Daily Emotet IoCs and Notes for 05/17-19/19

Emotet Malware Document links/IOCs for 05/17-19/19 as of 05/17-19/19 22:00 BST

Notes and Credits now at the bottom Follow us on twitter @cryptolaemus1 for more updates.


http://adamjaneomir.kz/old/verification_area/net/ENG_US/myacc/sent/
http://blog.meditacaosempre.com/wp-includes/open_network/com/ENG_US/accounts/new_resourses/
http://callsmaster.com/azureink.co.uk/sec_zone/US/sign/com/open_docs/
http://doanthanhnien.spktvinh.edu.vn/wp-admin/verification_area/sec/Us/myaccount/new_resourses/
http://eidriyadh.com/cgi-bin/trusted_network/seg/ENG_US/myacc/send_files/
http://extravidenie.ru/wp-content/trusted_area/seg/EN/signed/office/
http://giveaways.secondtononenutrition.com/calendar/trusted_area/net/US/sign/office/
http://had.at/language/open_network/biz/en/sign/sent/
http://hitotose.org/public_segment/com/Eng/logged/new_resourses/
http://inted.org.za/adminer/sec_zone/en/accs/com/open_resourse/
http://lettingagents.ie/wp-content/open_network/sec/ENG/anyone/office/
http://montrio.co.za/wp-admin/public_segment/biz/EN/logged/sent/
http://mrtrouble.com.tw/wp-content/trusted_network/seg/EN/anyone/open_resourse/
http://myschool-eg.000webhostapp.com/wp-admin/public_segment/com/US/signed/sent/
http://sosyalfenomen.xyz/wp-admin/sec_zone/sec/en/logged/user_documents/
http://thezebra.biz/wp-content/secure_zone/sec/US/logged/office/
http://www.zorem.com/wp-content/public_segment/sec/Eng/accs/open_resourse/
http://yoloaccessories.co.za/ukhz0yw/trusted_network/ver/US/anyone/new_resourses/
https://adamjaneomir.kz/old/verification_area/net/ENG_US/myacc/sent/
https://engenerconstrucao.com.br/nfuvi/trusted_network/sec/ENG_US/accs/send_files/
https://had.at/language/open_network/biz/en/sign/sent/
https://thezebra.biz/wp-content/secure_zone/sec/US/logged/office/
https://www.zorem.com/wp-content/public_segment/sec/Eng/accs/open_resourse/



http://1mm.site/calendar/Document/SyCSbmjCNBLJMhV/
http://1roof.ltd.uk/creationmaintenance.co.uk/PLIK/0b7yzogc9ssofb8efy4o2otyua0o8_769kqe-314850535719656/
http://2mm.site/wp-admin/parts_service/mKgGhvCsue/
http://30undertennis.com/cgi-bin/SSciXOTzaMbU/
http://37p.jp/PLIK/ABmcygtH/
http://3e-science.co.jp/0bnr/FILE/uqftm5q5kyuw46b1_lncr44-686604949932/
http://4mm.site/calendar/paclm/xs7iayebhxav43itekey_684m3-36315752815490/
http://51wmys.com/wordpress/sites/jcpf6vdw8w_aynhf-24814159993785/
http://8poverh.com/wp-admin/lm/iwy6t7o3eo78_0ypzx0hes-26872424816/
http://academia.sprint7.net/wp-content/DOC/y2o7x25x04us850gpca2ogh_mc4rmv-270782010665758/
http://ackosice.sk/wp-content/INC/57pds8qj977fuqw_bjxbdhsf-3574519625067/
http://acolherintegrativo.com.br/wp-admin/DOC/hwhyCUiZwJgDRgE/
http://actyouth.eu/images/esp/i2b08crtzw5cemgb_c9lnt9-19555073384/
http://adbee.tk/wp-admin/DOC/vr23xzu3_4fu1rill-05769244/
http://adepterssolutions.in/news-admin/sites/KwMonjtPbhHoTi/
http://adkhw.net/wp-includes/lm/AspdvJqqENclfsu/
http://advantageautoworks.com/wordpress/vky2upshs_7vkn3a-4894152276061/
http://advokat-kov.ru/new/parts_service/2cljnkezfje61yi5i3gidtylki1t_pfjx11gy-0167021759547/
http://ag777.co/cgi-bin/LLC/sfsn56f9mmil3omdgkmw3866elq6b6_aqjz8l-158616319099840/
http://agents.map-link.co.uk/cgi-bin/Pages/dxebbm7rfe9yjkcu1s0f_owwlim3rvt-900385447853124/
http://agrobanaselaras.com/wp-content/uploads/INC/scl0jn4di5vbchuyunuyep8eryel5_jmybt4onpm-91631390137833/
http://aidencourt.com/wp/LLC/raf3n3odxco400jjjpi2hf290qlgl_prw4uxr0-7763309726/
http://akaprintdesign.de/wp-content/zojdg93o_xynmmr45kk-00422649/
http://akoagro.com/wp-includes/r04fyabv1mtksp1tgi5mnhgnxparl_3p7hn1m-18151334886016/
http://akoline.com.ar/Argentina/wp-content/uploads/js_composer/paclm/pttymks2m_1wjvsp-040621983/
http://alex.zhivi-bogato.ru/wp-admin/LLC/vgxNGmUlHZIkUdBmyVtyQJrztdjj/
http://allbusinesslisting.org/uploads/DOK/lATaKZeIkwAwpVfWgKTuQRLrIUKRRl/
http://allhealthylifestyles.com/9yng/lm/isd8j0bsmhi53u3lxao5_bhas06a-10817970098761/
http://allinonetools.club/application/ximd7u7nigxu9r_kc6bgdfo-958450195888/
http://alphalif.se/css/le1kcb7jby_5xu6hgr0dd-93379625880817/
http://amarresyretornosdeamor.com/wp-includes/esp/neJynmXSShVwzuVQWBaeQrwvj/
http://anarmed.ge/wp-includes/Document/vfh2cntlby3warq_v2gqag9b-5724108769/
http://anayi.org/vendor/4t9hfvo0mhuo2wbm4gnybzj6_0faosb-30207636/
http://applesin.in.ua/wp-admin/Scan/VKGUJAoK/
http://apps-phone.ru/jutorje32/DOC/JbTiJsOuYLfycnAcnNlAVftM/
http://apptecsa.com/phpMyAdmin-4.7.2/Dok/asbgcruv4k6haf567dfcwtekrl_e6601rvc9-9233947367573/
http://aradministracionintegral.com/wp-content/uploads/esp/xdesZvyAHcDjfbkQTOQgaOeeFRQ/
http://artislandjp.com/wp-content/iwyzezhokhmjzqsyxpoxaazvajjys/
http://aseanarmy.mil.id/adminos/lm/AHFYbndZNarqnjoX/
http://atkt.markv.in/_notes/parts_service/pZuTaKnhGoNklbzKb/
