa54de41f0915e7
01b00324f21fb34576505a85963ee46153a23984f3959b640bd9daffdd0fa08b
cebe897a6c2c1e119084d1b68ff9671e4405e56ac3eb973d052ad724e0745ef6
d521cc53fc4f5a882768418c22eafef1b9290d380b77cce118b8c6a669444f30
880bb6ea2a938a960827dd2c5a0ad4dde3feb6736e77e19f927ef4a99b4372d8
94b73732e0ae9c95e418d4637e5d0b964fbbc74e3182d4c6c840e895cfe5107f
f294fbbafd14536e870392e30a4285b4a65048ebfcf1858291cb3699dd4e1819
6c5378d6ba6ff07b0ce0f2f025cc8238c1dc1f81b399180d92f03c9239f49341
2cfca42cbb8df0aae0fbfaf6c3b77452176285b9ff52da37e56791aa51ee8652
09ab57c6d3d152efdab9eebf9aa4fd29f585ee6f647406682ca179102b98116b
ce709530a954dbe87dd829c4187dc9265c4b4acedeb708b6cd200f047080b261
303cc3af9f31366219c6a2358c05a24531bf260b6defc9b6897392d211a5dff1
5aec0b4289fac7e3413bd12dbb1840fa69a0d104818580ee1a812b5c2126f32f
489ed6140b742d4bb2682ff7da80c5e2d67499ca2f97a1e2930472d4ab08da61
5d4d3fe25bdd869847ba085274734d7e09afea99f172f855a21065c8710e1f74
bb4cfd3ba84467535b7e164fa165c2b10712c7344a9d216b18874f34e649e6bb
8401b00b6fb0f3bf6507d6576475c909a6a013b998449a80b27321d6fd52f0f9
164f46a11704351b8aa0c8a049be812bd7e992ba764a69ab6bd373c3e1db788b
c6bb94a5f0f1f297ec0e6b27067100a596920603d5ea1e2484f95060c2bc1bd9
acba54a4b5b72bba9b5b9036485fa0257c5dda20856f360dc8ea8cf0d764bac6
5478f7400c77e6347d2002d235f92e522cefe6eb2902618bc0f0e40138419f55
e1822ac2311a869c8ea79c59b2e5c3081ae000d500d7e09574d651ca3e538c39
f157b22a20feeb0434ca66806ab77e590603a97c863656f0f734f1cde5e87b95
6d7f0b555fbb9279c1de3447e01004c99813e3772ae41ae67742fd67560fd57a
f5764b9f57309dfba2a87b93497cf9162fca2f0dfc110ccb2ffebb16a54681d0
f4456e473304e3d438a3e7cf58d601c5b56d16b1b81ddcf5e5e16b1ec20c172a
6fa555681b9e23903a652e6f0a5bc22f5db618b00c263dd874636502ed731e3c
79d80412f4d09dc31d5f99ad663931b38a477bb0a6da8685376163dea21d947c
9a7424efcd36756301589ccfa23cfa42ccc82e0fee29cb61fa3ff404714ba879
7602c8cfa06e26a6416250904e17e088fbbbff8d7ccb2d3dd258c60a6920e843
4384db57f8098be4eb16caa008dc7d87a349b02d9574c4ab5b13f50ee888fa54
90cb1f8d6e6d54ac207dada4c686c794ecc03bcd232719e7bf37e1ecea96a199
b6b3e4bb2918655597fdb1363119ec230e3c8d37794059dc4b2f976c4a204608
e392370cc393aa7f23fd365625779b48d09669e8699fa09239bad257f4c418aa
94e3dd6d07d2ccb2b4a5dee974af9c815c25777aa5e87962348d24f5991a182b
375ff9ab594d2ef65fb6ef221e261220cce769eddf71869eb469914096f61819
40f21c0af710962bd103f0d881a6f0bfd3ae9d2f0c1c5f8a1dcc90268ad35579
48fd75ae1e9bca0a3a1666b035c50bf8b9595840ee865233d8bf58aa979a9c53
5820dd4ee3893dc9f2a0cd523d4927cd23a9e4fb63a8d8dddd78e79869fa4333
f4aff8cb5dfb1fe35444eae46866e318398d96163eae5de17e8dd2921b91dc4c
d68217e5f0980a040567a66fc1f2c308527c44d69800122222b5c4edb12c390d
83f4a0e4957d574fdbd7b79b99e511fe8a8b99c70b57b509fd9a571193188e3b
40622910c037949966d62be0a7187a8a290b500f18303e08d9a492533dcd8c36
6d88f78c1a1a57962bf393715e8968a68c5afcbcecb3e3883180b4291afb1a9d
2588b5c34a3b67739e23fcd751fdcc24d94c52319e18e4eafcb6e7fbba21abb6
223fc1e77320c0a515a20fb2de9c1914a47708dad5aaae4454b91288156dbe6e
84d127321b93032e15bd170a291b072c548b12882c53d367aa52698bcaff12b8
48260c3ffe79f8cf498502778c192a2cfca7b69866141a9a88fa75b0d0093557
66aa942d8dc8714c54e31c733d37d5f6d29eb27ff64e3cdac40ee9ffcbed2f42
c7a696fb7cf6e210f114ffbf88e789e075904358bee61d81d4bf85312707312e
93022b11ce1b14ce27a6edc912fddfca63cf53a844845180409a11c2fb1c5d7c
c31465c6ff3fb1ffbf48da86250e8ab62e8d192af81c886d1293d0ee082117a2
1b6aa692ba88e13ddec659e9c601d305146fba99e16181467cdfe49c7b109918
79a44b5796a6c8f3dbe3050dcb7cd9a53abd0b568903b5eb079d33d93f1d8a7e
c37f470bdb9d07f59a00c714bca64abb91584a040387d1a3419cd97e7b90bd22
0e54a79e6387d6d2d260fe44680f651db4148d65d579db5fc284abe9a951e984
f9cbb23ef0d89593cadcfb443b6ec7eb789b3ab5cd7ed2afbbddf53be0f5e9a7
3b5acf6213221055de8d43376ca1cb56555d30a944ff9f60ffe8cec6a8bd325b
643e37cdc1863366d925409441ed240dd926040c0cf0ba97eb31167b111236b6
f357e35687a83a0dd1e8844ef01944db9658da4d616be6174b0730ab07f26578
fc7cf3f6bf9b02163ad46c045e008583b8e4432ebdbfb2f7d2bd4f098a91074a
ed397a5790f55d0d2a2439c5657763b99ba756247a8c8327ebd450b575ca218c
d7adad75b676060b0065fce8d74f3a41400a2b9b2e304fff8c7cb6a016877398
ccd26cf9cf606fb49a237a501e9e441cae962090bb6e5b24e4e93898ac5b3383
73d49eaa2981d7de3ed1b0d252823c62c86ff1ca6ffd8e6c9d0aa294da75efa8
8d8e3670e4e0aefcc95ac53fe2a5215b2513cbd804da5db6d754d026a3d64f5c
29ce6ee552676eadc8f9c770d9c789c21d323a92acb61fd5471053f51ecc0e44
c6a767ba8c7fbd15990e376a2ecf6acd3933770982b7c591d35cce684770e719
39c7cb54f8880626d582bb00f43aa28087558ef73a9b311bf6440ae168e6acc5
8761299b8ebb2aed97151601195f42ced376e2e0aa83f99f0bbcbb00158627b7
bfa9f4346764ccf4f2b721cdb1ad12813907113071e7c4336cb0f68f12a04ec6

