Emotet Malware Document links/IOCs for 05/10-13/19 as of 05/13/19 23:59 EDT
Notes and Credits now at the bottom Follow us on twitter @cryptolaemus1 for more updates.
Epoch 1 Document/Downloader links seen for 05/10-13/19
http://adlg.creaciondigital.es/wp-admin/EN_US/Messages/2019-05/
http://ahakommunikation.com/wp-admin/EN_US/Payments/052019/
http://aio.sakura.ne.jp/RMP/En_us/Attachments/2019-05/
http://aisis.co.uk/why-use-us/US/Transactions-details/05_19/
http://ajkhaarlemmermeer.nl/old_wordpress/EN_US/Clients_transactions/05_19/
http://alumichapas.com.br/wp-includes/US/Transactions-details/05_19/
http://apps-phone.ru/sendinc/En_us/Transaction_details/052019/
http://arouseshahr.com/pdfonts/EN_US/Clients_transactions/05_19/
http://artgrafik.pro/administrator/En_us/Clients_information/052019/
http://arthurearle.com/arthurearle/EN_US/Clients/05_19/
http://audioescorial.com/webvieja/EN_US/Attachments/052019/
http://autoecole-hammamet.tn/v8ys1qx/EN_US/Clients_Messages/052019/
http://benhnamgioi.online/hjcuqw1/EN_US/ACH/2019-05/
http://bim-atc.kz/picture_library/US/Clients_Messages/052019/
http://blagvam.ru/cli/En_us/Clients_Messages/052019/
http://blog.blissbuy.ru/wp-content/US/Clients_transactions/2019-05/
http://blog.salon-do-kemin.com/wp-admin/EN_US/Transaction_details/2019-05/
http://bond.com.vn/wp-content/uploads/EN_US/Documents/052019/
http://bunz.li/opendocman/EN_US/Clients_transactions/05_19/
http://buscafitness.cl/eowx/En_us/Payments/05_19/
http://capturingmemories-photobooths.co.uk/stats/En_us/Attachments/05_19/
http://cbl-mmg.com/dueadx/EN_US/Payments/2019-05/
http://demo-joomrecipe.joomboost.com/tmp/En_us/Clients_Messages/2019-05/
http://doanthanhnien.spktvinh.edu.vn/wp-admin/US/Clients_Messages/052019/
http://dudumb.com/tovlsk3kd/EN_US/Transactions/2019-05/
http://earnmoneymarketing.xyz/wp-admin/En_us/ACH/05_19/
http://eidriyadh.com/cgi-bin/En_us/Messages/052019/
http://erasure.work/wp-includes/En_us/Clients/05_19/
http://finessebs.com/cgi-bin/US/Messages/052019/
http://firefightersofgloucestertwp.org/xafzgw/EN_US/Transactions-details/2019-05/
http://fondation.itir.fr/wp-includes/En_us/Messages/2019-05/
http://forno-combinado.com/n1ohrq0/US/Transactions/2019-05/
http://gaugeelectro.com/wp-admin/US/Payments/05_19/
http://gre.jpn.org/DOL/En_us/Clients_Messages/2019-05/
http://grytsenko.biz/wp-admin/EN_US/Transaction_details/2019-05/
http://hargajualbeli.web.id/wp-admin/US/Clients_Messages/05_19/
http://ibleather.com/rytz/US/Clients_information/2019-05/
http://icebetesda.com.br/wp-admin/US/Transactions/052019/
http://idrmaduherbal.in/wp-admin/EN_US/Transaction_details/05_19/
http://jasminenova.com/wp-admin/EN_US/Information/05_19/
http://kashftsrubat.com/wp-admin/US/Documents/2019-05/
http://kinderland-hhm.de/cgi-bin/En_us/Attachments/2019-05/
http://kiselev27.ru/wp-includes/US/Transactions-details/2019-05/
http://kokintravel.com.vn/wp-content/uploads/US/Clients_transactions/2019-05/
http://lacvietgroup.vn/css/EN_US/Transaction_details/052019/
http://lamsaokiemtien.com/wp-admin/US/Transaction_details/05_19/
http://litemart.co.uk/wp-includes/EN_US/Information/05_19/
http://liwax.demo.kompan.pl/logs/En_us/Transactions/052019/
http://lsdmoney.com/w1u/FILE/US/Attachments/2019-05/
http://lukastudio.vn/wp-content/US/Messages/052019/
http://lyhnb.club/wp-includes/US/Information/052019/
http://mafzalfurniture.com.pk/tg1y/US/Transactions-details/05_19/
http://mayjensuharno.info/wp-content/uploads/US/Transactions-details/2019-05/
http://mayproduction.vn/wp-admin/EN_US/Transaction_details/052019/
http://mazzottadj.com/stats/En_us/Transaction_details/052019/
http://meb.com.vn/wp-admin/US/Attachments/05_19/
http://mis.einsun.com/123/EN_US/Information/2019-05/
http://montrio.co.za/wp-admin/US/Messages/052019/
http://moz3.ru/download/En_us/Messages/052019/
http://mozis.cz/wp-content/plugins/js_composer/EN_US/Transaction_details/05_19/
http://mrtrouble.com.tw/wp-content/US/Clients/05_19/
http://mtfelektroteknik.com/wp-admin/US/Documents/052019/
http://newsuns.com.vn/kcjhp7n/EN_US/Details/052019/
http://nhahuyenit.me/wp-admin/En_us/Transactions-details/052019/
http://nhatrangtropicana.com/wp-content/EN_US/Transactions-details/05_19/
http://nissankinhdo.com/cpzf/En_us/Clients/2019-05/
http://notsickenough.org/wp-content/En_us/Transactions/05_19/
http://odiseaintima.com/wp-content/En_us/Payments/052019/
http://ois.edu.bd/wp-content/EN_US/Attachments/052019/
http://pasa.com.pk/wp-includes/US/Clients_Messages/052019/
http://peters-werkzeugmaschinen.de/cache/EN_US/Transactions-details/05_19/
http://petsol.com.br/wp-includes/EN_US/Details/2019-05/
http://picturefilter.co.in/com/US/Clients/2019-05/
http://pinoy4k.com/wp-content/EN_US/Attachments/2019-05/
http://plastsearch.com/1/En_us/Information/05_19/
http://plus.mn/images/US/Clients/052019/
http://portal.maesai.ac.th/images/En_us/Clients_Messages/2019-05/
http://porttech.xyz/wp-admin/En_us/Clients_information/05_19/
http://premoldadosvm.com.br/wl6szr/US/Details/052019/
http://przychodniajelczlaskowice.pl/wp-includes/EN_US/Transactions/052019/
http://pursuittech.com/css/US/Clients_Messages/052019/
http://qddpqgs.com/wp-admin/EN_US/Information/2019-05/
http://questxchange.com/wp-content/En_us/Clients_Messages/2019-05/
http://rcube.co.in/BackUP/US/Transactions-details/2019-05/
http://recnicki.ru/wp-includes/js/jquery/ui/US/Clients_Messages/052019/
http://reliz-dance.ru/wp-admin/En_us/Clients_transactions/05_19/
http://render.lt/deze/db/EN_US/Messages/05_19/
http://rouzblog.com/wp-content/US/Clients_transactions/052019/
http://rungvang.com/caiyz/En_us/Clients_Messages/05_19/
http://rvo-net.nl/plugins/En_us/ACH/2019-05/
http://ryselis.xyz/wp-admin/US/Clients/05_19/
http://sbs-careers.viewsite.io/css/En_us/Transactions/052019/
http://seguridadmilestrellas.com/modules/En_us/Information/05_19/
http://sercommunity.com/cilecuador/EN_US/Details/2019-05/
http://sextoysrus.me/css/En_us/Transactions-details/05_19/
http://shahinres.com/api/En_us/Attachments/2019-05/
http://shirting.si/wp-admin/En_us/Payments/052019/
http://sicherheitstechnik-essen.info/wp-admin/En_us/Transactions-details/2019-05/
http://sinhle.info/idbtmr/EN_US/Attachments/052019/
http://sklepzielarskiszczecinek.pl/wp-admin/EN_US/Clients_Messages/05_19/
http://slati.hu/luza2/US/ACH/052019/
http://s-maruay.com/administrator/US/Clients/052019/
http://soleyab.com/cgi-bin/EN_US/Clients/2019-05/
http://sorenbam.ir/wp-content1/En_us/Clients_transactions/052019/
http://stahlbau.kz/templates/EN_US/Clients_Messages/05_19/
http://stjaya.co.id/wp-includes/US/Documents/05_19/
http://stock-footage-free-europe.com/www.stock-footage-free-india.com/EN_US/Clients/05_19/
http://substance-abuse-center.com/tsawym/EN_US/Clients_information/052019/
http://sumuktida.ru/certificate/EN_US/Clients/052019/
http://tabcoupons.com/wp-includes/US/Payments/2019-05/
http://takosumi.sakura.ne.jp/GalleryImage/US/Transactions/2019-05/
http://tasekcement.com.my/cgi-bin/En_us/Transactions-details/2019-05/
http://tatc.ir/wp-snapshots/EN_US/Clients_transactions/05_19/
http://tesoro-japan.jp/ww4w/US/Clients_Messages/05_19/
http://thanhphatgroup.org/document/EN_US/Attachments/05_19/
http://thehangout.com.au/wp-content/US/Transactions/2019-05/
http://tosekara.com/wp-admin/US/Documents/05_19/
http://truyenkyvolam.mobi/vtwdoxb/En_us/Messages/052019/
http://tuyendung.life/p/EN_US/Clients_transactions/052019/
http://ucstandart.ru/wp-admin/EN_US/Clients_Messages/2019-05/
http://upick.ec/wp-content/US/Transactions/052019/
http://upwest.jp/baby/US/ACH/052019/
http://uydu.antalyaelektrikariza.net/wp-includes/En_us/Transactions-details/2019-05/
http://vitamia.com.vn/svbhoa/US/Transactions/2019-05/
http://webbox.pro/instance/US/Clients_transactions/05_19/
http://webitnow.net/wp-content/US/Attachments/2019-05/
http://woodic.cl/wp-content/En_us/Transactions-details/2019-05/
http://worldz.neklodev.com/wp-admin/US/Payments/2019-05/
http://www.cbmagency.com/wp-content/En_us/Documents/052019/
http://www.tanjabok.com/mail/En_us/Clients_transactions/2019-05/
http://xenang24h.net/wp-content/US/Transactions-details/052019/
http://xn--80alhlhbufhdhf.xn--p1ai/wp-content/US/Clients/2019-05/
http://xn----8sbgvdeccdbf9abeufxe7h.xn--p1ai/wp-admin/css/colors/ectoplasm/EN_US/Messages/2019-05/
http://xn----ctbjnkdio5a.xn--90ais/wp-admin/En_us/Transactions-details/2019-05/
http://xuatkhaulaodongbatimex.com.vn/wp-admin/EN_US/Messages/05_19/
http://youandme.co.ke/wp-admin/EN_US/Clients_information/05_19/
http://yunuso.com/cgi-bin/En_us/Information/2019-05/
http://zavod-bktp.ru/webalizer/EN_US/Clients_information/05_19/
http://zerone.jp/about/EN_US/Information/05_19/
https://akihi.net/Animals/trust.En.myacc.send.sec/
https://bitmyjob.gr/wp-admin/EN_US/Transaction_details/05_19/
https://dp5a.surabaya.go.id/wp-content/EN_US/Clients/2019-05/
https://impactmed.ro/wp-admin/En_us/Transaction_details/2019-05/
https://nariyuki.jp/cgi-bin/US/Details/2019-05/
https://www.allowmefirstbuildcon.com/35rnm2e/US/Transactions/052019/
Epoch 2 Document/Downloader links seen for 05/10-13/19