http://auhealthcare.in/wp-admin/Scan/dhyhfkp3rpj8hi10fvk_pna118wt6-536580263/
http://autoscostarica.cr/wp-content/Pages/wmog67unlko5a6tgteoplvhxqc9dd3_wuo9ve-955815100504/
http://avitrons.com/uma-site/lm/aSPFbPSLPFVHslSsMuAbPhxXdfv/
http://ayashige.sakura.ne.jp/CGI/INC/l66nxpe9j_i5idhzxbj4-17570585088/
http://ayrconsulting.com/ssfm/b5kpfyr4brv5ulcvzrj4x4p_1ofz2gukj-441557287873828/
http://bangkokyouthcenter.com/wp-admin/Scan/ythmkuqzd_jmgn2yp-175573459555500/
http://basarirerkekyurdu.com/wp-content/3baoaipzi6mqy7whlt33b7vmtdum_wig6m156m1-615007073/
http://basswoodman.com/janahenry.com/INC/gw9y5bij19cs7fk8_w7z306-48284886/
http://beau-den.mrcloudapps.com/cgi-bin/sites/k9i5flfy09jn2_u8dj2-68720464/
http://beenet.ir/wp-admin/Dok/RcYBXGZBCaSsReYhmJhMFEj/
http://benshill.de/wordpress/INC/zbkeaxnq23_kc7ybzr8-58810947871/
http://bey12.com/sircuss/Document/weSFwOcnrd/
http://biederman.net/clients/DOK/dc9v71bcybeh9bmdsqw1y4a6xq_veb2196wtl-65827335/
http://billy.voxmagneta.com/wp-content/paclm/aiis129kg7ihz0p50gkjgiafh9okbo_1l7vp-334229597472229/
http://bimeirann.ir/cgi-bin/lm/zep2i1tfx9606nz9zmc_01n5iwx9hz-96231646376136/
http://biomedmat.org/INC/erNNZoxosDTbeJAaGHmcdAzgZrJryi/
http://biyoistatistikdoktoru.com/wp-content/jlEzCPsEEfOdjSUjIFIJ/
http://bkarakas.ztml.k12.tr/39c0ef/lm/b0qb5fmtznzk5u6fe69otm4l66c_936pijskp-49454200064264/
http://bkkps.co.th/co/esp/cza0kklmw_r38hfwkh-761849473941/
http://blog.instacart-clone.com/wp-includes/SimplePie/parts_service/uatoqujs7s7ediuaxvs5cuqm_ddt16mxu-564056354031/
http://blog.orbi-imoveis.com.br/kjbgta/acmreyaa40e_ps0whshh1b-198803276009/
http://blog.vdiec.com/wp-admin/INC/nzdpfqq4n5heq4tqyqtb309jz5wsp_gvx0ok-68900526928509/
http://blogs.ct.utfpr.edu.br/mansano/FILE/oHGsFrZhNkGrfNgnF/
http://bloomflores.com/cgi-bin/fkeae3awg9k6b2dwmkpxxa64v7cw_4uaqa-69978485/
http://bluestag.co.in/wp-content/Document/ei8b4ogccm21_j0o9skc-45698780357431/
http://bmwselect.com.br/wp-content/plugins/advanced-cron-manager/parts_service/d6yju8iv2d8i2jvtfqb3_90xlab0wz-784476784/
http://bornkickers.kounterdev.com/wp-content/uploads/VlYEBegqcq/
http://brandimpressions.co.zw/wp-content/sve8uvm8csrux7of_xv87jqian7-12284113/
http://broadlawns.co.uk/wpThumbnails/lm/WHYzQPUZnZ/
http://bystekstil.com/wp-admin/parts_service/gyxp0yb8ny08cldus9_iz952p72ql-12633794221713/
http://canetafixa.com.br/wp-includes/DOC/TayOTpSUibJMGVhWPLYMQPNyAMejp/
http://cantaros.com.br/cgi-bin/LLC/cyUKxsPapH/
http://capnensensejoguina.com/wordpress/paclm/kzKgmvfbmLfTaweYZCZTpKhWA/
http://capquangvungtau.net/wp-content/INC/5b1yjo3a2czeua96f2_qh216c-6624318531002/
http://capquangvungtau.net/wp-content/LLC/XInuBjIcLLCEjfhkP/
http://cavalluindistella.com/wp-admin/INC/02ssocd4j70na2_vwo85-981220018653481/
http://centurystage.com/download/PLIK/hhlqSJuAbGEHrKWlHXM/
http://cgfilm.in/oldsite/6wz4jweq0kim8lp1u1rtxq08_x46qm6ak8-1916202749831/
http://chakravatnews.in/cgi-bin/Document/lc9l0567sgloqwgr06yn9wz_v66bhhvoc1-9919282734635/
http://chavooshstudio.ir/toq7/FILE/e9wj6l1f84zgvtbnu494vq59_dhgdvdhhn8-52283825654948/
http://chchomesales.com/x3ufe9/FILE/kEffPHaZ/
http://chirurgien-ophtalmo-retine.fr/wp-admin/Document/e5dkvpp8hhx_fc568mru-29493963168/
http://chugoku-shikoku.cms.ripplewerkz.co/wp-content_exported/LLC/acx3ms62n_e1toyrawk-169922458553753/
http://cib-avaluos.mx/images/Scan/UCPljcvhhdDDmN/
http://cityhomes.lk/wp-admin/lm/shYRNVogewJZZFBOfyKI/
http://cityride.co.ke/admin/WAmaysZuJKaZyzxTg/
http://clipsonline.org.ua/wp-admin/Pages/f7c3q50xzoah3besqoua9uby_krc9wg668-22608382178/
http://clorent.com/ajax/parts_service/ZWMuHHVvXVmquekqkXQMtCzr/
http://colegioadventistadeibague.edu.co/wp-includes/lm/iindtspj7l1rjua_kth52-09810828625/
http://congchunggiakhanh.vn/wp-content/FILE/yvGqWEsTeGqWlbJVMkCCMoLbqjKutZ/
http://congnghexanhtn.vn/cgi-bin/lm/HXiFZxIhssOosIxXZEDO/
http://congnghexanhtn.vn/cgi-bin/sites/oi2h8eb32rlswyhyoe274vh802q_vd3boc2o-7590611699/
http://cosplaycollegium.club/wp-content/ht8p0y2d05e5ydd4nvl9ibnzp_r3teinnq3-7560842820/
http://cosuckhoelacotatca.net/minhan/esp/TozTzAGvwJy/
http://couchplan.com/wp-admin/nspeBheHdcQO/
http://crservicos.com.br/cftv/v54ucb6oe1ycj93_fusektth-564258474/
http://dagda.es/wp-admin/pbjEjvXCDCMbLyYV/
http://ddmadrasah.com/wp-content/parts_service/n12d50ylod2r8t6x44vqprh4_ex47v5-9015107945384/
http://deavondkoeriers.nl/wp-content/pEVkYSbYDwzbGABbDEaT/
http://deerworkflow.com/wp-includes/0eou090z19swauw26buowtra3bfhgb_0rmujb2-12142489/
http://dembo.bangkok.th.com/wp-content/uploads/5qp5o49wh8s2hd8k15hpcqs84ohe_4fhs4f5vr-877540190855384/
http://demo.lamppostmedia.in/tms/wp-content/themes/education-booster/IxHdbmBIWcygyaHuxaYbmT/
http://demo.madadaw.com/wp-content/tmp/parts_service/wduag244xpe8ong90jzuan4khkot_0iumbotp-231441578681/
http://demo.xonxen.vn/wp-content/FILE/32ftgky4_gkm4dui84-280515485541283/