Epoch 2 Payloads by Document SHA256 - All Times UTC



Creation Time	2019-05-02 16:38:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
990801c1de058647b506c19565ee7abf0c886af33defe87c185c91aa65f9b579
c775e0d5046bb333d8ec48ccee14f6b50a394d750836412c56c98f100efa3718
8217083c9e4b5ff7f2e438a2e50d8fbc5f75cd170801dcbd6bf1592b4ee6e76e
4146e3cf4f60248ab8855463ad47ac44eadfa77f85a93d219f31d7ee935d9da6
b9f18fa8392dd9be62fa5e88a7ce0d5e94998280d5e5021f073f6ba5bd3aa43f
8d811bece1938911aa657dc5292eb1d12e09c27c1c53b0933cd390e1713fa25b
ca8b291d0dc68db57dcde7e61fa81d3da86f9c65c5006a6228e7fb80cd8ee651
f268669cf7822cdb42f9407a39e23549e79930c64deabf9fb45acb7c33aca728
aa801261e72e6b957bbe8aca839c416734b1739fb133a1890f59c191768d72f9
15d6cb9824fffd568458004f7229d69b27e35d5832a06314821f924491c61f3b
f38d5609ce63487e3e63cdd748f198d3e2afff98ee43ed99880ccac6a883d3b6
4f1f1458e0c5595d9643c0247bdffe0f225ccc61594a91c00ca039d989b946b7
24f92e105f2203de4853e057f2ee4a32695a1d1cdf14d7d58e0e533d72e5d96f
aebc1103f9344e4926c8904a4f9a6eaa1edcae4a8eb2fcdf5c19d535737a0b57
e94720b4121c2f2d41e0ee3d754100229d76b7f7085c5700cc059ac806f0a59e
61084b80fc69d146f8193be390def46f1f2098dd074a893154d32a5baaa2017e
ea4bcbe90240950b3246ac90b8c4dbf5c2f03b839328ea0583e893e0ad72ddb9
e3a103a9172dd50524b0c0964de06d03923e3570e35af57064955fbf000d459b
354a0c17e9b347d1d27a3b8d605f7f1bf162d5ed17453430d9bd70ad026da3a2
8349b412581a466e885158f9a83aee010856a203586fe21fb479d87fd23c2826
8d2c0506d65c170fbc8989260a0f3a61ec6ca809c9d462fcb858cab170b6a92c
279da8586939650e58af66d116101b17bc938c19bb18661aa9f44475bf1a5478
4a4e5f7221b64a94e9ef4e6aa74464802d5156b0fed3258d36bc778233fbf8aa
4f5f72888a2a10ba0715f11df129cff23d1ca9b1931a51e7d9fff93734f9fd92
ad7f8db9d25f63a5eb7a79a11d3a565cda0c31bdb3d6a4cd1fe72426f9fde0b5
0971308893645e1e89941d0f1534015f97e2cb928d9109721c7cd7cd0ea1cac1
6c1d9bbd9dcad8b950dcada8139a8b21e31036ae9d319050f7513d240ef31995
63c779e66565a408efa9dbe3f38629a8b2e231eacfb78c1ea20f16d254eaa2a8
f3e6d361295086c6ba59367cd7509a310118f08c0d0324141b41b42dfbbc0657
a4439bd06300584d703127e8fd1d2261eb45b1a90ddcf65fcc8addd697a6a8b2
abc589d5ec63138ee0c588f744cb6c8ba59baed47e9316419c174ef6e6a7e393
7b492a6aa0b683eb1c70b5363eb6649a63b0cf81cf23c8534546d71a762be37c
cd75e6f5d568dd055fc68f5d4fbd544dc851fb2423d08aae37d5b8243cd14e49
e13b9bf9d03d25fea984a5ec113277a7ee1b22941e392cc3614867c272dd3fc4
a0ebfc81ba0f08dae4cfdf68e03efa80addb7ce41083ecbf98370acd020459ff
9412268f1f2c0eb9a06cc682d774e05495a3b4e468749c77e157a5a354c2c8d8
77eb40705926158b5dc43657acd06acbd152a96b25ffa0c7570deb2d30f30a55
ddf9e67e5268bbcc69f0fc467ebf6dbf3a7a669e89ee9e24e4e40121a5546933
5f4e455a7b03f049de3775140eec2cba95103b1cbb11acccd700533724bcffea
48735c4ff3f7651891f927ad38236a63867ffcbd2a702e9a79daa03cd9c63420
77097aa9879009420abd97243ad99b01d6f37aeb4a0f10db935af76d24071f60
d658d1c903a310720f251727c6671496fd6e83e4993c4646ec6bd48b2e3d6207
0b1310aa7bb2e7465a222a04326079ef48b0c163b96e95a1860e79666b479b7c
1ad6ccae75006eff67a6adefed9ab969eb30456f9bfa2badbf680767f36e4ad6
5a065c412c5ca5029a12a0c5bb8fc9ea3fbe72f7b3a89fa7fbaede2f06ae8185
0a0052896d023efd6db21fdb504e996474df83abcfe4ffb55b55bfd894125505
0b7bd2da70c954088c58dbc28b9470dbb262ba21c13648eafd0a15b4814cf9d2
0aba359f77ac576510a26b160b60e4b0bc470db5ec0341e64234681ec8c607c1
592706d46283eeff5a73e3bc816333334ae78f9d1f8162cc5517f402646e8f71
e2ed5e816faac04190f6bbfeb09ed618a79bcc85d5a3ea6ace4a678cb715f4a2

http://pressuredspeech.com/dngn/cEmgNTByQ/
https://phoneringtones.info/wp-content/uploads/qx93_k68trw3j-15334/
https://freewallpaperdesktop.com/wp-includes/50lz_zkln03lbc-8209361/
http://safeservicesfze.com/wp-admin/ZmVYmAXv/
http://noingoaithatthanhnam.com/wp-admin/voytvHre/