http://0xbitconnect.co/wp-content/9b1nwg-5mixk7-xizo/
http://5711020660025.sci.dusit.ac.th/docs/parts_service/6hze5fy79odzu2h8dsa9z9f1y7id05_s60267hm-0741181456033/
http://aboutliving.asia/wp-content/uploads/sites/c3flha16_bd8ifiizsy-1755712220/
http://abughazza.com/hsx4d/esp/u75rdlq64ir_20ffez-369627642185527/
http://acgis.me/wp-admin/rx09d8g1r4t_1ttn4g56-11387282/
http://acuiagro.cl/img/paclm/CfyZzKaWQCwfZWx/
http://ad.hiro-web.com/wp-content/INC/52my0lpu4o8en637bxdaibpddz_06d44yrg-90897854468/
http://adrolling.co.uk/cgi-bin/Document/xnps7se5p9027k3gosifzabes1x4n_27jlip-740191600447332/
http://adventurecyclesga.com/wp-content/esp/yevpby0nccm_zoe8m1h9ck-78619337/
http://agatestores.com/wp-content/6dzzc-lxlbm-aqsfkpe/
http://ahmadrezanamani.ir/css/odxco40-jjjpi-xjslyy/
http://ajkhaarlemmermeer.nl/wordpress/wbmp-ueex5wh-lupkqk/
http://aliattaran.info/r6cqohl/Scan/bElAKQUYJahJwfQZLSxm/
http://alifjayamandiri.com/wp-admin/sites/ov4js7cotc88c7ob_pj1axoc-3347004315/
http://alistanegra.com.br/cgi-bin/ix1jc21-at6z6-qzgbh/
http://alliancelk.com/kiffsnew/wp-content/uploads/INC/oZlQjvMVApzJpQsjllmgWCTtIm/
http://alvarorivas.com/wp-includes/esp/hJFXcwnrxkNKSheVBAvCQYbLrZyMdW/
http://anjoue.jp/academy/9x81l-c8ja2-wrakkkd/
http://apprentice.omonigho.com/glvs/Document/n2o0iav23cqis_7p4q74u3-26655344673/
http://aradministracionintegral.com/wp-content/uploads/esp/e37idwon4_fxm7w-790747758741175/
http://artemodularplus.com/wp-includes/sites/kpmfAEgsMyJdfJE/
http://artsrepairandpersonalcareapps.com/wp-admin/paclm/vtgd60y4fh6benwb7i8tt1l4_kuidvqj8h-32557428957328/
http://arttime.ge/intwx/zsCTxwfNteXaVIFkckcqQUvhsSL/
http://asrsecuritas.com/byc/dwz5d-yz8tm-pzlzs/
http://austinheights.egamicreative.com/cgi-bin/ciizKcrGGHWLYGFtsnYCkwz/
http://autobike.tw/admin/Pages/SqrceLCZvIvosiStgCzEZkXCo/
http://autorepairmanuals.ws/homepage/bSDjvZYCUYyxvldpcWiSpz/
http://avk1.ga/wp-content/LLC/wdzCMGMnnmSQm/
http://ayashige.sakura.ne.jp/CGI/parts_service/7ec58rbmpeljgfjt353y4zk3_5w3dkxp2nn-4885842641/
http://ayashige.sakura.ne.jp/CGI/parts_service/ksDqudmXNvlaBwGVoFEf/
http://balajiconstructionsco.com/wp-admin/LBNSTYdfSVfGQHZBCyCK/
http://bardhanassociates.com/wp-admin/LLC/PCEZhxZWFR/
http://bayadstation.com/wp-includes/parts_service/bil0nnimor9hvq_rizlw21c8q-4388807057279/
http://bci2017.finki.ukim.mk/wp-admin/xnIZaMIJOIAyKvcVfFXfsEjAbFdCj/
http://beansmedia.com/zeus16/wp-includes/Document/znqCiBYIwffGnyNlnyWnO/
http://bestflexiblesolarpanels.com/local/lm/dzs338ndcryc_7hj0k67v7-151885441189255/
http://beton-dubna.com/administrator/rIgYVmGnihsTKycqhoaSfBEgfCjn/
http://binoculars-shop.ru/vc4n/tu7knd1-gh2iylp-ietkpgx/
http://blackdog.sakura.ne.jp/bbs/fv1i3uw-kdm0fvw-acfnf/
http://blog.8500km.com/demo/u42o_oahjzvg-2201864671/
http://blog.blissbuy.ru/wp-content/3lpcmuw-pyzoq9-sdvd/
http://blog.dymix.net/tyalu/paclm/y4iba4pd6h7mgxp8a_w9crct4tvt-04858064696/
http://blog.olawolff.com/wp-includes/sites/feMORpkEyzPPjNgTiZSmG/
http://blog.ysydc.cn/wp-admin/GLcYGEFSNIWOJveRO/
http://blogs.ct.utfpr.edu.br/direc/INC/uIdEMaPKdBqQYlDQHdzQyh/
http://bocaskewers.com/wp-admin/FILE/JJGmtbMTHqOHyqlXnLJtzZWGnZ/
http://bondhuproducts.net/ewjdmwf/7gjyjj-l0zzl-iwxxxad/
http://bprmitramuktijaya.com/templates/Scan/rz0b7sn136lfafd_jkoqphs-52318851/
http://bunz.li/hcsr/paclm/iv1m7z2ov4aeyd9oowc_4z35x-71533411096933/
http://buyfirewall.com/imgdb/Pages/HSlmCXxcwXoqxoCJlVCBKbGSOk/
http://cafebuenavie.com/TEST777/INC/GApYOkxztqgJefHbjQlbdlyXSagKW/
http://camponesa.ind.br/wp-content/uploads/a87nb2-0m8dk-uvxe/
http://canadiantrainingpartners.ca/sitemaps/Pages/ZsHxialPFwU/
http://capewestcoastaccommodation.com/wp-admin/lm/ZgMwFJefnDWnqQOHmiuoqMM/
http://carmelon.ofekhorizon.com/wp-admin/paclm/nNuMvduUZWoNsO/
http://caycanhnamcong.com.vn/wp-admin/paclm/vAsvjFdWUn/
http://changmai.info/jng/nq3u0e-k0a8o-wirw/
http://citywheelsagra.com/wp-content/ezhlem4-8ir5xz-jrnlh/
http://classicimagery.com/documentation/tnlwla-fvc1vd-qnco/
http://clientes.grupoendor.com/test/parts_service/0gym60thth5g5qdr2uph8i7x_o2ycvck4b6-49652223430/
http://cn.willmoreinternational.com/qher/6dk1x3izjg86s5zqcavcm_n97ccg-5164862602815/
http://coebioetica.salud-oaxaca.gob.mx/wp-content/uploads/nts68xu-zmfzf-rumb/
http://comicworldstudios.com/wp-admin/q4prc-3lyaa7n-uuvaxum/
http://cortinadosluft.com/jfntu/uxkBAzqCzkKHrgDB/
http://crsystems.it/images/Pages/HMCcZTrAEup/
http://cyclotech.tk/wp-content/51jp7z-lff92-erhx/
http://dalatmarketing.com/wp-content/8ze2s9-8t0a98p-psay/
http://data.iain-manado.ac.id/wp-content/parts_service/xhgoodKaIgTrqSlftsrtI/
http://deam.cl/cgi-bin/QWrRdQEWFZnP/
http://deliciasurbanasfastfit.com.br/wp-includes/DOC/mbphvd9r_r4or4-37681815367/
http://deliciasurbanasfastfit.com.br/wp-includes/DOC/mbphvd9r_r4or4-37681815367//
http://deliciasurbanasfastfit.com.br/wp-includes/DOC/mbphvd9r_r4or4-37681815367/\/
http://deliciasurbanasfastfit.com.br/wp-includes/parts_service/ccHnNrMqVuBfrRopPOjX/
http://demo.risovation.com/cgi-bin/Scan/QmiyARpzzddjmPmLokQsPQqdwaUp/
http://denlo.biz/cgi-bin/LLC/o8b9ocxhij9ixt3ypyz11v5h6xv89x_dysptk-3735705121/
http://designbaz.com/wp-includes/7mayq8-s2f91v-gvonqoi/
http://didaunhi.com/images/esp/DOzRRoNDqFQRzzkpiZQPPAKfC/
http://dinsos.lomboktengahkab.go.id/dinsos/paclm/XgYZazOrZIlspAQJ/
http://direccion-estrategica.com/wp-includes/Document/hqk6xu23qi_n0c4lroufh-8391193796/
http://dmamit.com/wp-includes/parts_service/UIxJOOXHQttwCXbxGajffNfXeGA/
http://dompogrzebowysandomierz.pl/wp-admin/INC/pvi0fvideljqxp73d19_74ww95-45963944164/
http://doretoengenharia.com.br/modules/paclm/BGnxsIujtoqkW/
http://dostavka-sushi.kz/wp-admin/qxs54u-p7683a9-dxrophg/
http://dreamvision.bg/wp-admin/xQqEPheE/
http://drivedigital.co.in/landingpages/INC/qAMIEkvQptnxnmAvsRJfrQstywgLOT/
http://drmarins.com/engl/Pages/xFLRPevIJyDdyNEAUIdsVckgkUYZr/
http://duwon.net/wpp-app/sites/rahRSFgsiMcsLaYgnxZg/
http://dyussh2oren.ru/dussh2oren.h1n.ru/qj93a2r0nx7r2fs9ay5xf26_ioqe3-04093985826555/
http://egyalfa.com/cgi-bin/sites/zbautlxqx01b_chwa3vyfgk-467301109571/
http://elbethelrevivalchurch.com/wp-content/paclm/oi6r8vqp8_d12q4qa9-676027339171769/
http://elielcruz.com.br/bootstrap/um71ex38grt5c9wtt_g46jgk0yy-59642532/
http://elrayi.kz/mvc/HKnNoDzHEuoxNbZzlDCu/
http://en.efesusstone.com/wp-content/uploads/parts_service/12cg6f6rb7c0q00nw567b_1u2eg-64424404/
http://engenerconstrucao.com.br/nfuvi/sites/MseVOOlEmisvQjGBuQvXHcfGyQLtJ/
http://ensignsconsultants.com/wp-content/Scan/6pp1tyfd7wjwqk374jd5kssdpkriu_1fo2ye-1740947321/
http://entertainments.rocks/29sonpb/lm/79evuf9qgo0bwvx5tii4617s2ff9_97m48z-5396900312/
http://esmocoin.com/engl/parts_service/b6gt2awkm968m9yi2xe716cdfyas3z_zb7fkhkfn-8090263878/
http://eurotechgroup.ru/wp-content/07h1f4-f6bcu9-oxiix/
http://evolutions.global/pyz/FILE/0xix83py9hgzwhyi4il8ykq0dn9c_svob91-45176553/
http://excellentceramic.com.bd/wp-admin/DOC/kGOwSaasKsfhJhhYLWSwISlxGu/
http://eziliwater.co.ke/wp-admin/ss9iig-36iip2-nphcuf/
http://familyfilmhd.ml/wp-content/FILE/tVoMVZPbNPDdDrAvPLRsxtaiBlK/
http://farabtrade.com/wp-admin/INC/IKAMnrliXLfaDzxkPKKeiaIBcvk/
http://faroholidays.in/cgi-bin/Document/HDPnIYRWAhaTMKpiqLrsmT/
http://fewyears.com/kowashiya/INC/nWtOgBAOH/
http://finbuilding.vn/wp-admin/fowpdhg-i6c0a0-gyagrgx/
http://fitnescook.com/zkmvoy/Document/0i0tmte2j5dgqz0czbhz1i_fse85asv-20096055257/
http://foixpropiedades.cl/wp-admin/paclm/mr1o0z3wdk2wf7hgqc7krpgk_jjs98ll1-879681962301939/
http://folocadla.com/log/25qw963tf6l58f0r6plfqeje66bicp_jjulhtp7-16656441/
http://food-hokkaido.jp/cgi/paclm/ripYnnysgRkSKjKvWE/
http://freecell.id/drod/papkaa17/jc3dj-jcmow-evagto/
http://fujoshi.net/808cho/2tbp-bk9cf-fmova/
http://gale.diamonds/wp-admin/qsvpcrrj5amttznatfignagem_cm9dhc381-9826921230510/
http://gamudagardencity.net/wp-content/iizYwbOxxbCxFLCZvrJk/
http://gconsulting.dk/phpmyadmin/parts_service/eGYiGZYRyUKJfHNXRyaHom/
http://getyourattack.ru/readme/bt2s8jp-5qe63-mzey/
http://globalonetraininggroup.com/tovlsk3kd/Document/lTgayDRWQhImhDRlCcwhe/
http://gloryschools.ps/wp-content/DOC/9s8kuapzm_72l0jm9-63616227106/
http://godrejsalon-i.in/wp-content/logs/FILE/lRaYcIFhANdNbTKyRvKryJTOhVhc/
http://goldenfibra.com.br/tae0de/nccy93-vyctr-kmyip/
http://goodmusicapps.com/gc41e1/INC/yhyepAfntHbNI/
http://groomertracker.net/wp-includes/kzmrm3-n2ebtij-rvxqwj/
http://grulacdc.org/nsjqpwt/LLC/cfBXXLFVZixMy/
http://halliro.com/adenta.co.uk/Scan/rgwgcdrmkbu_etvwkzw4-406488951309/
http://haovok.com/wp-content/uploads/2019/lm/gRBYtWtGm/
http://healthwidgetmembers.com/user_online/paclm/OQzxPUnpssglRmLNvurrzrNFgbm/
http://helpforhealth.co.nz/css/acbm9-kwj7h-peujkrt/
http://hijacketwanitamuslimah.com/wp-includes/INC/OkzjoGpxA/
http://hotelcaravella.it/wp-content/paclm/g6zgf9vkaq488xwpr_p2i5erdv-069151302586/
http://hsm.co.th/wp-content/uploads/4mkw7-ge0t7a-bgwea/
http://hunde-sport-freizeit.at/images/yijfdcgfc_drd7p3lnl3-805700180798168/
http://husadakarya.com/wp-snapshots/FILE/t1wynz7m1h2om_3962c0pdh-33634489/
http://iberian.media/wp-content/parts_service/kNPBylOT/
http://imatics.cl/wp-admin/6iresi-mhcb81i-vzeaxyi/
http://inf.ibiruba.ifrs.edu.br/wp-includes/7ed02ii4jlf64usb6vw_8ci26pcg-029095337179630/