http://demo2.tertiarytraining.com/joomla/mLLymnnckRYZM/
http://demo3.bicweb.vn/wp-includes/FILE/oal3dsh1ii8hwcsrsr6_9wpmzfop8-9587817864/
http://dev.strkdesign.nl/dtjd/qm79obxj5xy12zee1n72jf4z_8akps-7089410334/
http://developing.soulbrights.com/wp/LLC/sRaNyeFYEYvlkWkyCDFFTjqH/
http://dev-visionsharp.co.uk/vendor/Pages/DJEMrSUpZmzimHRPvtsUrIld/
http://devwp.absclp.com/wp-admin/DOC/3p06pqb5cxah_9o1a4f-661424221533445/
http://diamondgroup.com.vn/wp-content/tafun4urfhay_l06akx-911889611836/
http://digitalmaker.tk/wp-admin/sites/9g8kmp2ao8qj0d43j70scd_2jg9b3-4313814001/
http://disperumkim.baliprov.go.id/wp-content/Pages/kolVuRhGjekQm/
http://diu.unheval.edu.pe/spi/storage/LLC/tqebgnahha7xvpxpmy_422q7ygl5q-528592909998856/
http://djdesvn.com/moviewebsite/Pages/rt1rxg7fgo6o6oisb7sxipslefg_qmjebpo54-2478286189/
http://door-craft.ru/wp-admin/TTeicudkghGGhchRwqL/
http://dorreensaffron.vn/wp-content/uqt6yec3dw_zp5io-680559949308/
http://dp5a.surabaya.go.id/wp-content/sites/EKZfdNpWZotyFtajzRWGdNyTuawChG/
http://ea-rmuti.net/pi/wp-content/KkRXhcNMAXLyG/
http://eco-chem.hr/wp-admin/Pages/eSKyupWfFrbpzSD/
http://egplms.okmot.kg/wp-includes/parts_service/xzree20twuo7qxj92l1tz_4fxhkz8ot-60264947320/
http://elegant-dream.com/wp/pomvntHWuAykrASSUUbTqp/
http://elenamagic.com/img/DOC/mzCJBBMHCSX/
http://elephant7shop.com/wp-snapshots/sites/VwFWTDwJBGtNo/
http://elespaciodepopito.com.ar/cgi-bin/Pages/KgaILaBUBERrNMPzUdrGAoSHi/
http://elmassahome.com/tr/ftcerrgd5qagqsqw7msargkyy_s91lj0fiyp-431699449079/
http://elysiumtravels.com/images/Dok/jQyHnaZhuX/
http://emmaxsimon.com/wp-content/Document/bveowJpDLmSKBIizwkDrjGI/
http://empharm.uz/file/esp/zdsoz58k1vg8s8i0putwi0o_tt8criqm-280927037619/
http://encame.com/cgi-bin/30qp3tb67w2txlygzm22sgi57_dqxt1l-1977495695975/
http://enjoy.cat/wp-content/uploads/FILE/2gkthv5jgk5by3go0p60q_mgjyu7d40-005984582898580/
http://eric-mandala.com/wp-content/FILE/WJeJoYaBKhIBALNtKpbjwy/
http://es-noujou.agricom.co.jp/noujou-doc/GMXqAuJPtJktFz/
http://fargopetro.com/jynne2w/LLC/9emy1c5slucz05ztsb_giwscuomzh-539483200738252/
http://farsinvestco.ir/wp-admin/74bqrll2fravktt7jkycl_535qav-869522814724593/74bqrll2fravktt7jkycl_535qav-869522814724593/
http://fearlessprograms.com/wp-content/AsFahoxNfqtWVWeTIGuuIPuB/
http://femmedica.pl/COPYRIGHT/w2eiyop64h97ht6i3rym_ghznzynpv-411526644922/
http://films-ipad.com/aeqr/IzKENJhvMnbuYHdfhHanLEDQqlaiT/
http://firemaplegames.com/screenshots/DOK/36p7ai74pwfft83s39lde90v_ysp3l3vt-52256482068972/
http://fish-ua.com/wp-includes/mKJniNvPTvRiCKd/
http://fluo.ocebo.fr/wp-content/uploads/lm/iDMGmpdFajLhAaanraVYPp/
http://foreignmartbd.com/img/NjpdBAKUgztNDZIn/
http://fridgerepairqatar.com/wp-admin/qcCkBGRgHSDDG/
http://fulan.tk/wp-content/LLC/r0gy18x366omf1z9zzz38_pj5h3pxf72-6411330379420/
http://gak-tavrida.ru/wp-content/parts_service/xj9ep58gcu77dv4a_38ghv2-465992270155987/
http://gamemechanics.com/images/sites/ARJgpwEUKDppqpSvtntoWtdhkHD/
http://garageprosofflorida.com/wp-content/INC/xm4qz42spqey0xbmlse935p7n_htnif-808927181/
http://gargprinters.com/wordpress/sites/o9dj2vvbzymnqesqhfizz3h1ab_g5vk3aqrq-24829672015508/
http://garlpex.org.zw/foxe/FILE/pmtx4alvqq619qw_kwra3l-4924632531868/
http://gen1.vfull.in/wp-includes/Document/wdvy75bc_gi1o7yipk-037024338/
http://gestaonfe.com.br/images/tsf79gpe1yrtdtnjt61y3f90j_hi870-054128199/
http://getagig.com.ua/images/lm/a6sym90g42a_8d5b2aq-8151006185/
http://getcloudptt.com/templates/Pages/xxl0cq8cqezqz4621v0cce94y9ghf_ij61d86-70440851677/
http://gharbkilid.com/wp-admin/sites/RxYjIvXJDTyfeEoafgPrkSlmU/
http://giakhang.biz/DronePhotos/esp/oti52aat89098xmvyn4g4a2a01_1usqbam-8733587385/
http://gigmoz.com/saicollection/9tnulb5pniumdu53qd5adk_k9gzahh9o-436784313075/
http://goldenfibra.com.br/tae0de/DOC/p2ap0ealmknrs68fu2v6_tgp2qiy-39049131/
http://gomypass.com/wp-snapshot/Scan/dkqsehu8yatspxp10w32fx_xcu1yo-9516608289/
http://go-offer.info/wp/DOC/PtnjlMhFeuxJeBQbxRE/
http://gorinkan.org/DVedit/INC/cgyfeo3enwqh1db8t6a3_13xbr8q-1836727870671/
http://grandesophia.com/wp-admin/LLC/vmnifzb771plk_x7koaqogml-8830515802620/
http://great.cl/ortuzar.cl/esp/ixjwtev0k5ze2_6pt2rqck3-52580352/
http://greencampus.uho.ac.id/wp-content/uploads/esp/fexcocn582zqkrx45qc979i_b7al0se-6012446038782/
http://haitianshowbizz.com/cgi-bin/FILE/c6rc9mi35xjbms6eeqdm7b8y_zviyle2ozh-383346665690/
http://hakan.gq/phpmyadmin/INC/09j3zev48v1si2_dvo5k-186622991462132/
http://happyatomy.com/orderV2/FILE/21y5pfd9mbj0nhwilkh2epwwp_2nhfk1n8-9381369434931/
http://harishnautiyal.com/wp-content/SwmtrAVpRSZRQocyqGSAurQn/
http://hartwig-paulsen.de/_private/INC/DPbFHjxz/
http://hausgraphic.com/_FF/StIWtZpyZAcRNVctmJbPp/
http://hazama.nu/MT-5.14-ja/Dok/6fdzvo5g6gn6s4083n5vpi5qmcbf_rl02uon-0394150359386/
http://heartburnsafe.com/Heart/INC/wpb3sxn9o1zj4gth_ueiavrvmj-94874739/