Creation Time	2019-05-02 13:11:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
d8c7142deff2a26b21e0a6d90be7dc9c182f9d0d1f12a78a73827f6ad9c28bb6
11f45c2f0d6d243306cbd6c70c01f1efb2050836b14f4d669b7a471511ade739
ca014e6230918cfcc607b656e4d58d48a11f073abd1be05dbf3c5fd93c20bd5d
ca20d2a716b4f8a6f33a2817ea8dce45a08cf19883ad41b221fb2b12b75cceeb
31828b00ccfd454be6bf5ba07bc67f0986b28057583cc2812a5e690c9b9afa8b
29d5a0eb1f8b938839724b100c9d78b140e82567e8addd0d15bf06f98e61de90
6fd96bc05d0194613f21bd6315bfbf2d6e4606b291ab673209ebd70ce801b5c1
b35b244a1b523f3cf796b6c6dbfe4a4d0fe1b3f733b6410dae9c86fb60128318
733c298095ba5ebf571f1a1c965b4241dd96cfff7626aab4c287eac9bc45f7d8
8e9d93194c497235c8905b587e9762771a44df5b5a62e334e0cb27a7d4f0ec3c
61363331b4ed5c211a5108f4820e0e7b31451bb9fb50da87d537b88e01159528
692814008db3acff680edd583633e98789c8458f795753f459410f89869d59cf
24654f8db73340d450b7f0096eb353b5b764a0f53403da045534f4fb1407171d
5df383f04feac1ecc7ff1cda2e577d97e612db6ded6d2d33830eaaa3fc0d569e
3c37cb5bc7d34a299c3442b5d9877e8f4932af1dd6ca5a8b139a668fed5f9786
676593b3137422bae95a34c1bc6e6c4966e8a1895feb948faa1c8edddef80e2c
0b0b4e6628b0e040b4d1f188dba616fa53dfa0100e25ced74f9ee3ede164695b
94f9a3e8cb648efb537b8a9a1e4510d286b80f06b04a72ad3ef9c4c474bcf810
456c3edf43e0677174dad7da916faec9c2534520655a62ad5be950b123060dae
e1d98af63da307eae302d60d18a6b0be7361cd92514a4eb2a22209151d035348
fa0e3b3660ec8e52b4817f8e030a678bdc2308af9c111f8241901d1e0a7396db

http://pineloautoricambi.com/cgi-bin/CfXHkcupBR/
http://thaiherbalandaroma.com/test/yoWfczmHJ/
http://fiestasendirecto.com.ar/wp-content/YxOBaTgCa/
http://www.thesamplesale.co.uk/rprv/0xsqzs0va_mh2r8-58/
http://tarh.card-visit.com/eal8/RZnFltETpR/

Creation Time	2019-05-02 09:19:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
986dc14f11ea0f528b1b42056dff88e24e1834eeff08334897ad814335a6ba87
d208f3eff68d5739131aeb2b16c66c1b6afb8fae27517f1b7b9029d4ef8b1ce2
b1dced28edb0f204dfeddacb104281bf43b041d6dfb17f063aed46e5b5437998
460bb3ec0ecd906a65785dd78b0cdc5493f99adc417a5f8dbde21ce4a9fa9112
a64dafa37b662494a38730bcc5e028b2531be116573db369d5afc8d881e33f8d
c00f51900f0ea1f2b2f180fce863a775f22285c5e714f71db05511ebbff40bff
71f892530436e11f487144a6a0938fbca4ee47850fa221ca6518d6c2f9e4c837
71bc0919dd2d7b84656383c07b7ea006e3c3e303c80a3d4b309485417aecd634
2582818939828ca255c6ce74274a0ecac3f7d0dce6167eda77d6db061ab2a485
8715b1a0fca07aa174dff8f761755d3879f305b1c5201960fda42ed8840822ae
b0ac55a9a3533916702fcb365a321abaf4990b73459a2fd1a32a3378cda957ed
ba194c165790fe37e147a5148a0e460acbf65bdbafbf0928bc1bd762359e0691
f369360d06eb8817d505540eef0a467948a1eac2752e0eb89fa308ce02987389
c4bb3c6de8d16d8d68841fd2fd8230fb13d8f7c51feaced318d5f41c78f15da1
fea2192a0625af323042fe1f31e647d6a4be939d0ad615b8eae445e1d29bfd8c
19aa70715bb894cffe28f94b04951b36d44de3e38e334f2885d281dd464289ff
05a8d63623061e357e6537d32e097ef07f792fbfbdbb534d37533e5f9632c5ad
195a1fb436c1c7497259f18d4332423f886a38242d824dfc498ee40625ab82c5
1c97b7f3209e9d9ec53eb970c19973fd0a805e6f621aaedd613235fc9fbe453c
0fce56ba5ffc2f0f9d972591a22a18532cc8b5fbf0a807cbc4a61f4077e15098
0902f960b630274cb21ecbde3e6224d1f72d570c624965528a3b02266630e914
8e4a311d2368b3ef3374691d891e860542fbcd33a8c5df81d9264762449a41a5
7f1c516c36a737bf48d2ec5556e1e3232d47994d94c10675f7c00ba10b04aa00

https://fepa18.org/wp-admin/vZJPXdJUKbsQoR/
http://infokamp.com/edmatvu/XcvhTJMoveELDQSwTUGIwp/
http://aaitrader.com/wp-includes/TdWfQOsyteJAaXt/
http://hoststore.ro/wp-includes/iIyDhkZnoKGa/
https://ioszm.com/wp-content/VKvRtbEjecrTUWtZwLJPTASMB/