http://inf.ibiruba.ifrs.edu.br/wp-includes/8wrm-wdw2z-fuwk/
http://inf.ibiruba.ifrs.edu.br/wp-includes/INC/cAmmtECONwUhu/
http://infotekniksogutma.com/blogs/paclm/69h2229wudpdbax1nkzv4x_uezv4-787270625/
http://ing-de-carli.ch/apps/paclm/l8gvd6aj0k7zjyganm42jpb_p7yd8-12675808481064/
http://innhanhsaigon.com.vn/wp-content/paclm/ig9nwl873swba_0twmhr-139615015627/
http://interlab.ait.ac.th/wp-content/cache/d81mzmq-fosl9-xorltbb/
http://interlight.seogurumalaysia.com/wp-content/DOC/LzgpXTEqghCRDZbFYtehvCtfGjeXF/
http://jagapapa.com/GeneratedItems/sites/hkqxj32dk8wa00n8xyodvla_mj9sc-7489447242172/
http://jamsand.com/about_3/paclm/OsllaPAGnGOHMo/
http://jandersondesign.com/js/rCqWsnrWJnAyoIuDkhEZWbn/
http://janec.nl/INC/6mhrloffz_piw5g5bci-69126736929/
http://jaspernational.com/css/esp/PUmBhwECGeLbtMjHQBsecsTLKIERK/
http://jdrpl.com/cgi-bin/rcu2mr-4lhy680-kqahgno/
http://jespositobuilders.com/cgi-bin/parts_service/ZuLCNKxAbk/
http://jkncrew.com/esp/hvrJgrBEtx/
http://jsc.go.ke/wp-content/uploads/1i65w-ouoocl-sekjr/
http://j-stage.jp/parts_service/miGnxydJBeWQcxMlrkIWayQM/
http://jutvac.com/css/lm/SvkTiVffJFjKEnxqnE/
http://kabloarizasi.com/wp-admin/esp/fbe8arp6_935orj-581215178074/
http://kanax.jp/koku-no-mugon/kieaqWtWQUch/
http://kanisya.com/cgi-bin/LLC/ybzbkNTJIgHNzHgORgZWcoULRKY/
http://kanoan.com/cgi-bin/KnLSEhvhByrMdJyndQuqH/
http://karenanndesign.com/_vti_bin/esp/8mdys2sisoj5veh_cegy3gle-41684013/
http://kavalierre.ro/aatq/Scan/HcezRVAondbZWOoo/
http://kiichiro.jp/blocks/paclm/OrEOtIlgvMfQZNzwHtnyBvQCehcHBX/
http://kinotable.com/image/nlyt204pfwxvp2_s5s081inzc-01418077986/
http://kirakima.sakura.ne.jp/_yoru.html/lm/KitGyeaokbtqqnqdXeggNeoqh/
http://kivikoski.dk/IRS.disabled/Document/z55jrpm1xlwc_t6trfk45-242881053114814/
http://kivikoski.dk/IRS.disabled/k3slxzoq6j6hws82_8gf1d-286702854274/
http://klassniydom.ru/wp-includes/Document/1nmskwvo09l2tbxulma6dhn21393_p38q6-283503568/
http://kndesign.com.br/alarme_files/DOC/CMaBzJzQQmzlagoVZdgFCEGHDaDZo/
http://knutschmidt.de/logs/INC/PUxGUbFFQSORHjAweoLXIZr/
http://kopiroticentral.com/wp-content/parts_service/oqw472pajmixlzhtb5xben_39u2d3b2-83233810/
http://kuestafm.com/wp-snapshots/Scan/qdvoenwehnqgmzm_410u0vhwj-503972874491300/
http://kujuaid.net/2005/DOC/6u9917zb_fyugiclmdb-71542144755215/
http://kumalife.com/Library/Document/rqtpzqh7ys34_9p01g0g-6505566292/
http://kuyabunso.com.au/cgi-bin/JgmErotxDwSHLcpSIATJGNLqBzvy/
http://lapisvia.com.br/qqggee/lm/22cytxvf3g31rmn7hy8a920q2b_fpjhcp5n4-96280875559174/
http://lategoat.com/wp-content/parts_service/RKWNMojzVfImpFCGljLLAUoWRwt/
http://lc2training.com.br/arquivos/xamwlw8-dms7o-dtjbne/
http://lejintian.cn/wp-admin/parts_service/u0hovmjmmyv1l32_tyg484j-650166756659060/
http://leonxiii.edu.ar/parseopmll/DOC/WLgCIKKjkpjgxKaFZOjqsrHWTouY/
http://lequie.de/wp-includes/Document/ttsd60xlxo3oqslq2wu_vpwnlqz-8559418497685/
http://liga-ufa.ru/wp-includes/20sqosnc_2w2m66ig0-35289411921395/
http://likenow.tv/wp-admin/INC/RhgBqAEYbWYVSZvzwmHKMsyeF/
http://liva.app/old23/lm/52phbtbd5g1knm3umn8iutsyzq_p2j5oog6l-607579896735/
http://lorikeet.in/wp-includes/1g1wu-z3p2mrl-olsio/
http://lsdmoney.com/w1u/FILE/FILE/qcx1rgwmc09z9r5rmzsqxjosu_1hif5b11d-304008003724/
http://lustamleben-musical.de/cache/NZqWvsPfoEVIzWrhRSfxJ/
http://lyricos.000webhostapp.com/wp-admin/parts_service/ajwzgt5ybmh6jbdoqrupuw_w6kvakdex1-161044460219/
http://maestrianegociosaltorendimiento.org/empresatips/paclm/wJjefaDKHgJmsJlTzpkCYqIJkt/
http://maltestefansson.se/wp-admin/kzXSCWlKeedtd/
http://mannifest.in/cgi-bin/esp/qnwyjd7ro0aoau9giq4par_xmc18bn921-60232736987/
http://mansoura-institute.com/cgi-bin/Scan/MkndjdepoeJnS/
http://maritim.ca/Common/INC/brvd47dxpd5jbcxat2jqbmxlye_a73ny5p-605274374591424/
http://marketidea.in.th/wp-admin/0mkcr-mrfa9l-xurtcu/
http://marsik.by/prft/lm/pGTfeEgiDxC/
http://masens.be/wp-content/INC/pgv4zwmfw4491_ihmev2z3-333794514/
http://mazury.vip/wwrqj/2nbol-s2iin-rparhh/
http://mcclur.es/mccluresfuneralservices.co.uk/DOC/tuZHZVLGaHMuzCpjw/
http://mcclur.es/mccluresfuneralservices.co.uk/z9aoj2v-avqh9w-qynsbbd/
http://mediafrontier.co.za/wp-content/uploads/2019/Scan/2qic3ym5zbrmes46pz60ca3b3h_ope82iv-5451732251/
http://mekosoft.vn/wp-content/uploads/v7tw-huhsd5e-zeaa/
http://mesoforex.com/wp-admin/PKrSrSAmcy/
http://metro.com.my/calendar/LLC/yQQUCMpSrzqpKMBuMGtLdaiB/
http://michelletran.ca/wp-includes/r2od-b0f14-cfgxwpm/
http://mihalych.com.ua/wp-content/DOC/v0lbqv52oa9ttb6j06830o89id_ubs605g-210161115131/
http://milneintl.com/wp-includes/Scan/afEEIkjqyMsZeMfv/
http://mondosabinaimmobiliare.com/wp-content/uploads/lm/PbRQNRwlicbOlqLCfAJBaqRf/
http://mvb.kz/wp-admin/jrqyyNLscnn/
http://myphamvita.com/wp-admin/or1fkvw-hh2y3-mkkqxj/
http://mysterylover.com/corenascreations/zencartcatalog/cache/7949-zhv1x9l-neiwp/
http://namgasn.uz/includes/lm/DHPJrTcUqeixWhCXPE/
http://ncep.co.in/wp-content/uploads/LLC/775sxxcrjiajnf6fe_9a6ri2-07542030562904/
http://nch-kyrsovaya.ru/wp-includes/esp/0co9n9igh412a2q7hc0iu4vxc2h7_i68endvtkv-044871272613754/
http://nedapatra.com/wp-content/wEOFlxzZHp/
http://netmoc.vn/wp-content/esp/fmep4j2q2lk2ods963wd_go6wpghnnl-16767374/
http://newlaw.vn/wp-content/nuifvvy-6846u-ogaufjt/
http://newlaw.vn/wp-content/wbqu-3rwy357-taka/
http://newmarkettowing.ca/wp-admin/DOC/EaKhzntVrjZeNZnOyIZGtBzsH/
http://nkipl.com/wp-content/sites/jnhjo4a084lph1d_a7oedx-69653973153/
http://noel-cafe.com/wp-content/hWJukVrjbuaqWoDPpeGxX/
http://notariusz-balas.pl/goqtirm/3j9p-heahs6-yvrmt/
http://novaan.com/wp-includes/wrfxa-ti770h-pkvh/
http://nsco.com.pk/cgi-bin/LLC/arpHkEtvCK/
http://nswsecurity.com.au/wp-admin/esp/np7tc762t_n4x0sm6-4407602030/
http://ntad.vn/gm931mo/icegy3cvmyp2qo6qx79_azfag-16232805427625//
http://oasiortopedia.tk/cgi-bin/8tvf-tm3rv-bqkzv/
http://odac.co.id/inbqbmw/DOC/egsykrvyjicl7mezng5ae_pev0218s-285583824746639/
http://officesolutions.com.bd/wp-content/parts_service/zv6po5ck8pbq4sm7u0o3nf8q3p3ocg_i2uj5pa8np-974865408639391/
http://ogrzewaniepoznan.pl/wp-content/esp/0ppo3bcosmjv634mtci7y79u_ksy4mqnwb6-585873021848031/
http://olivecancerfoundation.org/bin/LLC/4apv8tuf2wjs17t8lmt3k_z4iupivthu-2440354989878/
http://operationfriendtofriend.com/wp-admin/DOC/ONlVlDaQNNzFYjqjt/
http://orangeink-tattoo.de/wp-content/uploads/szjNDOiOOcpHHvPNyrSvzwGwJt/
http://ows.com.co/cgi-bin/lm/UoCsrvnJhuzPsUpeBqYjGV/
http://parbio.es/2d3uhijwv0lulb0p_afppy9-5420642518898/
http://parquet-san.com.ua/rbci0gd/lm/VkuPvBRTifXErdWxZGZHywSviJPo/
http://parvaz.me/gkjgo/iazuv-32wnjt-oawe/
http://pensiunea-anamaria-bargau.ro/engl/Scan/oAhWYNzR/
http://petfresh.ca/cgi-bin/FILE/vEHtfMkiR/
http://pgneetindia.com/wp-admin/mwhGBJIuoXklfZjZjA/
http://phuclinhbasao.com/wp-content/uploads/bu5q-6mqm33-sajpb/
http://phukiengiatot.us/wp-admin/Scan/vlmq7x5uctd9rpmc2ijnddelnb9_thpt7-19986497392/
http://pincelebrations.site/wp-admin/LLC/28cw99x5bzlnxeq9x4d2cx_nycsqfx1i7-612010142030129/
http://pkdhondaotogialai.com/wp-content/paclm/22p09rxzs_qaydauags-40299352319/
http://pop-up-brands.com/test/6usr6w-gqh47-mmpexfk/
http://portal.maesai.ac.th/images/lOTElcljRgeXG/
http://ppprime.co.th/webapp/DOC/OZzsUDwEGuX/
http://primenumberdesigns.com/mark/Scan/9cgsa6vd0t8y7cz9d8_fk85anlh-6195230624/
http://pronics-reh.com/wp-includes/Pages/JMtKEIEjOZkgvVkWnzQ/
http://protechcarpetcare.com/wp-includes/parts_service/znnb0e0awx4vx9kq87ny3zu90_akm6pfp8df-231360640/
http://psicologiagrupal.cl/wp-admin/Scan/gj1ftralcdu067bc8nb2_okgce89cp-79147648/
http://ptims.no/wp-content/Pages/e9b524blnbwi79gg_xafiog4bec-95472157/
http://pugiduck.ru/wp-includes/Document/xCzlzgmfp/
http://qitravels.com/wp-includes/Document/5eb8t989_l1961-1504135581/
http://quadbeetech.com/wp-content/parts_service/bUnrWShjihQUzNmYe/
http://quatangtaynguyen.vn/egw5/INC/IxGCFpGuVzhuMRl/
http://queencoffe.ru/luxlkq/INC/SNeSqKTvsuGWvhW/
http://rajinder.tk/wp-admin/paclm/sxwmi3zs37qlzg7kja5s0qttlxa3_017ereto8-605645520403894/
http://raum-zeit.de/vhjb/fPOAURnL/
http://rccgambghana.org/wp-content/QaOdVZvzvkAXgl/
http://realhr.in/wp-content/DOC/RltBeOnMTxhwVAxpEgIyp/
http://regipostaoptika.hu/wp-admin/kj6e-o0135-heldpqp/
http://render.lt/deze/files/ext/meThzlxRRjwSYYYFJKzi/
http://revista-rda.pt/wp-includes/lgz316h-4y55a-zeieg/
http://riteindia.org/Scripts/yh71cjozyfd2bxjqv122bw82ry6_iza4h3jhy4-341696027912427/
http://rmgproperty.com.my/wp-content/lm/fQnhwoNTbuKaVKNWKh/
http://robertocabello.com/wp-includes/y3fb-1i99t9d-befe/
http://romanemperorsroute.org/wp-content/SFXYXtleyyXjhCbyNrkHHjzenEG/
http://rosinance.com/wp-includes/esp/FPqJGukYRFtDnqVnkgyzBLtoZdlIw/
http://rostudios.ca/store/FILE/lfn1rszufp4c9f5qjv3u67pfm_wpafpiixmt-04140375847/
http://rvo-net.nl/plugins/Pages/xytrREUQNapLEbDamWezKKbukGkYF/
http://sahulatmarket.com/wp-includes/qof9z3w-enve7qn-kpsdr/
http://sberbank-partner36.ru/tmp/esp/ctywa59engzmvjr65f73_68km4kxan-9236305614/
http://school118.uz/wp-admin/fojyx-e7tbpge-cmfvos/
http://scopo.in/8apkkkh/LLC/QYBHltZKlEAYuzNNlhtEvRf/
http://seethruwindowcleaning.com/vajolg/DOC/gigc53ef9pu87e_vecrb-94592711838063/
http://seikolabo.com/wp-includes/sites/ypnvfuy8j_vl6t0-32051380084/