http://hedel.jp/monte/5xnah88x5jqvjzaw5z_uak8v-172663407/
http://hegdesoujanya.shsoujanya.com/wordpress/DOC/TGfFtNHVzaTZEqlmHrqcdL/
http://hegelito.de/Service/sites/olwt0ulb_e9xabjilc0-8978386499534/
http://honjia-machine.com/wyxey/jvha7a-b5yoc-hovoj/
http://hoovi.in/togb/39l3-2tn8mn-capx/
http://hotspot-systems.de/jonsfishingsystem/ufo4anic25v9hory_hvtia5t-27231959/
http://hskf.net/090704/paclm/hmyglYOW/
http://huskennemerland.nl/wp-content/Dane/GdkPYoUjjerintLfNC/
http://ibuying.pk/mvmbb6/Scan/kycJsdNnHnGwSCBEAAHeiLuMhLaSG/
http://icpm-cipm.org/wp-admin/paclm/QVUEilLc/
http://ideenn.ml/wp-includes/Document/QwhCDlWSqrNIU/
http://idesa.cl/wp-snapshots/sites/JWTDkdJTEDEsPCA/
http://ikoym.top/1/parts_service/dq444l3aqmdfnpemawd0a_qgxpaq-78515102739513/
http://in9cm.com.br/LucasNievinski/9o7573w40425s_xp9q35wxj-746490859/
http://indieliferadio.com/Document/TdevOMjwyNWT/
http://indoorpublicidade.com.br/wp-includes/n3jq0t422r2_7hnky38vs3-83093705/
http://inein.mx/scss/jhkavc7zpcet_noz7a-08940771/
http://innovomkt.info/templates/INC/gw3ylizcuoloa_fizi77v-661011974372431/
http://ipc2017capetown.iussp.org/wp-content/Pages/GZBqnhFjUhCY/
http://istanbul-lazzat.uz/wp-admin/Document/xve9hvwg_ako8h5mh2-1809207412/
http://jdih.sumsel.kemenkumham.go.id/ildis/FILE/uxlmc3g0i4e6k6yx7fuupdxnd_9bq12vn6-86392596458481/
http://jesp.ieconom.kz/lk/fBguxIaXQeHwCbzc/
http://jessijonesstar.com/pyro/Scan/vds5n53mk9elu9s_dfv1fy32zq-9079217218065/
http://jimenezdesigngroup.com/wp-content/esp/ny6kwhjwwognk_bc7qcu00wj-81739611/
http://jmade.ru/epiksel/esp/v3ptnnl6fs5al_84jtwamp-82243430084/
http://juttichoo.com/wp-admin/ntsl5a8pj4jracl8o0i908_gxolr9-70253791/
http://kadindergisi.net/wp-content/GHHJnlWfdJ/
http://kejpa.com/webDAV/esp/z3y7ucs8qsqmh58s6854abo5l_kpxeu5-55695822989700/
http://kevinjay.me/wp-admin/Scan/mhcFhjKTBDXbhXrJjZPrsXCbOBtSpL/
http://kikinet.jp/album/Inf/RlepFgbeAChcdMiqgkiIkHSuxktIX/
http://kinderarzt-mistelbach.at/yioc/rFBGsmqWwCEPGFLbmitGH/
http://klychina.chttit.ru/cgi-bin/Document/27iv1yrg28deb9qia7mqcxifb_3wawzt-20640129400/
http://kodlacan.site/permalink/DANE/wtSKvxFllItEwQq/
http://koroom.net/39/esp/hgkrmao0oggay4b39y2fs0oa_wkkjz-94827413647/
http://kulzein.com/tcsa2fo/titjckjb80xyv6xjs9l879gv_vwuyzcy9pt-31037587938083/
http://lab-quality.com/nmkh/INC/vrAqqzJgLmVzNQoLVPd/
http://ladesign.pl/cli/DOC/9q2zhkcyggh1shu00gx_ov7jndh6k-09455198824059/
http://lbtesting.tk/wp-admin/Scan/sp8s3jj8t3ub5v_09dte-646541542/
http://les.nyc/wp-content/uploads/gxx2fawhru6axeerjk3p_7i8z1vjilh-3529283555185/
http://levantu.vn/wp-admin/sTCRRpOIdrr/
http://lifetransformersgroup.com/cgi-bin/Pages/tvCqHKJxMedVIEVUGmrzWUgpORd/
http://liliputacademy.com/js/Pages/sZVKaWgsdTqOMYLAkFZJ/
http://lmichellewebb.com/wp-includes/sites/lsiUKvhcKlmkTYybaSHJLJ/
http://loanforstudy.com/wp-admin/ov2hwgntpx2799cy9l03jak78l_babkq6fwe-55008712818495/
http://logisticshopping.com/syscargo/parts_service/IgZWrtZJVuIoPbUpyOPl/
http://lovelynails.ca/resources/sites/NqdWRIqg/
http://lp2m.iainjambi.ac.id/old/DOC/lJhTnEgCMyanM/
http://lukmanhakimhutajulu.com/wp/parts_service/kMPfrxNgryCHxScxdLmmX/
http://mahala.es/wp-admin/parts_service/bFCccFADAwzYYDtnwvMasFaWXBTDI/
http://mak.nkpk.org.ua/wp-admin/sites/BrbskSzZ/
http://manovikaskerala.com/administrator/parts_service/bqtc4tof2ixrqmcm44_h1inlhsj-70729598/
http://mapala.politala.ac.id/wp-includes/Scan/84lyfqg006n3tnv_pqc15-6573296772/
http://mara-bau.kg/wp-content/SHRhAKyYBmz/
http://masbaheri.com/images/872c3i63o7_eilxd69-588594012261116/
http://masterchoicepizza.com/wp-content/uploads/INC/gc2cbhec5tyopayzcmhxcdl_kdwcp1hlhz-488338475754039/
http://matthewvincent.ca/cgi-bin/LVhtaFwlzUAwJkyXycaF/
http://melangeemall.com/images/lm/3f7jx00qxwua_qi82cgg4z4-42435752/
http://memorymusk.com/wp-content/uploads/ubzaztj2m1frywtpj_5k0m2-0542235047/
http://mentes.bolt.hu/cgi-bin/parts_service/aDwJLsxguuiEFHR/
http://miplusmutiaraislam.sch.id/wp-admin/Pages/xn2yogtul7r_unm2vayqlk-14939001/
http://mjeas.seas.num.edu.mn/wp-content/Pages/pDsDoOJCwDszXUYkcTBwtPAR/
http://mmateoc.com/wp-admin/DOC/ApRKphCRhUWHU/
http://mmm.arcticdeveloper.com/wp-includes/FILE/6uwflygw7h3y5oypxrje_m4zz3w3-175725723317644/
http://mobuzzasia.com/allfiles/temp/wp-content/esp/UOajIKNOgPXkYoUbrJBVmOM/
http://monument.rsvpu.ru/wp-content/esp/mgh55ffaukk4m1m8wq_osnbr8u-8826913633/
http://morshinnet.ru/wp-content/esp/omnwwCrInZBUDTQJZjBwaewWIm/
http://mroneagrofarm.com/wp-content/yQSOlwihKvauXYrdesnywE/
http://msinet.s87.xrea.com/ogasa_data/lm/wrqrib4qqa_g37i0cgy2r-75961413357/
http://myhealthyappshop.com/au13/lm/purrrQeamZXyiCDFDm/
http://mysterylover.com/corenascreations/zencartcatalog/cache/LLC/tYTXviiUWFyKjmIVRksMFt/
http://myvidzz.xyz/wp-admin/lm/0xmi5dgm2nyy2zv9npukw_024pc4szh-039929300/
http://mywebnerd.com/moodle/6mzlj4vumsbdgcjm17n8qtawde_0lovhzq-587627277/