Creation Time	2019-05-01 17:22:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
17f4ae8fba484e7fb87c16216ece4622556d70db4d807d8b0a4ac207eba7d015
1f7f4adf00079e629d57f4d60246bad091aaf746a26386323e414d5dfe9cf126
57f935a706180e4e617c73331cd0a57f8ae1fcaf0537e0fd11294aa0e20e0feb
8849cbdb89ef44865f23e8745eee176d529ca564c20c66da99aa5c04db555ec3
d450310c315301ebd8307408f8a534d6fd108c8649bdf0557d2c375fd7feeac5
e67b66b18eae119a39f810d45ea3987486699e4d7b83f2a43150fb4a865870e2
8c2940f2a0b9eeb17e9bbbb8c465085982bc20dbe2fd980c532eb87ca96f2090
e5bdce92d2075dbb2d3f7601032665a77672b238c34b72edc5af8dbc0ecd7912
e39ace0837155e85d59f5059bfe202ba3de02a88c848a6067c9965cadb79c5ae
d0cfa6322bfd78d66cbe8513075fb57b181eb60560ed6558c707d38110fc9c95
22b56c3fff64cc6ccc21bcd5ac8a4ce68a75b19d7586475acbb445a45144e401
677e0cc93380965dc2a1f323cf07e84848fcd41950daf4158e244113536896ac
a2fcae9f16ba8a88c03ba2fa986fa6f148dbaeac41f94546467a81b9846ae9df
4208aa9b2a8e40195be3444efc9bc9cd2accf732b249c921025207feb62a0970
f65dddc5f054d91554fe20e60a06c22d0a8a6cdd6555ba5c7098e06150c66ec7
6a817c04b3ec3fb6f85801ecf4999db95505445ecbc8f741cf2985972f2d6f75
07ad82ee6f552024b89e9569759078672295762694af017f35f64bb7284b93c3
07ad82ee6f552024b89e9569759078672295762694af017f35f64bb7284b93c3
895e4424f07b9de1284d596c17b8e10dac11fade371885fb4e8d9c73bd2721ce
314285230457396f78090f46f2faeff452e0f80e97f1b8fcc3371298cad19557
438757f58f956c0bf3c4d88c3270f25c6bef6cc6c7599d01e2050871e1c7cced
b4acd9d62915cecb1ba384e9ef86b7b9b26f38f0c0ee405ba3b4a396b44b56a9
bb393d58b6809fff86d32f6a6b5f3af0de4ecdc371a6454ecd9fd2e47f55e59b
af6b2d8591fc986c0fcb199d2526efc8e0089ace577fdbb925a7334ba5eab4ca
c0d56c06f445e3284464894bb9855dac7036a7f5e0da7183ad31c6d0c2477db2
1f4a46bf19d090bee1282d5920e1ce502620c0a50cb4d5165d735d5b52e4a79e
51d6fab6ccf8fb3460ce156af02cfcbaf6098f74d37e5d323a3d9e2c07e4b8f4
e12f25d5aacd3c073171d6f5613fcca942c7cf9cec4cedbed74acb9dbee513de
f28f62f33ff6ea0d8d9708e54142e83603afe0bcdcf1206bca2f2dfa00e05b0c
8e56b9601576954a6830441430cdbf339831df28e8b6a4c29fa76471d83594ce
fdafca6a40ef4527b1dae33e85b89efa3d854bf937e4cefe026518f191309470
fdafca6a40ef4527b1dae33e85b89efa3d854bf937e4cefe026518f191309470
899845fe4fe39f97c37bde716b7ba0b19169ea817e93cfae5d7e3cdeed7fc639
811f6ec9cc7105d1b81e5352a0b9f90df420a293afc43ba91507952e7cb49f72
571210656adbfe8cde574bb15f96232169cdfb487f4597ce1a4532c7a0258f46
64b75110604d920b41da5dedf56cabebac63da64a209a35cb664ba69764fb8a8
f0f7cfb434c2a3922d011186c1bfeeebf9cf5444b33cf90104ae09407bb65e06
f9aa8059e3a7418a2e686036ca8198cde4ba026f1d0b05ba2a32774825fb71a8
72f28f83d17f71068693f8f34ea40d09dc75d111635427f1b58fa9d4cad29558
404f20fabcaf9c4c086a38eb1cb139e49e2e08d6249ef41b88d7eb2c0e628bbc
394d047267664ca7feaa87df65b83ef559a4a97d7660e855fd84ad39ca15c17f
f485bbf5f58215b48cf1d3435a75007749edb2a502238899c462b7f8b47c410e
3b338a2b75997eba6f9666aaea6f422da3e38754657f4be7f7e0e9967c479a63
fa4963b59046a924250a2c0d7599ae98fec4d4d0ba1cdf8de575a7438c570563
897c6162e1f5089706797ca8cc5e75026d5bbc7707bac7271767e378815e514a
9af59ed0cd1f739a62f9e8f478b2d237913d0949d9ca7b0202a8d22115323f94
9c51bcdb82373007744c0dd18a11c06decaa000f48880f23f1bf9a335e5af053
60fef10a83e873748b44cf932f3e0fa0a0d891f414e591696daeefc00f0d01c9
fef5c94f160ac594834251f184900922b8b802d3b8460c3dd75f74e895e7fee9
fd0666be8043c1d58b39868e5236856bd32f80fdeb994081e9a1c59974fe101b
dc49d2d7421719050d62368d665c84629bb08d6874ade0bb8940f133b619d9ae
854cdddb19feff91dc4b4fba1ec91452c996a460cd5bd9ea2ff6e88f8c20f66c

http://depobusa.com/foamorder/tObUfzBc/
https://www.plvan.com/wp-content/vPTKWuAOUoglbXLQxJufgAVZbW/
http://hsb.pw/e5t9/zbqlHAhTtRZd/
http://mestand.com/wp-content/akMmnMBbAPswO/
http://jobstud.ru/wp-includes/QIUEwMypGbuDbhAaEimcRofGNckbVn/