http://seorailsy.com/ww4w/lm/b7gm3eq7e9y_7lknujo-21675234/
http://services.malaysiaboleh.com/css/frYIPlBsdjfIPpcai/
http://shaadiexclusive.com/wp-content/46v2w4-qz5g9hi-ddavfdd/
http://shikrasport.ru/wp-includes/Pages/IJrOdBKNcjNbIIkGFWOKKf/
http://shop.deepcleaningalbania.com/wp-content/FILE/gkfy0uk8cmqk_loe22-88959229/
http://shoptest.ml/wp-admin/INC/jmsr3ocufnvhc3q_wtk7vrb1ih-4905144411268/
http://shvedshop.ru/tovlsk3kd/LLC/AJwNKBGrrwMYmsQEHkueqZCuy/
http://simplifyglobalsolutions.com/xgcwh/parts_service/DRGvBguspZs/
http://sinantoprak.com.tr/wp-content/FILE/8t1jt114cckxjz_p3oe3-63771027545/
http://skycode.online/wp-admin/INC/QLDSwWULQwIpzuZhQ/
http://snlifesciences.com/wp-content/LLC/zpyk9l3c1c3q1flj_w5bdwfy-1128901820/
http://sobakaevro.ru/wp-content/paclm/lt63iey8qk72_rp5g0nmvbe-953829737136736/
http://socutno-varstvo.si/wp-admin/girb-jw5fku2-ekjpb/
http://songdung.vn/4d4ixle/INC/XyoGxMSoAYq/
http://sph.com.vn/3pql2w/c4kp-ahi3iw1-refr/
http://strazak.waw.pl/wp-content/z68r09m74oqce951eovz049kcs5_d7ww7-78151153/
http://strossle.sk/wp-includes/7osx3-5uukdl-pffi/
http://suadienlanhthaibinh.net/wordpress/paclm/QrYXxASIDbGjDrsLVLqlNJdpj/
http://suckhoevalamdep.vn/wordpress/DKXJXxWluamOXIdv/
http://sugikahun.design/wp-includes/lm/meAUulLGFcZWtmEWK/
http://sukhiprasadsatyanarayan.com/ijh00uaxy/owr5-flkpjgh-aghnypf/
http://sultv.pt/cgi-bin/1yqmrza-4frv7-sqwcq/
http://sunpet.com.vn/wp-admin/INC/d0pvlwaj1jj_cvq3o-6108898585/
http://superfun.com.co/wp-snapshots/3meaizs-wqvtywf-kfbwz/
http://supervinco.com.br/jslaqvc/Document/ZLdETDjWtKERoZnsmjm/
http://sushilinesurabaya.com/wp-includes/esp/9hiqzbvv3lqez3u_k4gj2-6319207089/
http://svetovarussianlawyer.ru/wp-admin/paclm/HPniqkfhaIqYRPAXoPtEZ/
http://swtsw.top/wp-admin/uz98i-fpmkem-utse/
http://syafukuseijyukai.com/wordpress/qoskh-gcooki0-fkqp/
http://syroco.com/wp-admin/fxbx-cdv2gl9-cwvt/
http://sysconmyanmar.com/wp-content/uploads/2019/05/fgvkw-3j2wze-gzhrctc/
http://syuji-higa.com/codepen/wzao0uffljc_8cojxsc1eb-81719304345808/
http://taimu.jp/dairy/npzmndu4zux_d97w2a16-788758797/
http://takosumi.sakura.ne.jp/GalleryImage/2svog-7uktrtv-ptwaf/
http://talbiagroup.com/wp-includes/UQipOXZHqP/
http://tattoocum.xyz/engl/DOC/TsxGjoCfDP/
http://test.desidcrea.com/wp-content/esp/vLOlEdFvWqhDDM/
http://test.desidcrea.com/wp-content/LLC/SIacbnRLJFPSTxZdNEp/
http://test10.ru/wp-admin/sites/EwiaLaLctqRlDiUVvzv/
http://test5.freebottlepc.com/tuzpq/FILE/cooujsc19a2cegnj6_tcmotog-266543746/
http://thefreewaterfoundation.org.za/wp/paclm/MDyDRtPeGRNep/
http://theoraclecasting.co.uk/wp-content/esp/rt3hp3hijd9qd0pe81adh9ldsktk_xcw6g-684265640953/
http://thesocialmedspa.com/ilbo/zhcegjt85w5qo3aw_5gr5nn4co-89534336453000/
http://thetalenttroupe.com/talenttroupe_27Apr2019/kmYEYBNzoOZcvnPmMrFQCSXE/
http://thienlongtour.com.vn/9dguwyu/Document/DSaWEuoDY/
http://thinkblink.ph/wp-includes/yedvhGzEZOyG/
http://tienphongmarathon.vn/wp-content/Scan/suEAwPKZxHIU/
http://timebank.ai/wp-admin/Document/SXtmLuuaUV/
http://tngeblog.com/wp-content/eOoNYdaXJJfTVftGsKN/
http://tpc.hu/arlista/FILE/xaax234mcwydae902gf1ya_wnz0g3-226314364698937/
http://tpexpress.vn/logistic/Document/LTPsgfIxpeV/
http://tplstore.com.pk/wp-content/parts_service/ai9n9b4k5h3ww_fq7qn4-9523200758376/
http://tradelaw.com/Document/z2yj-j5sak-qrjssz/
http://traineelaureate2019.com.br/wp-content/DOC/dxKcnaqfCUrPOxYjJEl/
http://trangsucbaccaocap.info/wp-admin/esp/f8zuuyoperm91xj87jr13g_339tk33niq-43502552389516/
http://transfer-1.ru/wp-includes/Pages/RMdEAirmBCpuYXSZkYrNJ/
http://travelwithsears.com/pantallas/sv1i-8cuy3d-wtpg/
http://trentay.vn/wp-includes/o99g66-vqkyz06-ntfjz/
http://tsareva-garden.ru/wp-includes/sites/UogXYZHsUUIIBvMk/
http://tsatsi.co.za/au0aag/parts_service/66vn86cuyg804mls4_ahos19w-822538932904122/
http://tuslav.com/wp-admin/18yp6-9acrdg-daxjemr/
http://tzsk.su/luz/lm/u67641l242_1maz6-315164677876/
http://ultraspeedtv.com/wp-includes/wcw74fk-o02jx-renmr/
http://ussrgun.000webhostapp.com/wp-admin/pzkn-ffz73rv-irbkz/
http://vancouvermeatmarket.com/wp-includes/sutpl-6hnad-ggjjpfj/
http://vanisoftware.com/api/public/qkQTUbJo/
http://vantageautocare.com/anfdu/paclm/YICQkKpnRErgaGmsdAwfL/
http://vaultsecure.eu/wp-admin/FILE/KhPcnYIAsVmMhF/
http://vds-vloeren.nl/wp-content/LLC/gSlMTysaVxnDGZhKpjN/
http://vegapino.com/wp-admin/esp/XBCCzqPIqSBkQlhdkiplheIkCLZK/
http://venezuelagana.tk/wp-admin/73rw-2471ye-jhpkfdq/
http://vforvictory.org/dojhcl/Pages/eiOTgsaHSKREcCGBdp/
http://v-gostyakh-u-igorya.ru/tawj/INC/DyuZreGAQfGvdeyfoZVLMvWlY/
http://vimefulland-athena.com.vn/2yr5qnp3/f9aaz6xt7hvd79z_uf2jw6ty-457154914260/
http://vipro.life/cgi-bin/lm/aMrvQePJxl/
http://vistarmedia.ru/wp-content/parts_service/JFoMkAgeP/
http://vivadent.krd/wp-admin/paclm/GASTcmyNIMvsQ/
http://vivax.baytechsoft.com/hkwud/r41lq4-p60rfu1-cerdkf/
http://viwma.org/cli/Scan/aosWntODCVSVOGVd/
http://vlxdhoangmai.com.vn/wp-admin/kfMNdVaIkT/
http://vnseiko.com.vn/wp-admin/yjvNexxUxeEgEyQwUqnfSIkN/
http://voassistance.co.za/wp-content/esp/mISXAzeQhqTwNFriJSoqnogPa/
http://vovsigorta.com/eski/zjz9lmsr9c0u06pm_t7bw5xb-2129698569/
http://voyagesochoix.com/wp-admin/Pages/KfPirwtRlOzEXnROuFLUpHNKW/
http://warwickvalleyliving.com/images/INC/ycpxzj66dt2fqx91_94htn-4597536559236/
http://was-studio.com/wp-includes/Document/zg943o2bnpsc4ukw_ztcsu-25937618/
http://wb0rur.com/certificates/esp/54l6g2wtlrxxogdt1_9j2dme0-557382127/
http://weartheory.com/admin/FILE/GxzmtorlbiLiQMbMiNaxmEsBvHgfPQ/
http://webshop.se/u3j0/GbzIZOukGhpzRgNxOXrLWtzSvThe/
http://wediet.com.my/wp-content/hv2rnpv2ve_l5cbtsm6-19777051790/
http://wildlifeassoc.com/wp-includes/Pages/JudXMgiIFjnyzsxcFztuakEcUIgaj/
http://wisconsindellsumc.org/wp-content/9sp6-xdrwptc-kkovg/
http://wmzwq.cn/blog/u63z2_hbljf2m-6/
http://wolken-los.at/wp-admin/ylDiaqDYZvsEUqwzuUYBL/
http://womenofthebibleonline.com/cgi-bin/PFMqpAiTaCyekmbmmoFSwsXAIjQG/
http://wordpress-263723-820316.cloudwaysapps.com/wp-includes/parts_service/DdkQiEVJWgjYpqYVwDkIaP/
http://wsg.com.sg/@eaDir/sites/jHxMXwXZoKKJhbfqITnjpjD/
http://wss.bg/content/uploads/VpiYIxzzsIvFOJvTWykhlGpFcJsuB/
http://www.camereco.com/wp-content/languages/4b3u-9vk9z0y-wmztpu/
http://www.citrixdxc.com/wp-snapshots/parts_service/qEkwIAxwfTVtpEDixSmDMrVE/
http://www.digitalmidget.com/llama-speak/aCBPrpdBwjmbEF/
http://www.lombroso.com.br/blog/Pages/ecfvyhGmCgqTEaqPOSQhKfMQGzaR/
http://www.mahala.es/live/c453k5-fn42h-iklsbb/
http://www.nextleveltravel.es/language/INC/daTpvRgY/
http://www.pomohouse.com/wp-content/INC/jy5yfs8a0sb4wb0tf2ebj_2axwtvd7b-2482537198857/
http://www.shirdisaibabamalaysia.com/wp-includes/Pages/jffLyYJxUi/
http://www.tanjabok.com/mail/ytfy7ii-loz9z-udyd/
http://wywoznieczystosci.pomorze.pl/wp-content/nlu4ory-1qpme-glkml/
http://xcalculus.xin/cycling.xcalculus/esp/gv20ibph6x_fmz0yw-11364222814587/
http://xginformatica.com/aydasesores.com/LLC/qulNXemGvExWiOtrr/
http://x-mastournament.be/wp-admin/Document/x2ufn7lgi7jmlu36wdwsiee2b_horhwmvnn-13060748934/
http://xn----7sbcihc6bmnep.xn--p1ai/lyc/WVjmovKadLwdzPXcar/
http://xn--80alhlhbufhdhf.xn--p1ai/wp-content/v25864dkt8nv4m_e0bs58-0172637623127/
http://xn--n1b2bxcijc4cd4cfb.xn--h2brj9c/wp-content/parts_service/hzfyboLJSVXwnRHhmpo/
http://yashitamittal.com/15gv/parts_service/y9ra0t8dy9yyqfqprs1ikq_hz1l7-69692875/
http://yoloaccessories.co.za/ukhz0yw/qany-2urknrp-pfdo/
http://yta.co.in/wp-content/Scan/cuqxonq39272s2oiqauu1qj1_dxnkrrd7-25108329564550/
http://yumitel.com/cimg/LLC/ieEcQMpnVTVEbkDegVPciEckT/
http://yunuso.com/cgi-bin/Scan/y6wgipe7kvw9_d0ufw2ny-10571936872123/
http://zachbolland.com/1drpn/aol_files/Pages/wicc7nkdgl24r7h1mvhngeal2h_sd1k3yl-50162319/
http://ziplancer.io/wp-includes/LLC/9qanm0kl3w7eb4qxprq_fafbwi6i-921486917037/
http://zonesoftware.co/wp-content/uploads/RlRYHwyYIpCLBQpGkXK/
https://0xbitconnect.co/wp-content/9b1nwg-5mixk7-xizo/
https://1forexsignal.club/wp-includes/LLC/0pvyblasun71ljugjn_t4wwwiti2-69045780/
https://acgis.me/wp-admin/rx09d8g1r4t_1ttn4g56-11387282/
https://aconsultancy.com/site/parts_service/QIvKpCvHKlKcdhZchUKPweSz/
https://acronimofenix.com.br/webmail/parts_service/210xve7buiaw2mfr_fcpn87smw-727557583464/
https://adventurecyclesga.com/wp-content/esp/yevpby0nccm_zoe8m1h9ck-78619337/
https://akihi.net/Animals/Scan/YyrlKWYgTqjlqUoWI/
https://akihi.net/test/sites/167i2xvlgyis76mw61uvqqme13_b0af62-171181877/
https://andythomas.co.uk/document/INC/iuqvosMe/
https://apps.cartface.com/wp-content/plugins/hunl-vio2dux-mdmh/
https://auter.hu/adatvedelmi-tajekoztato/FILE/lmIYooxDDTutZV/
https://blog.mymealing.ovh/wp-snapshots/mookm-bfbwg7c-gdqrmpa/
https://blog.olawolff.com/wp-includes/lm/pHtbfyHINEhxHnjeuIQSN/
https://blog.olawolff.com/wp-includes/sites/feMORpkEyzPPjNgTiZSmG/
https://buxton-inf.derbyshire.sch.uk/wp-content/rrpnthz-mw1cqv-kivs/
https://cabindecorpro.com/2pol/parts_service/7ci4ep7byrn5wu5204prv4nvo_1yhqddpb1k-8890423987693/
https://canadiantrainingpartners.ca/sitemaps/Pages/ZsHxialPFwU/
https://caygri.com/wp-admin/OYzIKKktwdME/
https://deliciasurbanasfastfit.com.br/wp-includes/DOC/mbphvd9r_r4or4-37681815367/
https://design.bpotech.com.vn/fueru/m91cu-41qbnnv-akvbm/