http://nairobitour.co.ke/wp-admin/Pages/BcqgIgdPwXdJamjKuWrgLdFcKdCA/
http://namgasn.uz/includes/FILE/ynjeciuqbao1oqoo9uo7z_ivwitvqu-8170101122772/
http://nature-creativ.fr/wp-admin/Document/druVFmMEHJaEgMCYeUgcOoSXXe/
http://nesrinrealestate.com/wp-content/DANE/KtdQBcEuBAybuVnLqt/
http://netmoc.vn/wp-content/esp/4gkdpldabt7lt1kem40b5d4oh2qmht_orrf3i1sj-710246102774/
http://neurologicalcareofoc.com/jutorje32/OfpUqeUuYdluaSgfbIe/
http://newmarkettowing.ca/wp-admin/gsikuf1n6mzsy_5pukqn-469095634853/
http://newparadise.com.vn/wp-admin/DOK/e52jnca99j_ufwvghp8oa-92780853/
http://newwebsite.smex.org/wp-admin/LLC/yebukw3dgwgzq5ebygh_n4g4iort3o-84431657/
http://nieuw.goeieete.nl/img/Pages/rBjqVNNdsgDpMbInHIZDFVjf/
http://nissandongha.com/nwlv/ns27hw-99jsfnm-otiw/
http://nissankinhdo.com/wp-content/INC/cxINdPbSHvWJLYkkGt/
http://nissankinhdo.com/wp-content/Scan/EOqiZAqSehfbChtjoOZ/
http://nomatyeinstitute.co.za/wp/esp/jfgqbhr1towl9iedhe6n_3i2npjtm-227259736608/
http://notix-test.ru/zamki/jwgiy866pt1ct8zemzx8yrku3b_6m6s088-5933526545566/
http://novaan.com/wp/vNzpvVYF/
http://novocal.com.vn/wp-admin/bh24s1-4rs2e14-mlmrf/
http://nppaquasell.ru/templates/FILE/UStyjgzpCUKEe/
http://ohioamft.org/images/esp/whoiy5qxbjnrp1gmegkx8_2dy87q342n-1691925380481/
http://old.oleglukanov.com/cgi-bin/cesbtj755s6p0fcyvimmnneg38ms_go812f7-566475421578787/
http://onetouchfootball.gr/aqqf/parts_service/pmtwlshs32bqzll_ny4lmq4zgp-1593792866860/
http://orida.co.th/ywhv/lm/gy7eo66gr0f42jbdj5z0wu6_cunzn61nf3-608153857217416/
http://orientaltourism.com.ua/wp-includes/o0v7314-lskye-wiwrc/
http://osarofc.com/wp-content/0xza-146jk-vneaa/
http://penis.tips/just/parts_service/IjjaTgJJmRFScXZFNNVFeOHCX/
http://permanent-rf.000webhostapp.com/wp-admin/Dane/gyLjTtnSncdMgmLDW/
http://physionize.com/wp-includes/paclm/wgkcgc583re0c6veyxfn1zf4u95uey_u407xg-23929936006/
http://potolkiakcia.by/wp-includes/Pages/chMDiBTNd/
http://priyainfosys.com/products/QpIuZyAaFgoUpASiO/
http://projetoidea.com/cgi-bin/Document/ntdqwygpvi22hqbr_hb35nj59mk-67421750/
http://publiplast.tn/wp-content/INC/QYcxBmxCgLSPLghKBguFACNdfmvt/
http://radharamanudyog.com/ocart/Document/OGypNMTNpuyLKmRqlArCGKd/
http://radiomediavillage.com/bin/DOC/llwYAboSHCIGNNMARHVlBwgaSW/
http://rogerfleck.com/hbadvogadas.com.br/Document/gxx8rxyyf7zuz_slasi-93220491303/
http://rumahrumputlaut.com/wp-content/DOC/m9z2zfv8ty8piy8n3n673jni2_7qxt66f-060570155262/
http://sanko1.co.jp/lp/FILE/k518bwvfhrv_zicsevw-386184410493840/
http://saraikani.com/wp-content/k8hnlok-v3ab90j-xutmihs/
http://sensoryexperiments.com/wp-content/DANE/FwfQCkHKhKDKesvfHyklppxJlRZDz/
http://serialnow.ga/wp-content/Pages/kyvw2rg8l34j7cr3h5axgi1m4mn_fzjqevf-97122936/
http://shooza.ru/templates/LLC/e4l23sr2r3hheqvzrcwwjck1_0fo7f3a-47531229276935/
http://shoprobuy.000webhostapp.com/wp-admin/parts_service/eoBFtBVDFjICdeSlcN/
http://silcfertilizzanti.it/sitemaps/LLC/FEJXQIywhanjVEqcTh/
http://sjhoops.com/EPXHHogiQGyFotfWP/
http://sjhoops.com/LLC/zaHfarwetgvtouIYgJgqLdr/
http://skylineindia.in/wp-admin/Scan/VAscYQjBlBTEsDRpM/
http://snsyndicate.ir/cgi-bin/LLC/NaQGnVzXII/
http://socialfood.tk/wp-admin/Document/udbPXVWIqpPGLQtXY/
http://sparkcreativeworks.com/lightcraftdev/INC/ODhhvAcQbGfLKu/
http://spoorthy.ml/test/sites/yKMhqFRmcsGL/
http://stahlbau.kz/templates/lm/f17n2xp441oxn32cl_nnajqd-37483536518/
http://tabea.co.id/_tabearoot/Pages/q0b9ltiv7p0hqmp_jamyvr-15838314/
http://takosumi.sakura.ne.jp/GalleryImage/Pages/gvxyFfuTznyrvJlUA/
http://tamsuamy.com/images/DOC/n47uq53evl5k4aok0m3u4c_matymqo8dn-00080612/
http://taubiologic.com/wp-content/parts_service/om2cmp12f6slvrgr_a0i4f1e8uf-95220990/
http://teestube-luetzel.de/cgi-bin/paclm/nDitKtuX/
http://tetrafire.co.uk/wp-content/Document/YaMgagUqzQWDEVDtgpE/
http://tgcool.gq/tmp/DOC/eypKUMPXOajRnKn/
http://thebiz.000webhostapp.com/wp-admin/LLC/IkIhMNlLflglVDFyNHbiCVSd/
http://thewaterstation.co.uk/q95z/Pages/sZZeohQBUAmaA/
http://todomuta.com/tm/FILE/nOaAZQXqAbdXG/
http://tokoagung.web.id/mikhmon/parts_service/VOiGbJVVelmFDeXTv/
http://tpc.hu/arlista/oOIySDvQJLfLQTozFfQyENEHfoXvs/
http://trangsuchanghieu.com/wp/Scan/jsePFSPOMxTUeX/
http://trichromatic-transi.000webhostapp.com/wp-admin/Scan/aqwzhfwvyhst8ai86uuw_m452ok2g-451213844234/
http://triseouytin.net/wp-content/Document/nZSzHrGPJqQHbgU/
http://try-kumagaya.net/4_19/sites/wBeOmDMDBpaDEZXArZGswx/
http://turbofilmizle.cf/wp-includes/Document/4qxat60pq97loocw9o_0kp5t-807583314427/
http://ucuzgezi.info/wp-includes/sites/mkngjwv5m6l1sv17p87yx0_pknytr-75251279104426/
http://uniquedestination.mitsishotels.com/wp-content/uploads/doc/uddqppobklwrngqgyhlzwyp/
http://usgoldusa.com/wp-admin/vfkyadxlebnftqaq5r53pbjg_0pii503-128245217/
http://vhadinyani.co.za/assets/FILE/cd2tgc9o5lnpawduex92nw1r_0ijph-743646261560585/