SHA256s for Epoch 2 Payload EXEs seen on 05/02/19


0139d5f3393114110523a0ea71b7b30d501be5c38f396cb942b71702bdad5dba
b92a484b17dd0e44b952822ef0820900b931f77480aad707f4e7d8af3f641694
fd6154f314914fe0e0e3dbca0be331be70dcab5e0bc8692e882d041053a109cb
1b488aac749d96e9dd0091608fbea2467ee5241f4c4d6f7c099146396b8f53be
fc317b28b08515c6c5b16cba48deb8afa50d4f1292e79ce76bdee19dc913b461
4b7f66ef2d6ad844e08416508a6f022331efecb85655a13a8a75f7732ef58412
4b633f5e8245c61f3ec3a46cf245acb56f66f7caa72bd6157a01f422163edcc1
682725e8ba8b5383e9cda584b67be4b0e1a4b521fe1ac428bc2699f65dccf7bd
14da8e8051b0b163bcb6a6cce736bab0173804c8da57ce12eb665e630e1e229a
4a0dbccd45e0163057fd7cf9f33719f71768868381ca95ced1c7ebf6620e4aa5
61a108b133f8964df693cb0fa7087b680066cba4c317e73f05d988da74a5990f
a360e01a8777b08b618e01677c264e3f45719b0da50f24d783660626cfa7cea4
27d6f4d39b0af4ec76b0372cfa69a3ca6c11004d3c9ba8bc082fffefc48e8c35
710db143dbac331d8f696b67e39604391a269696d957afe0cc4c798ddc1c1526
39f70a1393856b97175b5aa8eda32b6da0f6600f58ffd029d65826ce8a707650
9c80bbc85101eed3a43886d783dbcbeea4fa72898406a07d8b710f79044fc865
eb8099bc018fb1db097f303b99dafe4cb07d81102209cdfe2406eabc97f66d54
35c2d04c8b877ce46095f02273b0c23cdcfd7e9e76e93e195bdef170baabcc87
c7a6a3f927f5a7ada67f91c8609a3745ee579c3e63b76147494e50cf77a79614
2f51263c1a9fbdecdd806809b39a29fc8bd1f84ba6dbefd260e12f3960d1d7bd
f3131feed900a3128d1fc6da0cd753d717936037fa92b04fb9403e3abddef267
6657685b186d7e072376685468ac8f2ac64ae76b586b02afac9be5729f2817f1
8247f6298dbfb5aa6d7f9ce1a58576547f7cdbb089d76129268aceb367ba7d42
cc26319bbb77b56f938fadce821cc0e6aaeb047b9a2dbf0bd2791be32bdf609c
6f35d5ccbc35c1b6560e9c242274c13d2880f34a03caec1d9004ebd0d142e32f
c6ae5257ff2633ebd01a8103e43d7bb35a142e28a9c7d068a4beee163f350288
9d762f0b106089ce170f31bdf626c248d5eadc8372dd3def6df531d838933544
2e8b8ad9a3f86d616b0e51a4c69dd57722f1a31528ac75ea58e1994687a63a68
5d7ba6f8e8b2953de1b71a89a41f5c5460a897eeba86db1221424c20e34b8de6
3bcd74eb064d631d895d6bdccc6446fe9c0e53fb5cfadd03ec349cc2508745cf
c7e31bcd18e097b53f77aac99e9e3290ae208ffca36e4011d32de04e8d02e883
8dde5c3df0af262a5252549f3288f42aac599a649afb5b8fb7a7d18429ad9d75
3dc47ff912ce79f18c177a5e114c2cdd7e30962ca08107546cce59b28db9825a
9d5af1e5e35581344aca81cb15c9f94bbf26f767a1259f82dd33ec58af16a0ce
34288f730dcccd5152294b5ec6ca11317d69e333e9f34e597903d47b87994115
b164b6db06e4372a3d9d3177725f8d64e424a0cb5b97fef7564464cb7e55d6c3
44cfe6a073ba14f3d23fa0a340f8b49f050f20f78200ed0abfeb6b6aecb7638e
90762b10adaa2ef61827e0e617e36809a4c56359ed56c8c46d179bae058c9f4c
fdfdf45dfc03c3c2991385f7dcdeb33e8ea3cd5eeec19ed8169432284a4292ac
8f3408f3fc81e83ec623b7d1d2b5ded56f62ac74bbb9470db439467d93d688b2
3f79f7ab88c5bb3682dea5d8899823bfd3dfac0c93b5cbc9ee4ffb98ccdf9056
f579be47727e9be4bf7386cccae98af8c5762f0de67e6ba3f050576827d0b366
c05a889d62751e96e5fa2d95fde4692eebce6fd1d1427becfaa25b93d1e59d39
3c2e9ce3f68e52a9f944fbf723e265f99710913459cde221cdc17d34f28449b8
67ebe896ba8c32528affc78733dfc20284c1f8bdfbfeb6e58658aaa8e08e83a5
5e7ba25c34a6948780320423c4f1554098e2e59c221f44ae409c168016fdc34f
b100b8905ca0652747efd09bddd043cd2f2c0e075baacafe5b01ab1ff5a4b6bc
b6ddb89d617f97116cc3e3ae894cc62f040968c39c10b8c1c542d5df77212ec6
2b43ae0e2ae9dcec606ee2f6ef183caf00b85b7f3207e76e86433d4751c1323e
c67e18ea855c49bc6c853b6970f1fb7b2901041a5b290218e7fd52279c122fd9
c4bf558fdb6da807060414d7146c338c50e66037d88cc3973e8cc2ded57d8d0e
37466c19bba687306f7bb9d15a78f2542390d2887ab99f89f3e52c0b6dabe33e
b7f145c761b67d8702f25c301e148f8b14582d75e2e9c7c9a0e108b1f928c0ee
5a25325d8e0b04eb42f5a4e26b3d67e459d21f10ab5e4648fd544a209f5aa23d
1b7c6c4aedb6e643487ca113608d72f09a431aa3491acae8458587b63de65fb2
5ddf46fa58889a227ff95ebcf05061769a5e526c7a7f097d69412839d39fb291
15cc6aea744144130950dea1abac2401d1f51c151e7c664ebc3e3df4cd6b1909
100a63eadc781896e7ad9def4340ebbe9f221798aba83ff2b580ceea2ccc38ee
852c81a19ec64efdbb3353b2dc3b9cd564996e4b29361f884dcc730717ab9df0
3fb189dc99f52402bb2cb1336b35afd2e221e607f60a7b3780528c6543409fea
c4e8255fce89155bfbbd4767862733971c9306aa6a2d01fe82cbd45334387ddc
548c1bc7710a59d6ad33c3c3126508e52e63b8570badc3887f4e67fcfb6b91d2
d6a27acd253a1946092d2b1abd800789c9e43df52cf5a522531028b4a5bec82d
57e8da94216e5bc5b28a79c465ef8040a4db12aa06ad91fdc3b562cd906cb051