https://devandtec.net/wp-content/3yn926r-krfqg1-sgedfjt/
https://didaunhi.com/images/esp/DOzRRoNDqFQRzzkpiZQPPAKfC/
https://dmamit.com/wp-includes/parts_service/UIxJOOXHQttwCXbxGajffNfXeGA/
https://dp5a.surabaya.go.id/wp-content/i0vccrz-b69c8p4-wbch/
https://elbloggo.de/kram/wtf/DOC/NeQgytWKSAvBcrBCLw/
https://engenerconstrucao.com.br/nfuvi/sites/MseVOOlEmisvQjGBuQvXHcfGyQLtJ/
https://ergowag.fr/wp-content/uploads/8y904-f2aq0p6-lwcrkji/
https://esolvent.pl/1/Scan/l4hv06goy_6ralh-7437919688982/
https://expeditiontoday.com/wp-content/FILE/juljzqwqg89goz13ll_kjsb64rpqy-8791587564/
https://fgm-powerenterprises.com.pk/cgi-bin/lm/nv0kijmg1ldv8dfs_7f9fa-565498287140/
https://freecell.id/drod/papkaa17/jc3dj-jcmow-evagto/
https://gamudagardencity.net/wp-content/iizYwbOxxbCxFLCZvrJk/
https://giovanigioiellieriditalia.it/error/8b5xkcrj0lm8zh9fsb0i_10ewtdf4w1-28645202875/
https://harishchaudhari.com/iuqcn/ObrkiwgsxgmCNOsGm/
https://heritagehampers.com/wp-snapshots-hacked-remove/s9myp-nyow6v1-svzncrf/
https://icdt.unitbv.ro/administrator/parts_service/w8qca00eqy7nq01gf918yqpr22z4_rpev90d-196767120862359/
https://inmobitech.net/fhfu/Pages/40t3ol3pcmlef18x2b_xfx7s-468859724607005/
https://innovate-wp.club/wp-content/uploads/qys2ebt-iwbbk-alhrxs/
https://jordanvalley.co.za/wp-includes/Document/ujphaxe9mddatnxfsy59434_8hi8ods-77793165/
https://kampungjuragan.com/wp-content/uploads/DOC/zo6sp28hcim1n1cmpmsb52h7dt_vo8rxx-0375938552/
https://keaimi.com/wp-admin/Document/dzs9rwyyvl3qvozjcx_ispwqu81h-812551102/
https://kerosky.com/wp-content/DOC/dktSNTtfSpqXrZblmTRXtE/
https://kralpornoaltyazili.xyz/wp-content/hvw7phwn8hss9y4q9k16_03fucwvlh-747676090634209/
https://kralpornoaltyazili.xyz/wp-content/tt13c-539ty-vvqfr/
https://liva.app/old23/lm/52phbtbd5g1knm3umn8iutsyzq_p2j5oog6l-607579896735/
https://logopaedie-stuerminger.de/wp-admin/SteXhisNbLpTIWaEOAlS/
https://lucky119.com/wzzeb/u3a7k6g-80iywm-pnmkh/
https://mamabebe.pt/wp-admin/v3gft3-nknh2q-ebfypda/
https://memcom.bradleyrm.com/wp-includes/paclm/om6bqfr63kf_5d8inhyufd-713057321763/
https://mhfa.org.mt/live/paclm/cx3h7v0y8cwr5hjsvfk_ay7qw-04997084013/
https://mybestlifestyle.com/wp-admin/kft55rx-5jf54hl-iqbrakm/
https://notic.fr/wp-includes/LdMJIMLSPrBUhzV/
https://notlang.org/cgi-bin/eedqg4-2yl0s-bxannkx/
https://ortusbeauty.com/error/jr6x5l2-gxy7qnp-clulnfu/
https://perumahanbaru.com/gading/FILE/m6piknegtaj2lt6p0yz3vc2c0_ug6py-81955318960920/
https://ptims.no/wp-content/Pages/e9b524blnbwi79gg_xafiog4bec-95472157/
https://purplebillioninitiative.org/wp-admin/v3ox-xalpj-eecdrtg/
https://rccgambghana.org/wp-content/QaOdVZvzvkAXgl/
https://rezaherbalstore.com/cgi-bin/LLC/YuagloANTbSQOwHMgwaPzCfYORX/
https://richdad.today/wp-includes/7kok-50f69-vbhnwhk/
https://roubaix-coworking.fr/wp-content/wj7hitf-vba84p-iyluwe/
https://royalqueennyc.com/wp-admin/atix-7iyhw-cpls/
https://salomo.tk/administrator/p65w-qd0i39-ficmgpj/
https://smart-ways.tn/ind/Document/zCYktFvdoMzwrA/
https://solmec.com.ar/old/sites/t8md91c5s0ktltc7r0wryrquiq_auy5xftb7-2182217120241/
https://sunshine2019.com/wp-admin/Scan/rsRhqSjc/
https://tamta.gr/wp-content/l0rvc-p7cfefj-mikhg/
https://thesocialmedspa.com/ilbo/zhcegjt85w5qo3aw_5gr5nn4co-89534336453000/
https://thinkblink.ph/wp-includes/yedvhGzEZOyG/
https://tukode.com/dem9bd1/pzf67e-wjzhaa-iyuid/
https://uniquedestination.mitsishotels.com/wp-content/ewww/FILE/pcRYLteiBahDfrSAYZtMOGiDskGL/
https://viandesmetropolitain.com/wp-includes/LLC/rkwg7tv6z769bn5ghhaedigsh_na4e0i0-5143260342/
https://worldtouriosm.xyz/sitemaps/Document/u74c4g7do2_hm23qc3-2455270045016/
https://www.bspro-corp.com/wp-content/qqnf-teedbp-vzsvozn/
https://www.clinicadentaltecnik.com/wp-content/mmjmtp-9v60tm2-dpgj/
https://www.duzlem-tr.com/wp-includes/Scan/z7h2wvvl9p64xyn1wa_nzclfkk-51827067/
https://www.livraison-bruxelles.be/wp-admin/mUeWUbeFOVXTwegeMO/
https://www.telepostal.coop/cache/DOItWsxzzYzEdYJdEGuWOzRNcIzAjZ/
https://www.trvipifsalar.com/wp-includes/DOC/vwaatfVfwmZFru/
https://www.zixuewo.com/avatar/FILE/RpOpdWpZ/
https://xcodelife.co/phptest/l5xdpgj-5iavz-lysemj/
https://xn--22c0b3ah2c9bxas6k.com/0869595264Line/tv6cmh-ry9zv73-iphfoa/
https://yashitamittal.com/15gv/parts_service/y9ra0t8dy9yyqfqprs1ikq_hz1l7-69692875/
Epoch 1 Payloads by Document SHA256 - All Times UTC
Creation Time 2019-05-13 19:26:00 (Password Protected - Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
c413ec81ba6f7dba1cd9deb1c992ad3827fd5af72b09c0dc219d4d1539f34605
http://xycindustrial.com/wp-content/uploads/3oz5f80982/
http://arstudiorental.com/ecmyl/papkaa17/f8vhktx2825/
http://technosoftservicess.com/bhldyu/un96/
http://egresswindowsystems.com/magiczoomplus/vh8/
http://star-sport.com/lacc/8v0hb1639/
Creation Time 2019-05-13 14:17:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
422be47da833fc2a2f16070afee359ce097ada74dc8a0bd85ba8a98b3964955f
1e445b9eec7c210246ee83d30249734f99a65aecb2f106c119024c74852f305e
5f6d4de04ed65785278d9299141e909aa9b51f3c3a922757c3fa294f7b97b833
93bb07db516a600938125e66e1b7485532cbe48d5e7d52c69c59415fe78464fb
064008d6121b82acec1bcd2fd1ed5e70c027892e8136f1db56e55d36b272770c
e110ac93d2711e1fc065e7000e545b1062e8f3f48ee2ea341e00cdfd329bd51f
18eeee27889c61c6df63b0db40eff09c9cd6d0bebc8601d8eb1adb25c56c2fcb
http://videos.lamaghrebine.com/wp-admin/r94617/
http://warwickvalleyliving.com/images/classes/du4yz01294/
http://amachron.com/1e7t86n/dbi6281/
http://mmcrts.com/11/0qb064/
http://xginformatica.com/aydasesores.com/g0183/
Creation Time 2019-05-13 06:46:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
0a74fb820b6fb828014189d3ed16724b5af86804556810f202e66bacfc54256b
34d0232516166b85aa2e47207ed428b6bd8388d1c4f0eae38bcaa4aed7e864a7
201e08956902260f54c9b0ab368ff82d6fcf615fac93096b351755bf25ecb146
9b4a493d0f455f645d056ea6e5da1a92d0dd70a0a091d50f4aa2a7a3e4a9735c
6f4e1b6955744f9ccea95955f3a32fe8ea4c2c7f085a22595ab2fa7072762ed9
ec2d92f3fea50ff99653474c4f1f323f34b682466d8d522a20b92a19ebf07380
155c65cd20ce5963c8c99f0003c1ee344780ef1f2f6d397de81230eb7b67b1ec
27e01a8db25c86b942c2ee0e64a3e367fac01b213e8c082a585048fa54e0b325
c1852f177c903ebdbbc3c34d1284f41676262e1a243ea7b35ecc9762ab0c6a20
66ba37dc935921cb993db4580f446c784067f658eb30ef2e19121adae3b59676
bbfbde5e9d9514836d5fd35a839c4b9c61481078ee33f052cb125fcc5e396a57
8d3462c81fe2340ca9700793ea8206bef1908ad934cfb501fd41eb7d65ba7628
5c01cd32bf2748335ed158600c594e451ecfef17cab80485f37eb936b6bdec13
f48cac8c548e2e11a0a805545e9a5dab697d2a5fc1b9f40d1811a165a5be824f
https://baovechinhphap.com/wp-includes/gdmiad3/
http://ds-cocoa.com/css/ptk903/
http://corehealingmassage.com/wp-admin/ufbyw973/
http://derleyicihatasi.com/gecmis/or116/
http://nhaxinhvina.xyz/36e/nnrm97524/
Creation Time 2019-05-10 20:10 (From ZIP - JS Based - Fake Error)
SHA256:
1e16035f416b56b7d0cdefc0fa398428a625786ff2cbf818c002b0d01cb1ec83
http://manhajj.com/wp-content/hljk27/
http://passdir.com/wp-admin/x9nkw36879/
http://blog.kibblesnbitsblog.com/zbdzij/j3163/
http://phumyhunggiatot.com/phumyhunggiatot.com/vlv0n3008/
http://oguzhancicek.xyz/wp-content/covmv18/
Creation Time 2019-05-10 14:15 (From ZIP - JS Based - Fake Error)
SHA256:
acef7ed794876bb721db7e52f3733cb7cc4586ccd06d02229376095aa31b6ad5
http://grasscutter.sakuraweb.com/wp-admin/i8lh0984/
http://earnthenecklaceau.com/revisiono/x2o14295/
http://profesja.biz/wp-admin/nton2im76/
http://608design.com/2769/4pi419/
http://ashhalan.com/wp-includes/m6l22229/
Creation Time 2019-05-10 08:00:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
25ea7b85b3c5157bf24c5a3aa4661202e9de5b851540f3ff29fcd6026fa647be
438375758d2ae8891fa32d5147db6271384a8cc4ab47a68f8f050bd340ca652c
daafd7de86aed162a2d09d1cbc34acf0b80e88be7b18871a31c31afbbd6fbc0e
5f34852ff0ce290e1e9cb0f13bbb8558ad64a2a0f2b6d0700f09708b08d0ebd8
fdce6d0b881089e8eefc611d21f5343ec817db9e06be231b35ae84db4b8d2cb3
7466d73030d905c7399f186fd48d464046d5ca16453ab8ea60b69faf2c5b223b
http://resourcesyndicate.com/wp-content/cd7yd93137/
http://jyosouko.club/wp-admin/lt801/
http://tacticsco.com/Prod3/b83/
http://tradelaw.com/5tkbl01337/
http://instasize.org/wp-content/f09y73/
Creation Time 2019-05-09 21:30 (Attachment Only - From ZIP - JS Based - Fake Error)
SHA256:
0088adb4e86956b8b15a3cb45156f74a95644c88ce5572ec601e10de5ba1badd
http://thepngbusiness.com/wp-content/5ecnu9155/
http://mitsubishi-3s.com/wp-content/languages/ly28/
http://allweb-services.com/public_html/gjyy1k7550/
http://www.bostrowala.com/calendar/imislh90839/
https://seethalekshmiconstructions.com/wp-content/jm72/
SHA256s for Epoch 1 Payload EXEs seen on 05/10-13/19
0f26aece79ffc1391a075d3ec4bf67602ad2a05d81ab7fdbe1140f428f31c775
a4219f684442fdaad3ca1289c3286cce878931d3402337c665ec828dce888a90
6415eeaac24577befd62654a3d51d4ed43c7c090bf56f95da681343b5caaf0b5
227fe209442cf07476ef2abb10c1a24501df4ba04af1d8de78fadf250de4d160
ed188eb2acaf1a55d733695dd1f50acf150e96689afcf02fb901668256dc9a8c
b45fd9115e23766c7276964936d0687a0ac2bc11be846a1e7b8ea8caf41c31c5
357d65d8e44088895d46376222ecb60311b52ceb76b4ff4fbd8fdfe4e6f5bf6f
509f8188469fa79d4dc262a9d3a47e33ee55fcac9eee69e3072df02a6ecf0c17
ae8f0d9499b8878a45d2575928f1f31a250d41f4025dc81978afbe122c276920