http://vibeshirt.de/wp-content/sites/4808gr7cs81o_xv8lp5-90716048173/
http://whitesalon.nl/img/Pages/bf6xoqb8_4hmms-704596943740/
http://www.actyouth.eu/images/esp/i2b08crtzw5cemgb_c9lnt9-19555073384/
http://www.adil-darugar.fr/wp-admin/Document/e5dkvpp8hhx_fc568mru-29493963168/
http://www.cavalluindistella.com/wp-admin/INC/02ssocd4j70na2_vwo85-981220018653481/
http://www.cbmagency.com/wp-content/Scan/qgi7r0g6neq5gak2d1nlamx5xu_sxbdyhu-88393500801483/
http://www.lmichellewebb.com/wp-includes/sites/lsiUKvhcKlmkTYybaSHJLJ/
http://www.mahala.es/wp-admin/parts_service/bFCccFADAwzYYDtnwvMasFaWXBTDI/
http://www.pomohouse.com/wp-content/LLC/bs5wlwidu_lhwh8-6531737739304/
http://www.wwwhelper.com/comm/moneymakers/css/paclm/58odajp5psbnf3zdrg_nxffzku-08384326922/
http://wwwhelper.com/comm/moneymakers/css/paclm/58odajp5psbnf3zdrg_nxffzku-08384326922/
http://xn----8sbabmdgae0av6czacej5c.xn--90ais/lm/04af9pc4r_zr8957e70-92859625159/
http://xn--c1akg2c.xn--p1ai/wiki/images/parts_service/sk3oe3zcspzdec_1u0sqevw-31877200/
http://ygraphx.com/DEPARTURES_MAY3/DOC/DiCLLsMFNTLXBwNMLIfFEpOIrupJ/
https://acolherintegrativo.com.br/wp-admin/DOC/hwhyCUiZwJgDRgE/
https://akaprintdesign.de/wp-content/zojdg93o_xynmmr45kk-00422649/
https://allbusinesslisting.org/uploads/DOK/lATaKZeIkwAwpVfWgKTuQRLrIUKRRl/
https://blog.instacart-clone.com/wp-includes/SimplePie/parts_service/uatoqujs7s7ediuaxvs5cuqm_ddt16mxu-564056354031/
https://cgfilm.in/oldsite/6wz4jweq0kim8lp1u1rtxq08_x46qm6ak8-1916202749831/
https://computerbootup.com/cgi/PMdGhLnrayipIMmHiNVShzAXmxzvV/
https://couchplan.com/wp-admin/nspeBheHdcQO/
https://dp5a.surabaya.go.id/wp-content/sites/EKZfdNpWZotyFtajzRWGdNyTuawChG/
https://euma.vn/wp-admin/FILE/RXePxifApJpAmSHvbPeEBjbC/
https://fargopetro.com/jynne2w/LLC/9emy1c5slucz05ztsb_giwscuomzh-539483200738252/
https://farsinvestco.ir/wp-admin/74bqrll2fravktt7jkycl_535qav-869522814724593/74bqrll2fravktt7jkycl_535qav-869522814724593/
https://fearlessprograms.com/wp-content/AsFahoxNfqtWVWeTIGuuIPuB/
https://gak-tavrida.ru/wp-content/parts_service/xj9ep58gcu77dv4a_38ghv2-465992270155987/
https://garageprosofflorida.com/wp-content/INC/xm4qz42spqey0xbmlse935p7n_htnif-808927181/
https://giangphan.vn/wp-includes/DOC/tvohhrTjpSH/
https://gigmoz.com/saicollection/9tnulb5pniumdu53qd5adk_k9gzahh9o-436784313075/
https://hakan.gq/phpmyadmin/INC/09j3zev48v1si2_dvo5k-186622991462132/
https://heartburnsafe.com/Heart/INC/wpb3sxn9o1zj4gth_ueiavrvmj-94874739/
https://idealo.zendesk.com/attachments/token/mzOHqTed8eyvyHn65rLav1rEZ/?name=INF_718967_0546774.doc/
https://kinder-camp.com.ua/wp-includes/LLC/xc7nxo2ywi8n52lu8_0fye8j-33860168/
https://liliputacademy.com/js/Pages/sZVKaWgsdTqOMYLAkFZJ/
https://nutshell.live/wp-snapshots/Pages/jzopxeblzz61nek_dmf5x814m-670538746883/
https://onepostsocial.com/wp-admin/IZUAnTNTiZYOOMjqWFxpGmts/
https://onextrasomma.com/wp-content/parts_service/oglr7g1ozcgl7iem9rugqohcuhrt8_itksg7f4w-7376898186/
https://paularosalba.com.br/jbcsoz/LLC/DNEUpDmjRKOhXqJgAXwLJKjNjvUEs/
https://pkols.com/ltc/lm/y0qtzd293a46_edivl-05667044/
https://potolkiakcia.by/wp-includes/Pages/chMDiBTNd/
https://rumahrumputlaut.com/wp-content/DOC/m9z2zfv8ty8piy8n3n673jni2_7qxt66f-060570155262/
https://sensoryexperiments.com/wp-content/DANE/FwfQCkHKhKDKesvfHyklppxJlRZDz/
https://serialnow.ga/wp-content/Pages/kyvw2rg8l34j7cr3h5axgi1m4mn_fzjqevf-97122936/
https://tamsuamy.com/images/DOC/n47uq53evl5k4aok0m3u4c_matymqo8dn-00080612/
https://ucuzgezi.info/wp-includes/sites/mkngjwv5m6l1sv17p87yx0_pknytr-75251279104426/
https://uniquedestination.mitsishotels.com/wp-content/uploads/DOC/UdDQpPobKlwrngQGyHLzwyp/
https://usgoldusa.com/wp-admin/vfkyadxlebnftqaq5r53pbjg_0pii503-128245217/
https://vibeshirt.de/wp-content/sites/4808gr7cs81o_xv8lp5-90716048173/
https://www.actyouth.eu/images/esp/i2b08crtzw5cemgb_c9lnt9-19555073384/
https://www.adepterssolutions.in/news-admin/sites/KwMonjtPbhHoTi/
https://www.cavalluindistella.com/wp-admin/INC/02ssocd4j70na2_vwo85-981220018653481/
https://www.centurystage.com/download/PLIK/hhlqSJuAbGEHrKWlHXM/
https://www.teestube-luetzel.de/cgi-bin/paclm/nDitKtuX/
https://www.vigamagazine.com/wp-includes/vf31tim48_w3w3dhra-43233738464585/


Epoch 1 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-05-17 19:20:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
c56f1cd31df35fc20332d1c7a674250e2be07f027a748859e4944257668c78c5
70bf8924b608b94c7329cbadcf040ea8b1e599460c639610d540afddc39d09b9
867054a65bd27308c9687cc81eff60031e4235e255ca30773c9f31570245f9b3
e38394e5722b5b5d51d5f7db40f68781c68a234bce7aadb9fa43217084bf28d0
c9a57d9792b15f4a84e414372942ec82a02c9b39af2504faecda147b48ef9376
c01e4db4293d7a126ec2bdfff940fb2d8ec78b81e40d6d9c200df0452ccc7941
7192dfed090c2fdba074293b37d16363973c97d8147082a51dd12daa6b585669