55f5b6dc1e0ff0b674b322b301385c13b101259787e4ca977f4e7ff9a086b211
4e845c1e743375ea8c337d42e4d30ff4491dd1fe34afbd7bc260ca10a99e8c5e
8448c6957d755834a7f644a8d49e3094adf5c506ce32e0b157bfd7d60d025e6d
efecccec4cf166a4d72bc2dd68f46310c55ce88131f910660635403633bed7d0
25d5ce0c95bfc75729efa56d8d0dec4e249144357bae0ccbca17f61a873f4089
7e7aa221638881cb37b280fd9824e7347fc4b519e9cdfdcc546ad5d3de1f78b0
611500650f0bff1315099d3712d6a443e13d3c488040a0bf3a5a5aa6471ba946
853409f1c256b9151a2567ce0c75d86fdea92c4bfadc8ae9381460b8369ef597
9c88fa19bd75bb4c34a5fe25c27a2f08846f4463268453610b00409fbae31cc2
2c5d86005043ea6ecdf66fc7fda301bbd22d9d5aae2115ab30109bf941d5dfd7
9ef9c01f42b204d85975d5475f9f6493afd2292a68666602cb8516bb8517a103
b4c619d17fc86b39bdad1cf76a416eab966d5a8a46ec8b25164414d7c970f447
11e49778e470f4f98b729147fbe63029b9c22fbb40dc061ba3ba5c7edbc36df9
ef85f1df03308b40716507203a71e1501ceb5ed5d71d74e1a089ddb8d5c0059d
8e870cdfe40e7b11d7a2b7978ad1a7abca3c1a276db07e33c9a1494ad4153ca1
723e2a6cac714b533b3846076907899d9833790528677c81d2acf3679474b9e9
c3908e765c16319d95467f2e0257edf0df968d889caaf3262e9b9fad3e76b916
c3f0273a8a97fbfbdba8027da06fd0cfcff36abba681359840cf99a71f81b0fd
6f6f1661ea7bc6f022f88cfc059e5fdf016d794fd9e5432082b56c879618b8a3
338f6a6cc054071c08a82b6ae8460427126e025225359e0b16f0f54a32fb67c7
bafb626f61ebbc0f7056b8f9fba4995c8241077288084298b8134680445dddae
53b2abce85b3f2c261c33d98567c316e43f1ba65ed76e36b0850499cc68dd43b
5f0a0eaf37f81de04ad022348e50f126dde35354bfacfcb1815777049dec23c2
e3b923ed549a34b0309be4e0b4538fa6f1f881905af7e622e95c827951de59f7
ccf8423c8dfef5e0158bc8626dff73c8ffeed44facf62e8d05316ecda01381e6
44c47ce3b9f75b3d8775be16a0b2927a7602d0d61f5c25fd213c7bba9dda29d5
9484b9ab6c1e6ef3a5ba75ee23766a6996067e57105df6c8e13efaf9ba78a823
eb0adf723100d7c2044bb96d333f104e0a3c62ae8d1baec91f40d627ff428628
e442a8c1b7e19e2576f40ccb6751d7d34a2c56249ebe5583fb698790e28c8a6f
0866f591f33417377d087978c66e6939d36c32bd2d1e7e572f24730ea80559a3
cccc1ccc54f9d889539cacc4be1a2d54f3813979a64aec5c8b27c12631fb26ab
35cfe4d2460b11ea8c240eccf2129a92f263b990ce1c06a1580ac90ae36ac4c9
fabc080faad015e151c3bade908ccf70ada8828947461c2e1c26d07802552dba
d62668450c1a95a5560756d37f6128ccd5ead425b11a7ffde131df4975c30bbd
34eeffa1a2d0facdf46989783ebdc5b0cd55a71ee1b535d93ea7a2102fc9a83f
fbc2eaba1caa3bc650e3d098c9b7cdd45178c72b799f73169498819dc957d5ae
a25f2e639d0f10ef4a503441d050263fcf75965fb9335045b6700b7a94c7bc7e
f14ab77fa8c5bbf78a33c843c46d91f3a8bf67645389df08f10e51f03e449939
16cc274e63b246ab057793f97f645321dcc64d7b8c90179f24b68953f98f8fcb
60ba7d9129ee291ca713d86d91c8d8b8138c356e30c5a58cea1863e093a5de4a
4cefba804d352f991a08307af38187df192d0116521a6647bd3007b5b20ef48c
4ab07124fde0875689458403fa298e0413ca35f60baa1aff655bfc738d3f9e0a
ee5a6caa4444084871449cf6f2385c6191f5c382761cd6223f13ee08efcbd624
fc48b19fcabae3d5a4b9d2254fb3e42ef6ebfd721981229258c13b92d6d264ab
299c75f64d439ad734c456bebc444b3635339fd01c79e8fd2cd423e6418ed80b
1744dc89c20bfcbae1f7fb2a3026e6c306a81049c38b9900099ae54ea9791c42
93cf79ff996ba9e30f92fd3d0a7e2e27cf3ac0759d1bc3625ca58dd882031f6d
4cd9648a811b059ee43540eb499b46a15d8f8e6314c400bce79b86afd185bc38
19a8fee1ca628e49c2ee43acf796c6cd0a6065d9bfb1759e93d3fb0a83613c01
d53231f84eb46224e4f7cd3c7e0bfe2bc09efba6f0302c16ebcf2d6ade912146
38a7c5792b7e10728d7b586fed4ee8e2719f2738ece96f2eb8ae080163abcd6e
6f76f6b51b9a9cec05f4150034c2bc9f6b0d7275563f8b68c245876155b92059
f2ded594ad73d56c20117ed072c03e1d0b0c8ed099cf1c806a84506a410013b8
8d7709ed6d34e8637aff2a8aa78c75440874f7cfaf2668377e92f2ea405d130b
21f24e8fcc40ed43f86acfba78022a53b93456f770c61af6e9e62df8070df9d2
f0d9f9f83c550617c9c5221b9a277926915eb983cb629968ff0713384e9d56e5
02338fd1762aa746ee87612d92067e73f787a5c7d13f42d44058ba11769bdd19
d530161b8f01c24699e97cebd206c50e834e74c352e9defb50e194a2be268974
82a2df016af0708a590457d9b6b2db96800e30934e7b437c1a97fef85faf45ae
df1dd5f50c6a365a3327d6d985a7d15aa14ebdaa6cda563ac57730e53dad964d
1c66cdaf670fde0ed8a09346395839c6ef8b7856a4dc1801d7eb3d64b6576c57
8a8a99282fcbe466ee20cd9c90a8bb7b109cf8b1e1598e30df6b6c9d2869196c
b2ee80cb05e8f2eeeeb74c34e2ec8f890280ec2c990ccf4eb7df93f078986be6
cc7f943b05fa5d7d63caa25e9f7b4bd883d1f43759e5d085269d1c0b3e9f9969