4ee74e9e2462745b75086873f668b2d1bf8a209a6eba847a9025c91433eb73ab
3254dbd7bd08138c955df88ac1565c8253c1cde173eb94921088ac61ccda80e9
7eabb0409ccb46674274b5a02bcdb57773a0e14431263c1faa07e82347456d64
8bda842324027ce405bc39e7d2ce4b49052ac3c7bf625a66a1b07a8ae60daa5b
20643ae7d51fa554dc8d0b92724368ea0860d2aaf5f35f0889684442554971c1
41a486b404d1e965e7cdde2bf7b55e3a8a97ab053e6e8d396688afab9977493f
7ee4312722b33b8500f94e541991bf4616ec4f6fe2983a73e2fe27081613b367
8a8e0bfd88f7bda974a756a7314470af7b841cc825f59748beab4c42a508b2d0
1018a965778899fc39b27af62bb1446861678c26b8b80e773ac4c3a60378142f
cd2c62439a6f5afa8cc89318891b35d5913bd3c52d60c1b8e346f9d0bec3fcfb
1d77957e9acfb85b974a4ce1860aced5db8aed3fa5ffcf4ca58df09a1c5f5eed
f29c69add5bcdf0ea8356869e10c6befc0eba84a28a72143f2ad999d2d2a53ff
f20285bc57c3c919aa3d2785b260c24cdc2d9001709956356859acceaa7e0b90
d1137c6c24fa91a81358d454840d332a92ada1e07e60738d9b8ab2ae18835500
ff86bff5286ca672d31e84d09ecc665132def42920cc8d68f48145b10f38d538
411f63d8ea34f5bb2cca22709e05a4c7114a9c175c6ea1b519c50b5ea2872b50
ffd244245c1f1192b6c70ca6fa46eabecd62c89f1494bc04cb9f6ad2a21119f4
dd84e9f0f2f5e5b99d952d568c7f72d8280a8375676bd79ef2514cb9178ae5f8
601661f37be101bc61a2e5fc0e7e7c1150b1a92a4faa48f6c4a3168ba9c24d95
6369a50df2f1227c4400604bdfaa9f747972958d6f4be0b4b67a6b54b0d2107d
bc4ed5528016a4825bd646ed97fbc0393dcbba0499e851aec72994e701486908
e67917f022f33793976a0e91f7a537f785a6bb40c8ec3150b9abea86e81ac881
b86b42debe863cc9fc44509d08764c225f133ff2cfad82a6b5f4920a48b463b1
a086047278cdbbb5dac071f126d4855aec81f84f0944d54280a9810fccbfb55b
7c53ad36f73ce92c07781055f5a1b255166b178b1f5d6b86b6c4f0a994caae3c
8208f564963c1b1ec3dac937603a9b4252577c5d828f1b4403b39bdb3eb2421f
59782b59a693b9e35b67e563fbbeac4284e0eacaab7a5b8f32f3de39f887e5df
cc11f6afd293560a957f095dd4012e939b4792150fd3f0bd4b3c6376bd64258f
3772b05750ffa57e5454a6d115f5c30053195fefaef61a8dd699188b4fb7d1dd
9392b5904c08ac166fafb9155aace212adfeda38d95bdcb40e6075a3a2a2858b
4ceba5ced7310077d76f136a9435c70ef44646d0589e36b332abeb61479734e0
6dd408c7d8a48c1dbeaa39b69c96646076eecc446ede3200ef0c85ef07303859
2df39d8e8614794a3a9b6ea3bef158e5416ec2c435639798dde780ea2b7f1410
ec46029b181181f2507ef2b423d978cccc381214835f74f02a1ed1ef85fc193f
b777ed8f5c8bc2edb1c78fb5dc3875982db01f19a949446e36353ec56e3cf5cc
0aa27218fcdf2935514add4efbfa32e59ab97bc5e9f2c6363a5d9f2296070b5a
c79e57415a1de59774f5e3434bd9f2b325fcb5c7092b4afb74754bf8f90b272a
6753c3e77e76a083ace8ccdb6d50fa9021968415404bb37332d7f30b3c8a4c16
abb7b00c4b6e41c8c2b16f47fb2120d03916a7c7d32a29eedab7e051a9cfdf9f
1d8059d2f0c574bf195e98cefbcd2a363e2e9770f840387cbaddb03262f0ea75
863529cc1cc29c3de587beec305e3b45d55ea4c7da7e33607c562e5450c25412
6e148aae77b11e77e1b8bb9389e5453803e31c79080e82ba5250e72def2ae873
c71a209800a34c63ba9613a32b2f722bd0c5c6e210463ca3007e3384e7752ca7
439d54630680daacae5fcfbf6ae79229795497c78093509984307583a72772a2
8b4b17d954761c44452d7a00baf50be055f145f58cf63db1067089394abeea06
092a9069f10d35f04e15a21cf88c7ca6b61c1afa2959e0f340b2a1de92da9885
810cf31232efff2191c62460f862d1e89885f159088c20a368123828a8f85d42
3616c39641334e0a8f1b842210cc309e9ec5f96ec989711f899e142e7ca9088f
25a26afb80dfe59a377ab22732bf0efe8e5d5cf88c23993ae088b8b610efd326
4f7b4552d85b123565428e0b4851208d6b33ef6888bf9fdfac36b78c67e35fb7
0454082e59a886a1b781ef99ce6faf2a97bfc2a5fd576a7b2fa01c039c2b2322
e18863951e17b6c5344229fa8c56461fcd477c1393a62d66a9f176c37c67c6b6
ee20882fafd076abc726699d169af824f038c22d347c984d7a8128beb44c22b6
943cb233ee53a575f343143e47b6064f224abd1842f4c09510801de5b64d6bfe
82f8bced5789a5acb98a578fbc5a28b56a6019750da36cc91683761740f0ad11
85ea96b6ec918a3587c8c7a2d9dfe33e5c2de25e5a72dfded03d2bc2586d05e3
d53d8975552df9f46b85659099523130410f3ad24c79c99b2df11376f70f84f4
a24e9693ad23759af4e0e31c8f81193a82a2f36e0b6cf240ea247a2ed868f148
ea1dcdf2038c4cabf4e61292c03277e51664da64fea0d857c0e25a8cf46208ab
7317b7d05c7bfc292f5106790f927cc1be06314b05b9e911ec7ceb2975e77d6b
ef19900098e94916a2ef8ce6f1af5e6919418eacba3bce57bac86ae9af12ffdf
debaf36f8763794b28183b507e9cf3d0085d9023bdda103d4f402fd95aab5dad
de4ee4f857c0dc6c3a339c9a8fddf7dfbce8a65c2522a7d636b8b64ee1153595
e03853c9185e540db3630f384720384670ac3f7dbf7e4f460446b15128987e6f
65621792c792005c023fd084217a3851030dffbcf066f9047b1f6459ae8f1b2b
f20c16a60ede21f7db94d40e5d73080bd92f89e99334b5c025d79472a11b2e6c
c76c559138a026d74b20fa90a27b5bdcbd4ad2b422799dba7e9fcf70d7f0891c
541acc77f8bc50ff4fb2102da1795047ff6716677e166ca4e8234fffa3622414
Epoch 2 Payloads by Document SHA256 - All Times UTC
Creation Time 2019-05-13 19:33:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
6e27b70e10089e9b815f7eab1b80e637e40733060f22a20e6b010b25287122ac
8f4a02c8a1ecbf0131226b34c9d39f5dcb5ef92663e8dc40f4b49392d606e4a8
19a798b57c3470bf1d7de42ca5ca6bccc6e55974ce6e63625a5e4b681c440abd
5c4496cdd3ee86af8935d9e1f64e6337c732741df7824571cf15e426f7913923
a2c86ee442e6189003747b161dcc36c2c569a74d96f0cc68e9150bbccefde54c
a7292870d07de0b4afc626e495e40af4daac91c7e19b36a7a783572f26b35662
efff06ca2c68747883b27ae3102b91edfccbb147f2817543219039446648404a
95b76cb37e2e3caa0e07f01c9aab219e128ea4ac3cab80aa48e9fc2733713343
baac5eeb90873f5781c9ecc9143537bd287a609e4dd9ce36b697e8fd1976b288
9cea1907b55f879861052c85d3db81e017c00adc2517d740c291b8d0316e6b43
3b33502eee805abdf772cff17265066d740c3f6c01d837510f58cb2e433ff5e6
cee6e8328110a0ba748a787b78d8eebed99ed183922003aa96a7ef7e235f306c
2b516c0d16970d0faa9e74f763ee14724579e15690dc06658835e0e5f5d462d2
a6cbf7c7f99de821b80884eb5076ff48e730075ac5d9c331eca9d0482e9085fd
b583ba4c5790fa703f047ee77bb5562c7ba09d4ea3845ebc1d0225173dbecf0e
0028a8ec6e89822bc3faa5e797caf836c057153d3f019d590741060716a55343
b0ba02974163d321b58322351c6ff306db87c9e1ce45a68e7558efc2f8303b82
2ee3c7107a9831e1b1d90d57365700c94ab4033e6515890204c82203e25c7808
652083730ca6c0f32527b1b7b14f69100e45229c016722bef50904c801e48de3
8813cd8261963dcbca65371321507b6502aa57883cd91ec4dfe8c5fe17e48076
7346090ed235d35e6a640f62b67cb02cfbd272a4a73ac4352bacd21e4f1c49e7
b311c5c0a459527071166668752e087223a3e5ca6a8c8319ec6ddb0f8ebb110e
f69b477c18524ba73acae4f93ae321077aed3645fd473eaf75cef1314dfd887f
492db6ac548104b627ee2881120eae5538f20e1db315e718e3b25de35f5f1bf6
1595c376a6dbe775478a9595ad780829572095d3264e2ad8dd6e9710f9a18522
fee909ec35382c82297015f542c7975ae152623fd04b05a73f81266d44f817fd
9f5351f25afca434053ad6ff7799422a3f59a83f09982e32a20048730fd0b5f4
3d024e0f7324646bdc397d5c2192820e2f73594afc77f3c509b8809d2a0c64f7
c0bd36b56a67c1be19e874287405076cdfca640755c790effe994b4de370abd7
http://durganamkeen.com/wp-admin/DgUwPMst/
http://gfpar.es/blogs/1y3p64_jyelzm-160135920/
http://yourplasteringneedscovered.co.uk/bfrye/eeURJGsK/
http://ladiesbazar.in/wp-includes/74yc005bti_pui2akdp-19152074/
http://engraced.org/wp-content/lwUhCxRzO/
Creation Time 2019-05-13 14:25:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
c171570c0949ae584d3ce11e007f204384fda256755150a477bf621831f52d0b
3081d8809d6e4dfddec906b6bc2fde8ea99ae2f2e6c96fc09ce6216ec413189d
8a45020788b56181e3d7bfc9aca0a8c72341cac08f87cc81d2f438183c4e8434
ba30141f7e490db648ad8e42062fd4e2b6f9eb324b4ef81063654794c244702b
d1fe265dd306d12a23abe6fb309fb7a55df3cd5072b13e87f9441bfb27bd98b2
41af0248fa854ba36a8ffebb928e34a3534a55a6a137710cf9075d54eb36e421
748ff7ea8346885bfee97ff2b16d3d4d087a49687c84ce3f8e2731479efda033
6c91e700f82440568c9bb8af07957861829be2801cda74f1634b68080007f492
470961ff90751cc95e11591bfe11720e7ca2c57ba385f7de6bacf250526748e3
cf0d3a4c0d0ee09b11d5d6d8a6cb8b36a32097ab9caf3756bdbaf68f5b6e8f7a
ac752ed59742f0aa2e2d9fda8cf70400e1697c456461ab7ad1667b50bb47ced4
61c05ab1671b9d2a1702fb7350a57f6ffc9cf9b71f3549c32cd97f31c1b2d34e
e813ff22c8fe4a93a6b3f393503d9faa86df48180ffba020887617ee3e1127b1
a483c77b4894eb63fb7c53b45d9a7cf8b7d2a11bf1b0a2f81f193d84053bc9ba
c54ee2aaa9c53f98119a50eda4f47b1435975057a61f4843e0a1694582aa0ebe
321386030e3165c45f3bbe0f42dc5832bfc6cc2c7546eee11b4fb1b8238a1ef0
604c80eb2c2e45827d4c907a0a0cacff9fa0f48b59bcba89dc38f27a12d4fcec
ff70948e53b3125d6019c6aec7af9e0c9dcdac12e3c3e1a4087f54ab07c3a610
6106e070e2c8b40a9994e18ad813479efe44ab0034d6c9d2fa38c306d335f95e
ba72f997f3aff24179ed4501ce5759a3a2ac3833fc62be48ab22a86e4cdc8706
c67ff883ff921adfa2dd849d135ab1e9f149024f27c9f92649f37e064c4df509
4d1ad2ef591fbf5546a7223b6591038b3ca4258a608517d5634c7e5ff4cfa784
293187f963f219cb930afae2badf540798925c729f70f295c7d64a0a3f0762c9
a01eff028804839919ecf103267f2a7122e9ef008451f4139f7f2a5c10a12628
874ed1f694fe34dbf097b8f095f76d67b126998f687e00666519a9906b403bf8
c3bec45a3e16770819b2b693ca808df2012252354d015b6bb16797817768cef5
b94bdb5e5bb0320f6a98aae2374552b1ae7eb1a0ed6d8cdb7f7165d406c88f17
31f9229ebb3ddc02e71aa685b92be9cf1ad3a0bbb634418dee1cbb72e4a25791
c26895eabd826f2ccdad7823fee7847029920bd30407863995e8aea9312afbba
d74e281cbbbf1e4bfa5a07e46cbf41398393cd3ba620c414d9dfa39809951a0f
c3d42fdec1d3b23ef5499cced1308cde42252207d2db26c549508371b10018bc
https://www.andrea-alvarado.com/test/SSpxosbD/
https://xerpsoftware.com/calendar/ZjXKtAcn/
http://soafinance.com/wp-admin/fGJmODgVCE/
http://filosofiya.moscow/2vx0z2/qo1xf387_mpk9z5j9-84/
http://nasaderiksubang.top/wp-content/kuCtItoZeu/