11ec8abbafb8846496755282478cb7142297bd33f72ee15c4c7db9e6b893a2ee
99f4daa4ac2e95fcb8c9e67c987130742a1f571aae9efe80ebd872ca8dfc9f75
818c0c5aa031db8ce30311f0278e7a4c7dadaf465ff8e8172e28dedc9a7a1f9c
1abb99f70de46aa78138218d5d50bb03bf91043a3621b5420d55999181c766c4
f05ae8201109ce38a2632655bc234fed437503fed2fce3c9377e8a4004eba633
45c04f08be86aa4652c2578e2392f854ec4b97cd8f5705e69991ddae6d8f257c
a398598a3bbaa614124140f3f8706eeb3535b6c35d03cadd0e7d8d69301cd840
76e7f91fd62cf3b695fa783afe7116a7221af8b0abf47f617e336953a33df4ca
ad5305b6b5ea8f465de11f34610cff8d2f6ebc09c83cecde9c82bc01fe2b7bd8
0a95c32c6ffa69ffd58fe8985ffced665b7d9c555c225e07e8c5a8469cb36787
c85649a71e1fb3cc3992c2c7c4d105fb4ad0a908a4e17d4e99dcb0155345ad04
1842925c235cfcfce70109c3b97ff58c4a776e2522223c24b748fbeaaea6da6d
e489d1b3a1dd4e4b56000c91c274b5a2dc0098c2e1c2a2cc79f08b35fc687d36
760912d42fb57f5a9542e9c825fb06cd19a90cb54edb471d4538697d00fd3d40
fa882ca370c645562311811d9567f8a8b5f7ba1029b43041bfc5f1e350c3e25e
880d6bb1dfc065b8a5780b4bcbe41426f5892cafaffdefe36ee00fc7df710d4d
308f95b66be6e919bd6585b4a444ed628b324db39e0cbd685f330dc422c9b9e6
b6d663e7c98c2cba2487ec427c3d6a3561ccce56f065d65c11d37d741cbd2875
e4afa95e6d8fee739beb203e0d5b3024432e1772d6a652ee08c090de54327383
f7125666500137305cfb74c64be7937230d562590a15ea6bb1762ec0dc7c39ed
5cba4db50d312712ba3db0b0c0e8d752a329e680a55c6a43d14ebf60d3f28ef4
5b5e8d48ab265fc865ac55b35006a054d408b2f6ed6ed9e7b0a29327d5f075bc
6c963120cd298e8d4e9c7370657c00461b7d0e3fb6d670cae2ba508935f913f1
f69f1b42177a9f8ddacec146f0e2225784d9e73b69f413f2cc6bf131fd6841bc
854a9e2ba9fb300a1d20a120aaa4f2fde1d76ad4f1fe1e6b366e51f30fa5ec1f
1d4055ba61d59a306a5023af4cbf04b044564faece02d908bc096dfa24c47683
de53350f67e4351b7c2eb9c1a3d93e0920d92303d46746aca7dabc90871858eb
b7ea8f64cc8dc5b1ce458118d361b981e244a5ba376ebc836246c1fd77f81a75
2939512fa557f4e50449965b72a05d992f22ff9710241744d3c0e91c76d9295e
c828f048e3a3adbc6c584e3b296aeba067fadbbc8f50c86230a4b04fb1d2fe03
cfdca182492672248a7f3af9ed3ed4ea359711f31936f674ad629b92b7f5c1dd
692541a096a21584f1e2f1d88ef3fa9a185be41734b9b87c996c1518bbb4f5f8
a147cc6e92ceb4db735dcd63162789ebda78cf5f9264d2e6b9d8cec01d26ec01
e1e8d905f122a48fcdf692f1f67903b72f9ee7bbaab609b40794ed94051f5b0c
b8b9d94290ed2a1f33388ea5b3524c85fff648d9c621d871a3ecec3f520a1d6f
dd1ec24587425445d7e480e14cec5cc8b6bfc13c9f07899f4f2f8745bd126ce6
75071845f59b012e89d2bd268622920152636053b0a0a4144597766d048c0fa0
9ae71c28b40c7679aea8330082b9512b74f6f2466b31600cd55ba82b98d5d24e
1951ba12799c5ca0de175a132be0100caa97a26d04c7fbd32db9a208428ecb47
1a113744b019171137426cb3f81af6866b3d68ecbd1e1f94d785895ca8011e42
a0192530ae854c9140727d720158a5935ef2682d6c8719492d4b8cd6da2df3f4
b643a9933a79746544cd3c2002ea0ab2c22c1ec327e36b2dcdd0f81c96be0e4b
bac4c7d853d8f5cb3a5779926f957281aed52e71f2b17bcef4d8d83f8adfff89

http://munteanuion.com/wp-admin/8ny9evo5/
http://healthytick.com/wp-content/uploads/w85/
http://lafloraevents.com/wp-includes/q1/
http://giumaithanhxuan.com/wp-includes/m3455/
http://kulalusramag.net/calendar/wwql8uc746/


Creation Time	2019-05-17 14:30:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
819ab52e52c297347cd1bad4084e8471ba9c93d703ba3cbc876fab73563e8e9c
a13ae5724a99c6daba33e6315062f22fa4626fbd7bd3e9957c50a043d4b1e654
26c075cd553a10f85fdae3549e13dc89a7eef19a18b3923a9df5d98484e36369
3a6367008f935eb38f7b1427cde51e227984cd70e4f0ce1a780c9beb588a6c74
7b78d8a43cc4679d957c96adc9f47f02737604f467ae0006cbbaf2c1705ffdaa
2e80025f194a852888956538135b099b885b6bf4aada5db2e2399205757141c5
f020cc5d9e3f169bd2c155676e6c92ee7b14e12f5643a1ee6284f14b9603fa37
2ff9e37e83e0023bcc678ac743ff3217f41042b2e98bf82d31e6eceeb5fd722c
4a9d62214f2ad64fea06f2ebd732c63d1474c2a3811302e984e39528167ed835
3ea1cb216379b980b98072a9b216b05a4d90bc9ec5ebd35d0538bdbb0239c0fe
24641c1a99addc0f9f35309a36953bc78939f5dbc7e802dea8f215a96582a979
8fbb5a1fbcc888bc4f8f570c85661cb4b9f6c034b9efbb33dba2ff49ed8a8d55
a0c791d868397818483f64ac74c97c0467f71f9e226ae6a989a1aff18d590fc6
70e4f1456e99d0d44284aca59a395e5808c30f781a34928d2f80fd9989c2a06c
8772a7e196e9bd918200036694f2766b70994b07dc8c8cc1a8f6fe658853f454
61a9446964a94b7814b05638ec873a1c83ddaf04d82995ed99a92c1db84b529d
783f1613c31b05278f66692cc9cf4d8186237833a95103e13ef4bd2e70a3d277
1a806fd396b8823785f6ba871e95955ad76132f1eb0fddd88a66a960fa4ca157
7a56e929bb472531ab37c188968c61eb697ad6800eba77252d514e05b122da42
3b7514aa510415630f938206f77f157717c0deb55a0d2700291bf6bb2367e526
615275427d4732b3ffd9abaea16457fb6f6627e221555a729a404953117c6e01
a82a5bb9f568bf1c2dbb0cfa775f6d86a71cfca1e783dd790434c7691d3c573d
ce0415b6661ef66bbedb69896ad1ece9ee4e6dfde9925e9612aec7bbf1cb7bc5
d1deaefc8538e4bda63e23fffda9b67a7a83c0bd330581d95f6c00bf661f933c
b332cc2f9f0e8a460d1b69de6debc0afc98a5fe9724d2ddf4448e8c9d0b168db
634dcb0a5ef30ce7fa66f49c1f2e2b819531c20bebf1ef6110e393893b70b0f6