Epoch 1 C2s


103.201.150.209:80
103.213.212.42:443
107.159.94.183:8080
109.104.79.48:8080
109.73.52.242:8080
115.132.227.247:443
139.59.19.157:80
144.76.117.247:8080
159.69.211.211:8080
165.227.213.173:8080
175.107.200.27:443
176.58.93.123:8080
181.142.29.90:80
181.199.151.19:80
181.29.101.13:80
181.30.126.66:80
181.37.126.2:80
185.86.148.222:8080
185.94.252.249:443
185.94.252.27:443
186.139.160.193:8080
186.71.54.77:20
187.188.166.192:80
189.196.140.187:80
189.205.185.71:465
189.213.208.168:21
190.117.206.153:443
190.147.116.32:21
190.171.230.41:80
190.180.52.146:20
190.85.206.228:80
192.155.90.90:7080
192.163.199.254:8080
196.6.112.70:443
200.107.105.16:465
200.114.142.40:8080
200.28.131.215:443
200.45.57.96:143
200.58.171.51:80
201.203.99.129:8080
210.2.86.72:8080
213.172.88.13:80
219.94.254.93:8080
222.104.222.145:443
23.254.203.51:8080
24.150.44.53:80
37.59.1.74:8080
43.229.62.186:8080
45.33.35.103:8080
5.9.128.163:8080
51.255.50.164:8080
62.75.143.100:7080
66.209.69.165:443
66.228.45.129:8080
69.163.33.82:8080
72.47.248.48:8080
77.82.85.35:8080
81.3.6.78:7080
82.226.163.9:80
85.132.96.242:80
91.205.215.57:7080

Epoch 1 - Spam/Stealer C2s


31.172.86.183:8080
104.236.185.25:8080
50.116.63.9:7080

Current Epoch 1 RSA Public Key



MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

Epoch 2 C2s


103.255.150.84:80
103.53.44.20:80
109.194.50.231:80
119.15.153.237:80
119.155.153.14:21
119.93.243.2:50000
124.123.42.93:80
133.242.156.30:7080
136.243.117.85:8080
138.201.140.110:8080
144.202.9.18:8080
147.135.210.39:8080
149.167.86.174:990
149.255.56.242:8080
162.243.125.212:8080
167.114.210.191:8080
173.255.196.209:8080
174.93.130.148:8443
175.100.138.82:22
176.63.173.71:995
177.230.108.144:22
177.242.214.30:80
178.152.78.149:20
178.62.37.188:443
178.79.161.166:443
179.14.2.75:21
180.150.87.75:22
181.39.51.243:993
182.176.132.213:8090
182.188.47.206:990
183.82.110.170:53
186.4.234.27:443
186.85.38.31:443
187.189.195.208:8443
189.134.78.42:50000
190.112.228.47:443
190.193.18.37:20
2.50.4.159:443
2.50.52.255:20
201.220.152.101:80
208.78.100.202:8080
211.63.71.72:8080
212.22.215.140:80
213.14.166.152:990
216.98.148.156:8080
217.13.106.160:7080
217.199.175.217:8080
37.211.38.50:80
41.169.20.147:143
41.220.119.246:80
45.123.3.54:443
45.33.49.124:443
5.230.147.179:8080
50.31.0.160:8080
50.99.132.7:465
58.65.211.99:50000
58.9.168.7:990
59.103.164.174:80
62.75.187.192:8080
64.13.225.150:8080
67.205.149.117:8080
69.198.17.7:8080
69.45.19.145:8080
69.45.19.252:8080
75.177.169.225:80
77.56.253.112:80
78.100.187.118:80
78.186.5.109:443
78.188.7.213:8090
83.110.155.238:8090
84.241.10.111:53
85.104.59.244:20
86.99.35.122:20
87.106.139.101:8080
91.205.215.66:8080
92.154.101.154:50000
94.130.35.140:443
94.76.200.114:8080
95.128.43.213:8080

Epoch 2 - Spam/Stealer C2s


198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080

Current Epoch 2 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
 
NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1 and Epoch 2?


What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications. 
Epoch 1 is currently the larger of the two botnets(MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more 
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen 
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same 
time period. 
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have a different document creation times and payload quintets than those 
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change very 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Monday's of every week a new set of document download sites and usually templates to accompany them are generated early on 
Monday morning/Sunday night.
- Both Epoch's may share a host for binaries or documents but NEVER the same directory. Eg. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys will change every few months so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this 
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

Community Lists


https://pastebin.com/ZrG4Esuj - @HerbieZimmerman
https://pastebin.com/aYRnNU44 - @malware_traffic
https://pastebin.com/SNWLK5BW - @ps66uk
https://otx.alienvault.com/pulse/5ccb53f09ffabffe44f5e5f5/ - @SecSome
https://pastebin.com/XF9r4JwC - @executemalware

Credits

(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, 
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt 

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey , 
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch, 
@urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!

Daily Log 05-02-19


General News: 

Updated regex patterns below for E1 and E2. I received about 21 malspams. A far cry from the 100s I used to get. Others seemed to
get medium to light volume today as well. Mostly links for me today but a few attachments in the morning EDT. It seemed like
the EU received mostly attachments at least according to @ps66uk in his report here:
https://twitter.com/ps66uk/status/1124042396877111296

In other news:

TrendMicro had released a correction for their article here:
https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/

@HerbieZimmerman Documented some incoming malspam from Emotet:
https://twitter.com/HerbieZimmerman/status/1123954979805511683

Brad at @malware_traffic received an email from Emotet today from his "Billing Specialist" and documented it here:
https://twitter.com/malware_traffic/status/1124040302191415298

@SophosLabs - is observing an outbreak of what they term as a "novel ransomware" that is possibly delivered by Emotet.
You can see the post here: https://twitter.com/SophosLabs/status/1124095568999895040

Personally I have not heard of MegaCortex but this is a new development so be on the lookout!

Email Template Report:

All of the 21 templates I got today were based on some sort of Invoice or Billing ruse. They were all generic and mostly from E1. 
E2 sent me a few toward the end of the day in early evening EDT. The templates were the following:
___________
Example #1


From: "spoofed org" <compromised@poor.tld>
To: "Victim's Full Name" <Victim@yourdomain.tld>
Subject: Invoice for you OR Subject: Open Past Due Orders

<html>
<body>
Attached please find the wire transfer form.<br>=0DPlease let me know if yo=
u have any questions.=0D

<br>
<a href=3D"http://lejintian.cn/wp-admin/lm/CUBhsurjIYlmEDiyUA/">http://spoof=
org.tld/inc/77736998644/spoofedorgname_36756832446_May_03_2019.doc</a>
<br>
<br>
<br>
<b>spoofedorgname</b>
<br>accounts@spoofedorg.tld OR billing@spoofedorg.tld
</body></html>
___________

Example #2

From: "spoofed org" <compromised@poor.tld>
To: "Victim's Full Name" <Victim@yourdomain.tld>
Subject: Paid Invoice

<html>
<body>
=0DPlease find attached your most recent documents.