Creation Time 2019-05-13 08:29:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
777e35331f48e956b0b64de933c018241eee10a81c19e577952f87462650054c
3f2d8e8ffae5c0287f11f4dd07689c0aeab8a63f7e45d95ca26a710a6694990f
cf2c316569c7df1157e658c7fc5939808a79d02defa7d1972c6150dba2673166
334ee234f995826164131c5a9c5e42f4520ec4173377d412d162a5d893c5e40f
47a1747386b6d6e00d697130ba22e6f1775f4706f7e6cd21675b0d60e32bdb68
5737ec1cbf993da2a81e5eed0a3c91f33bb7bb685887f74f3fa713f3138e0fe2
91bdd80a862adc5a695327cc6b51199ea04b89fa9cbfea94fe2b1094623af433
ce8e68203e960559cba1bab1185bdd1e5e3c41b022a656fef8603291c8db7d51
76a59533b873ffaa9eee579a018537d64b3dbcb8584fae195fe3e475583e6fb6
49fa1d08ab693824fec032b40d0bc1183545ffadf1b859d11718c1c1eba1b1a7
6b6feaf5c5b705ee1a1d906b58da9eecf7fbb483674c113b40e5c3ec3998b6c5
8f63667583d4e87abccca270b1fc4ae83393b1959d50937264cf71f675224754
06ec407213aa480c3a1aca7529896e24d5e25c2647a15b63cca7e468b4da14ab
5a2697ff84c4be628abeb20461bb9e931b48ec3aae0af53208ad21dd726622be
https://utahdonorsforum.com/wp-content/7n02l558tr_4l6lqd-8757/
http://daithanhtech.com/wp-includes/tlmvyggiwm_qiuyrwc-8/
http://alvaactivewear.com/wp-admin/zic3_6ikeysj493-496935535/
http://luxuriousroxy.com/bqiep/trLCslfrn/
http://mmadamechic.meushop.com/wp-admin/x79891cd_q7o212dm-21396/
Creation Time 2019-05-10 16:20 (From ZIP - JS Based - Fake Error)
SHA256:
2b695b354e1485292556309baf5e876b4a7ba956bedf9c2bfab60b3ecbe625c8
http://sunriseenterprisesapps.com/cuodwt/krtn2_z037v4nez-2713213459/
http://dangdepdaxinh.com.vn/dangdepdaxinh.com.vn/YddiJkmC/
http://timfazciencia.lfdb.com.br/tlymda/7otx2_85vxhm51r-96156741/
http://tejclinic.com/blogs/dLBixpKmc/
http://generatorrentgreaternoida.com/wp-includes/oZWjHPwWE/
Creation Time 2019-05-10 12:20 (From ZIP - JS Based - Fake Error)
SHA256:
9cc55391cab46feb884731f30349d70a8db8db242a5eebdd45fcbbc3f00bf404
http://tosetaban.com/en/lzm4t_j0x5h-611/
http://teamearle.com/wp-includes/NqCSyYVQ/
http://filosofiya.moscow/wp-includes/3voxm5_f968ep-6270/
http://veresk-studio.ru/wp-admin/wt3smhc5_le7xirr7-9265853/
http://luxkarkas53.ru/wp-includes/9meud9ms3z_giecxtp4-02870870/
Creation Time 2019-05-09 20:30 (From ZIP - JS Based - Fake Error)
SHA256:
8997170c64dd6443cff779a0e4f1809a61cffcebff642324fde8c60c874f7175
https://www.raum-zeit.de/vhjb/fPOAURnL/
http://wandererplanners.com/example/7x5sp750eb_rwr3i-95041763/
http://www.dreamvision.bg/wp-admin/xQqEPheE/
http://www.guitarraclasicamadrid.com/newsite/mwaJJrIq/
http://www.guzelsozler.org/wp-includes/ecmv_2en3a-3/
SHA256s for Epoch 2 Payload EXEs seen on 05/10-13/19
f4fa4fad684e10e5f4d016134c73eeec9559278da0cea59cb6bc1e8f8ec9953e
4f07207894325e1073a2c6386d15123f5f0a060226f7ee562596e32c5e4d6df7
6ac57cf002e7b9c7e160fc72ce04d625f997bddc6b68052046a803fcbb6c14bd
e8cbd95796d3165db9ac032ad33704c2668dd5546ede40d02bf28bb6eb6064b3
b18db08ab19c962f1ec24de6b90b691a021b5a715c2eea99599e97f05ba357e4
b90147971458e3fec3ed5c8b9bd3324a0fc0325758bcb23bcf30f15b1b2fe079
e8df46d9b1e43db7dcaed9c9a02f29696e049a9e73bdc4aa9593e3ebebc154cf
20cb9605cf67d648f4cddf9f093645d5194b088c782ea7b578f532760161fc46
5a79d5e88634ba8c44d2376c98ca5cabad917355aeb59865107b0ff70d9b0fbb
c7ed48ab29211227ab1d9c003cdf89705452c109b813557a6cd5475bec4c8f94
2509590f99488df80dc39c7eb729b4fca4e4f914c9c797075031a99e4688cbc2
8e2b0c0c6a173498fa6db603715d2def02ba97fe85d373adcae392918d59adfb
67f9cedf9ba1da6d2dc19ff7d5efaada3841a1c04789b45df6d03ea70b8c6073
d1f477ea052a18f58d24edd6a90d453f7c1b27761694f169edf88750ae072a60
8a58fd8f38cea33f1be14aa092be3dcc8611414dcb241b9c718bc5665ae6fc7c
7e73e8fadd8205245c82b5377864282f48a4b889361111605f46a3c2b5ff72c7
4689f2c11b2bdf9be1b10f08b9225dde4c5c7d92dc584851633bb0b7f7949e8f
ccb4e19b49db51455ca7951ca6041325c7e6d9e9eebe1c25dafc87e8dacba7b6
3a6ed9dcc362bd9f51546ee701a380e7df5020461159bdc22e84cafb4dd90bf0
a5672c94029f1ef5fadaff9af563f9ba702f0447be58d65d369d1bcf61cc7804
771c8f7a533bc08b72d8802f8f452ca46b5bbda66159c89854cf5ab213fe6f4d
791e00b00a9c28e0a2a68dcfee3ebfdc41e1e32e4f7d6e49f12b577cc736a3b8
69860fcf2ce1ecafe62ecf9c315c539a10b32d1bf541cdc42ecec09d6d962661
9972efc915311cef40320d1d6616cb80637f85d2f0c9e2864365141c862e1e85
06cd0e36148d4eb96e3484502f253a2dea623776fbd4200e4b8fe1284a481aa8
79abd4932636dac9fd3afdeaf52d1b6ee9ce892e3e7011f5ddae6d268a635f9c
965e2d3a8b1cfabbc96277276b8ec65f0827b2a3da24fd0d4225ef38ae8fc6e2
81b6455f04fffb12436f89d28805170db131b3194757e2ec0946aa2946cce337
bff0fb1c0eb61adafd235983adb8d8985f6225a89f5adf5fdf676f7b001bf3ed
b2dabf29021be5ae8c3205243c7755a13df9c58ea84a30baaefdef8aaabfc326
1ef97f716d3276acbf45fd27e9f189714f6209a7f94df2d3750a05ade1a26cd6
0c4068d8afef6cbed8641586454b4ea3052d0825e579644f58ce64d3a4550886
52633981af075259928529e089741f226aefb674c179982d1c45276c27e3667e
2cc3cd285d85c714a7f82fc477dbc8b33c47a5d3bdc2a2d717256e4f082757ee
e28323ab72fe01bc966a60fada6b7b87527fee5380c36c03002d7813c6f96e48
704b6e4f208e1ae169162f345f954bbeecbbf0ec18185378336d8612d9eb1b04
43414e6536a731a248bd6041c09e033a9219eafccdb8dfa4c92360018a3505f8
c6a54bf901d21f589ea312d4052c1e1e2dc45abc0fe76dffd053e0d056dd6cce
fbec9f47b8e1966a6dd46cbc18910f6425ac207e2243ceb6e7feb0dd62eb7512
2c344e4724f4debf0f02f1bf2210dc6c0027bfa9bb4d903b2f02f5eb66bd08cc
4c1aa545706d10cfca0d4412b6ca7289f071b96dd816077ad8c5ee755d732b8b
4dfda2299830ef85daf3b008fffa8502e4dc5b70dd9a3ad59d478722086d01d7
9813ebe5254e11c44e9863e88292bd71af5bbd60aafefaad3230e146b03b9971
16774d90ef4bbb1c62700b6e0843dfbb8b3f7f6099b9a05170d1ff9cf0db4224
045f655295c01f053be229165a266806a391bb327bb4e24e8ab32f6d36984daf
53253bb802498b790006818521b652bdcd3587de73bbf276049ed7d1f618979f
86e32974a57a7ce78909361259bcd522aa018c2c09636cabb6df50c438e45017
c2e1dcf9197a4c79aa084be81bd31f3933011ca4fd7f8cb0fb6bf98492629880
6593cce7bfa0a2edcbf729b26276d7ff208f6e20814316607105326665ba945c
d61348cde2624dd4b21d38d9173db2c4314c3c72b67ef273f9e5f8cdbcd565d1
36073f59bca9499716948068b64a57dd2306a2ace2a41fb415086e0a69c07170
2eed97816ed7aaca29840ed50538c8b5845403aab49f3b800f4dbef556134901
78b6eebb6bfdff897add45c9cea8eaa7e1ef594ba3d37be5696a5d550cf8b774
6ddba10f67159128ec852f7df0d938668f8910e36c6ef3796097cb91be6cd9b3
7418de536f4ef3a646f88159e0a670c1fe49cd9522ec7faaed94a96fa47e0329
ef542a6656488836225eab031154badda2b5ec3ee52f12f5eaca4bb73a4151e2
998cd14f971b790ec6df859425779dd376d5499440f21ca476434c2041fb0b1e
8e0a9c4875852f54b36e34188e5626c75f38bff3f76974b5829d86f54e1bbf32
47c7ef922b31317c5a6fb1bd8fb5de37c531afcf5febd6a662cdfa662ffb35d3
bfd9e13914990ef97843efe8dff118146e597a0dbab2cad572d81bee61ed485c
3bab2115d649bb01ab37f83bb216a3b795828e65bfec6979c00aac5bdd60051c
18a5b8dc8438ed7341fab062f0ad46f9bad018724582bee8cdab23004e23762d
14f9e9c44d8f2dc9196b674e484cb1a77a202380735ca64558cea46bdc98f5cd
4da0f55bb36ef7d281d61277d68e5c6bdd2a065a6d61e62d7704fdcec6445b56
393c9acfe8403de9f0ea2fed42c843d6e7da7dfe2129b3ea976fc3cc84f1042c
4307d27d8687c1c8cb5a895368866714dd699bf35eced39c7ca4f6af87f3ee40
6117927c3aa4c7a5685a08b7ae8a9ff05d718beb5f6af83f5cac3201dd85b65c
99dcb332b07153191d45c23d1551e2e407ff581ac936d7bff28a0d0d81c88e5a
64c8860a8e1da04e50f57edd215d5eaaeaee14ef3fb450bf90e33733caf19be7
54dba7de43a2863d3a091d312d987915622068a027bd07ce63288083352902a4
f2e2fc9c53d0d16b1e7ef24a9ef6f742890432d95406062493748c4214a54d3d
3bae84c75d38f2b0ef8bedfffcebbb45fe46bc67737d7a1ada290a24fee30b37
f8c51f9049025063ab6416eefaaf059ee8f875c09ae619989e2af39da34759c3
28095ce9155442f4ad52b8bee5b6fb39991f80a1dcde899080c10caf990e2878
06d345a301ab85d79d760347292e27c4e17813e32aa759cf857eb45529f4484b
Epoch 1 C2s
103.201.150.209:80
103.213.212.42:443
107.159.94.183:8080
109.104.79.48:8080
109.73.52.242:8080
111.67.12.221:8080
115.132.227.247:443
139.59.19.157:80
144.76.117.247:8080
159.69.211.211:8080
165.227.213.173:8080
175.107.200.27:443
176.58.93.123:8080
181.142.29.90:80
181.199.151.19:80
181.29.101.13:80
181.30.126.66:80
181.37.126.2:80
185.86.148.222:8080
185.94.252.27:443
186.139.160.193:8080
186.71.54.77:20
187.188.166.192:80
189.196.140.187:80
189.205.185.71:465
189.213.208.168:21
190.117.206.153:443
190.147.116.32:21
190.171.230.41:80
190.180.52.146:20
190.85.206.228:80
192.155.90.90:7080
192.163.199.254:8080
196.6.112.70:443
200.107.105.16:465
200.114.142.40:8080
200.28.131.215:443
200.45.57.96:143
200.58.171.51:80
201.203.99.129:8080
213.172.88.13:80
216.98.148.136:4143
217.199.175.216:8080
219.94.254.93:8080
222.104.222.145:443
23.254.203.51:8080
24.150.44.53:80
37.59.1.74:8080
43.229.62.186:8080
5.9.128.163:8080
51.255.50.164:8080
62.75.143.100:7080
66.209.69.165:443
66.228.45.129:8080
69.163.33.82:8080
72.47.248.48:8080
77.82.85.35:8080
81.3.6.78:7080
82.226.163.9:80
85.132.96.242:80
91.205.215.57:7080
Epoch 1 - Spam/Stealer C2s
61.92.159.208:8080
104.236.185.25:8080
50.116.63.9:7080
Current Epoch 1 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
Epoch 2 C2s
103.255.150.84:80
103.53.44.20:80
119.155.153.14:21
133.242.156.30:7080
136.243.177.26:8080
138.201.140.110:8080
147.135.210.39:8080
149.167.86.174:990
149.255.56.242:8080
162.243.125.212:8080
167.114.210.191:8080
169.239.182.217:8080
173.255.196.209:8080
174.93.130.148:8443
175.100.138.82:22
177.230.108.144:22
177.242.202.30:8080
177.242.214.30:80