<br>
<a href=3D"http://gkmsm.ru/abuebz0/Pages/sedHliEaUfqrmTGVfmUvIYukOMQ/">http=
://spoofedorg.tld/files/IDWGI-132-G4422/spoofedorg_28062590710_May_03_2019.do=
c</a>
<br>
<br>
<br>
<b>spoofedorgname</b>
<br>accounts@spoofedorg.tld
</body></html>
___________
Example #3

From: "Spoofed Full Name" <compromised@poor.tld>
To: "Victim's Full Name" <Victim@yourdomain.tld>
Subject: Re: open invoice

Dear Customer,


=0DThe attached invoice is showing past due on your account. Please provide=
 payment status.

http://blog.memareno.ir/ozwh/trust.accounts.docs.biz/


=0DThank you very much for working with our company.

-

Spoofed Full Name=0DOffice: 906.842.6564=0DT/Free: 1.809.653.4564=0DMail:Spoofed Email

---

=0DThis message is sent in confidence for the addressee only. The contents =
are not to be disclosed to anyone other than the adressee. =0DUnauthorised =
recipients must preserve this confidentiality and should advise the sender =
immediately of any error in transmission.
___________
Example #4

From: "Spoofed Full Name" <compromised@poor.tld>
To: "Victim's Full Name" <Victim@yourdomain.tld>
Subject: April 2019 Invoice

 Good Morning,


=0DNeed to know where to charge this invoice.

http://data.iain-manado.ac.id/wp-content/trust.accs.docs.com/


Thank you for your business - we appreciate it very much.



Spoofed Full Name=0DPhone (Business): =0D825 080-6931=0DPhone (FAX): =0D825 08=
0-6477=0DEMail:Spoofed Email

-

=0DAs always, should you need any support do not hesitate to call us.
___________

Example #5

From: "Spoofed Full Name" <compromised@poor.tld>
To: "Victim's Full Name" <Victim@yourdomain.tld>
Subject: Payment Advice Note


 Dear Gordon Powell,


=0DCan you find out how we get paid. Is it a check or bank transfer? They j=
ust charged us $532 or close to that. =0DNo one told us anything about that=
 I just need clarification on this process.=20

http://fitnessdenofficial.com/wp-content/verif.accounts.docs.com/


=0DThank you for being a valued customer and using Spoofed Full Name.



Spoofed Full Name=0DOffice: 967.700.2378=0DT/Free: 1.860.655.5990=0DEmail I=
D:Spoofed Email

___________
Example #6

From: "Spoofed Full Name" <compromised@poor.tld>
To: "Victim's Full Name" <Victim@yourdomain.tld>
Subject: Your Spoofed Full Name order has shipped

 Dear Victim Full Name,


=0Dcan you re-do this invoice?

http://data.iain-manado.ac.id/wp-content/trust.accs.docs.com/


=0DSincerely,



Spoofed Full Name=0D486-629-9586 / 486-629-9092  (fax)=0DMail:Spoofed Email
___________


As you can see nothing earth shattering here but it gives you an idea of what to look for. Example 5 and 6
treat the original sender as a company with strange phrasing. This is like saying akward things like:

"Thank you for being a valued customer and using Joseph Roosen"
"Subject: Your Joseph Roosen order has shipped"

Not sure how the data is selected to fill in the templates here but I think Ivan may want to lay off the 
sauce.

Review:
What we know about the threaded templates/reply chain:(changes are marked with *)

- Emails are sourced from once (or still) compromised users all over the world.
- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018 until at least January 2019. (may be up to present) Also have seen emails going
back as far as June 2018.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
*- The injected reply is usually prefaced with the following: 
"Attached is your confidential docs."
"Attached please find the wire transfer form."
"Thank you for your help. Please see the attached."
*"Load instructions attached"
*"A printer friendly attachment is now included with each email."
*"Click on the attachment to open or save the printer friendly version of your report."
- Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- The link is customized for the display text of the link to show the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous. 

Link Regex Report:

Regex directory patterns - The following patterns were seen active today. I modified some of these to make them better. Any with *
in front of them are updated or very active. Yes you want to take out the * in front because it doesnt belong in the actual Regex. :)

E1
*https?:\/\/.+?\/(sec|secure|trust|verif).(accs|accounts|myacc|myaccount).(docs|resourses|send).(biz|com|net)\/
\/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-59\-]){6,7}\/

E2 
*https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
*https?:\/\/.+?\/(assets|blogs|cgi-bin|demo|direc|Document|DOC|esp|FILE|INC|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Scan|sites|test|themes|uploads|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,30})\/
https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/

NOTE: If you get a lot of false positive, try adding (\"|\n) at the end of some of these after the last \/

These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of what I saw in link malspam. 

Payloads Report:

Still seeing E1 and E2 going back and forth between the new and old loader. The current state of things is:

E1 Distro: old loader.
E1 C2: old loader.
E2 Distro: old loader.
E2 C2: New loader. Seems to be stuck too.

Everything on E1 was straight DOCs today until about 19:00UTC and it switched over to ZIP/JS. Distro had the old loader until 1300UTC and it switched
over to hash bashed new loader with 15 minutes or so interval until about 16:00UTC.

E2 was basically straight DOCs all day with the new loader in C2 still. Distro had the old loader until 1300UTC and it switched
over to hash bashed new loader with 15 minutes or so interval until about 16:00UTC.

C2 Report:

C2s did NOT change for E1 and it remained at 61 combos in total. - recorded above
C2s did NOT change for E2 and it remained at 79 combos in total. - recorded above

Closing:

Not too much changed today and spam volumes seemed to be up a bit today for me. Honestly overall, Emotet is less of a
threat for me lately because it can't seem to deliver the volumes of malspam that it used to. Even the reply chain type
emails are pretty bland and lame. Perhaps Ivan should give up and move on to something else. :) 

I am out tomorrow and @ps66uk will give this a go. Have a great weekend.

TT

Sandbox 05/02/19

(all with fakenet and MITM unless spam/secondary infection)


Epoch 1 C2 run on 2019-05-03 at 04:00 UTC - https://cape.contextis.com/analysis/71309/


Epoch 2 C2 run on 2019-05-03 at 04:00 UTC - https://cape.contextis.com/analysis/71307/