177.246.193.139:20
178.152.78.149:20
178.62.37.188:443
178.79.161.166:443
179.14.2.75:21
182.176.132.213:8090
182.176.94.236:80
182.188.47.206:990
183.82.100.135:80
183.82.110.170:53
186.113.19.171:80
186.31.189.232:143
186.4.167.166:80
186.4.234.27:443
187.189.195.208:8443
187.192.147.246:21
188.138.91.26:7080
189.209.217.49:80
190.112.228.47:443
190.145.67.134:8090
190.25.255.98:443
190.25.255.98:80
190.53.135.159:21
190.72.136.214:465
198.57.223.7:8080
2.50.4.159:443
2.50.52.255:20
200.21.90.6:80
201.199.89.223:8443
201.220.152.101:80
201.231.44.78:80
201.238.152.20:465
206.212.248.178:8080
211.248.17.209:443
211.63.71.72:8080
212.22.215.140:80
213.14.166.152:990
216.98.148.156:8080
217.13.106.160:7080
217.199.175.217:8080
222.214.218.136:4143
24.139.205.186:8080
41.169.20.147:143
41.220.119.246:80
45.123.3.54:443
45.33.49.124:443
46.100.165.6:53
50.31.0.160:8080
50.99.132.7:465
58.9.168.7:443
58.9.168.7:990
59.103.164.174:80
62.75.187.192:8080
64.13.225.150:8080
66.84.11.168:8080
68.52.43.253:80
69.45.19.145:8080
77.56.253.112:80
78.100.187.118:80
78.186.5.109:443
78.189.173.217:143
84.241.10.111:53
85.104.59.244:20
86.122.149.86:8080
86.97.246.229:7080
87.106.139.101:8080
88.198.62.227:8080
88.21.212.13:8080
91.205.215.66:8080
92.154.101.154:50000
94.130.35.140:443
94.76.200.114:8080
95.128.43.213:8080
98.144.73.193:80
Epoch 2 - Spam/Stealer C2s
198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080
Current Epoch 2 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
Credits and Notes Section
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.
What is Epoch 1 and Epoch 2?
What is Epoch 1 and Epoch 2? (updated 03/07/2019)
I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets(MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
time period.
Here are some observations I have noted since I have been watching these botnets:
- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have a different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change very 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Monday's of every week a new set of document download sites and usually templates to accompany them are generated early on
Monday morning/Sunday night.
- Both Epoch's may share a host for binaries or documents but NEVER the same directory. Eg. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys will change every few months so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.
If I think of anything else to add or if anyone else has any suggestions, I will add them here.
Community Lists
https://pastebin.com/NFZ39h8J - @pollo290987
https://pastebin.com/DPZTtq1j - @ps66uk
https://pastebin.com/MZLU3zFh - @ps66uk
Credits
(OC from @JRoosen and/or combination work of the following)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!
Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
Daily Log 05-10_13-19
General News:
E1 seems to be going into full attachment mode and even may have re-initiated Operation ZIP Lock today with password protected
.ZIP/DOC files. E2 has been primarily doing links all this time. There was some ZIP/JS (Operation Zipper Stuck) on Friday but today
it was just straight docs being downloaded. I have been receiving very low volumes of late and a lot of late and a lot of delayed sends.
It seems like Ivan and the Emotet gang may be going after more quality vs quantity but it is hard to tell if it is that or other technical issues.
In other news:
Brad at @malware_traffic had witnessed a Trickbot infection today from Emotet E2 while in the UK. Here is his detailed post:
https://twitter.com/malware_traffic/status/1127978087407411202
There seems to be something going on at Sakura Internet in Japan. A good deal of websites have been used in Emotet Tier 1 infrastructure
here as of late! Thankfully, our Emotet fighting friends in Japan are doing their part to take down these sites and reporting compromised
servers to JPCERT and hosters. This is very honorable and the effort is appreciated! Here are some of those reports:
https://twitter.com/papa_anniekey/status/1128127426028957696
https://twitter.com/tiketiketikeke/status/1126975624793341952
https://twitter.com/tiketiketikeke/status/1127062950999613440
https://twitter.com/tiketiketikeke/status/1127870050168295424
https://twitter.com/tiketiketikeke/status/1128086029993332736
https://twitter.com/ozuma5119/status/1127219291030294529
https://twitter.com/ozuma5119/status/1127610430703038466
https://twitter.com/ozuma5119/status/1127619333444730886
Thanks to fellow researchers/Emotet Fighters: @tiketiketikeke, @ozuma5119 and @papa_anniekey!
Many people have been reporting the higher rates of attachment based malspam which is likely a direct correlation to what we are seeing
on the E1 botnet. Here is one of those reports from ExecuteMalware:
https://twitter.com/executemalware/status/1128001762512785408
REVIEW:
If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
to open .JS files via Notepad.exe. You can follow my instruction here in this Any.Run:
https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
https://twitter.com/JayTHL/status/1126204098670411779
Email Template Report:
While I did not receive one today, I did see signs that Operation ZIP Lock returned with a public AnyRun of a password protected ZIP/Doc
file. This is shown here:
https://app.any.run/tasks/8f47404b-7fd8-4cb4-9151-1d40336830af
While I cannot confirm that this was in fact received with a password that was provided in the email, the existance of this sandbox
run and the fact it is on E1 which saw a good deal of attachments of lately, leads me to believe that it is highly likely that
ZIP LOCK is back. Additionally, this particular example was very hard to find on public sandboxes.
I only received a handful of emails on Friday and Monday. The emails were all generic and not reply-chains. All templates were ones
I have seen before. As previously stated most were attachment based and this followed with what @ps66uk saw.
@ps66uk reported on what he received here:
10th: https://twitter.com/ps66uk/status/1126993275347439616
13th: https://twitter.com/ps66uk/status/1128078311773618176
Review:
What we know about the threaded templates/reply chain:(changes are marked with *)
- Emails are sourced from once (or still) compromised users all over the world.
*- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018 until at least March 2019. (may be up to present) Also have seen emails going
back as far as June 2018.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
- The injected reply is usually prefaced with the following:
"Attached is your confidential docs."
"Attached please find the wire transfer form."
"Thank you for your help. Please see the attached."
"Load instructions attached"
"A printer friendly attachment is now included with each email."
"Click on the attachment to open or save the printer friendly version of your report."
- Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- The link is customized for the display text of the link to show the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous.
Link Regex Report:
Regex directory patterns - E1 did have a brief run of a new Regex I have not seen before on Friday. New pattern
for E1 *'ed below and updated E2 patterns.
Yes you want to take out the * in front because it doesnt belong in the actual Regex. :)
E1
*https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/
E2
*https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
*https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|demo|direc|Document|DOC|esp|FILE|homepage|images|INC|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
*https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/
These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of what I saw in link malspam.
Payloads Report:
As previously mentioned, stage 2 has been almost entirely attachments the past 4 days on E1. For E2 it was ZIP/JSs on
Friday and today was direct DOCs via link.
For E1 and E2:
On Friday and over the weekend, it seemed like the new loader v3 was in play with very few hash busted updates (3 a day or so)
and small file sizes. This changed today for E1 and E2 at nearly the same time 1900 UTC with both going to 20 minute hash
busted old loader style EXEs in Distro. For the most part this was mirrored in C2 updates also but it seemed like E1 switched
to the old style loader on the 12th.
C2 Report: C2 Combos continue to climb higher and higher on E2 now at a record 95!
C2s DID change for E1 and decreased from 65 to 61 combos in total. - recorded above
C2s DID change for E2 and decreased from 95 to 92 combos in total. - recorded above
Closing:
Another Friday-Monday report, another bunch of Emotet. Be watchful of the password protected (Operation ZIP Lock) type
attachment ZIP/DOCs out there.
TT
Sandbox 05/10-13/19
(all with fakenet and MITM unless spam/secondary infection)
Epoch 1 C2 run on 2019-05-14 at 02:45 UTC - https://cape.contextis.com/analysis/73519/
Epoch 2 C2 run on 2019-05-14 at 02:45 UTC - https://cape.contextis.com/analysis/73520/