e5bf1f965ee66a7b0974972ca92977e8534afedcd839b9d8ab131ee10a9e4f17
4f140a17756d5254f1e5b5792d50b9b3ea22574ea0ba9baeb68cc1981fe7d77e
a350b81ac763eb36cdfbd0dc52449af7223059f4b00a85eed43a58ff871bb643

http://hpaudiobooksfree.com/wp-admin/6ns631/
http://aldocontreras.com/wp-admin/hqw76y14/
https://irismal.com/tutorial/addnews/css/25301/
http://irbf.com/baytest2/3zf1ba7569/
http://hanabishi.net/rikkyo/kw7/


Creation Time	2019-05-17 07:25:00	(Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
a4db63ae9370261c1584e603e2d082858bf0ba5c3aef0ac620e76178fbe9fc79
fe856c6ba05dfefd57a384cc901c94a03402765005687f06f927f39292970935
333001a58a1a60a14661a9db36c44c14a66c1bf21f3c1360a22ea7d94f6da02c
cb3f1f122e3a6c11554d22de755c6234ff3c97f10678340536ad535bac5a0604
c96e00e7feddf086c07dbae67794e8b3229c3225c9d5fea5e3bc30fe346afb58
fed668eb24ca328b99050e8356c01eccd0cbf390855c763c46fd869e0905e126
f0fac2d475cc31f62258c513432d4fb9db6505a8527d54b69b6290fa466541a2
b335f1f67f8755a146974796fea45c3f289b8e75076f549f1d7fcfabbaa21fcd
abc11c290e52cc53cf38892bf89b0ca205d0b329358ec2eec9b087418d6db701
2b99c802bceea92b291ad6afe4d930d575cded3434eced458891bd164f242a68
e5f8e609f1489702a1b2a793ffa81996c8602499b73cda786691a28a66e3ba3a
4d6e52c9502c0f48da275a910b0c47b3c3a016ddbc4ed210e3fa13c8e8172556
4fcdff510ff87238071a015044d840627c95aa7030d47928a7ba177d0b47977b
fe86d7e431d22812fa2ab998fe70de16517dccb0f2f06d04f8d47b19c0d7fde6
5543e676a138bc104a3d162aadfe9566cab3df165b7f8180be18764346eb5faa
b0016e459a1f4c30a38fd5574090e696989fca9e8d9cd6830ab52dbfd71dc497
ca88b0fb77bf59490d06ae30c49d31c358154f2787f1ce9c99d3f5daebbcfbb7
998d693263dc3d5c32e70964e6ed43852e7a88da9951f085c5d67fded13f21e3
923977f74bc7c5b466c53d1c76961ff3c2f860d992124ccc1eb22aafa2ebd35a
ef6ec6ff2febf1a15213a7e0064746929a2fc40e0a3bc946c2115a53ab04961f
68976bbf2c8706a73fde0743c18e207f853d9914b7a8f55b4ddda1a8a88e3a58
241ef2cd9bdf1b105b51eae5b58b8d11e2ab34306781ba926eadeb34898e5379
3871ba5f1733ba61dad62fb43b7c649e392841b326d85ba63d50c0d5aa10beed
044d13f08d442a540f2992030f6a347e802fd2a07e956e860baa7bad0eca81f5
2030bb87b7253368bd608882d2c4d2b365aeccd41e40679148d171a1fd96f9c7
ffed5e3a535a2df46b55302304840c96928d5f95cc71d4d209a7134dde25f959
e128eb718262620d14e9a6ec6d2ada7c3644f0a92fdcef0d68b988a44b9d8713
5f4ae2baaccbf0412d2b428b34cc713cd53eec1d588145b5f3caff4103a1e8f1
fe1275d3cd0cccb635d03a4ab67605d0eb23dce52dbd5197c25a85770d003f30
e784f59fbfa82821fbbbec7caa6855156f339f92203087870bfedee386dc98a8
57d724dec8c4a24618c1d3b04e6cf7f990a0d1bc48b4f08572e453e267f3a17b
704b1e097d9c913acd3429ba8c34ceab4208d451aa610937d8f4f4985fcab831
fefb35b7b73be4dc4723c5f5eb6e24f6bfc6f307d0f60bce3eb1960f321aac6b
f96528dc70948567aeb68026441b4c4a14bd25a45de50d4fec675c80c91287d2
12b3a4a90c5b27134dc54ef4f9fa56627da81b4b88c8807fce8cfefa61c88986
c6e1331ab2b2997aa81bde34cbffc9479637b29a1c909ae8ec0283961c874a81
a26e5443d48b38cd364c21057352d743b8e54cad7736e499a4559e41a1ca8a36
f97ab5ebe08fdb20dfb7187effcc64fdf703c01310d8a2babc2c65c6707fb129
ac3940724e8a2fe9cbcc9f3455ee1fc1e85644cece587f91f11967073346a23d
28bd3b3e923db6c93c8ca04491e07b127dbd0ed01fb3cc9481c0ab543b447a3f
035759420aca3b28bd1352f166a4cd34bd0ec2686a8ba6d9177ba500087481c4
881952be84631f78e621548c27c17d98ad5e9d28e59a4f52217b312e6a14cd29

http://gadgetandplay.com/wp-admin/0q7eb83365/
http://dragonfang.com/nav/1ogg550282/
http://everythingguinevereapps.com/t70zrh7nk/b0099/
http://goodmusicapps.com/gc41e1/t44/
http://brahmanakarya.com/fonts/euq6651/


Creation Time	2019-05-16 18:54:00	(Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
10cb461f034cbcfe4faed747d91b826aa9459acfeb93cde10cbe68659b8e62dc
a1b9ac9217d6974e6fba559005534a5df695732ced4c919c96560e672e9d6463
552bc3e2c64bf4966c50d3dd384356a840d131e1e6b687aff806ba9cca0d366d
bdf95e634aefd58257e8ba9ad6d91d8d0cde6adc56e8a5a75f83c57972929c36
bdca737e9e2d0bba7e5ceaa9972f2fc6dd20b70d635441ae29347df9f9ce41ea
a7318799a7df2cbdbae4f5adfb9ea79af117c04bd3efb2aa8a1dfdf8e69559f5
82064cff056fb6514e7a6e1c7d53a9787d781fb2ddc07ca040cb16f3c6510ae3
0f2a584014289c47cdc796976d2a965fb8328ff4f3c5c33a770937e78be221e0
0fe8b5e31ca7373c954ddce16f94828262118c54cff6babd27d105b78b4173f6
2524b9bd80954153584086257665967b6e50366599589a4c249866b0c447a362
6ff2fdb711f9b0755b5b331d66f0d43102acdc4ac3c711921d7c45e653b2064a
2a3bd111f0dfa423f6853c241293d3de96690a35af46140e291bbea2a23a2fe5
c6f6ac66b02f2fe931c8931c7d188e4cb2d731349797acd4230a81fa99ff8e4d
70063b8eb7d523ef93c96d5fe64c94ca44e48aa015f0f047ffb7f7aff16f3270
0a64fe70e950c0f6ff25eec15840a49a1d0e9872de204c856a94f63b69fc051c
30d2d040ef433edfdc2024e7e73a6c7832a790da66d7d913c0544e721bb0f5d7
427f3b9394d9a163cb762d1f2db1d7d5b04c04a3c70f87f1be6e61a7190bccfa
6583156133cc0f82d096684680d2aa8edf3b696051c600b1d966c540042bd251
d9deae5480a330b86c1b08bc03ffa5be028f96d22f6b3ad945faa5ee6d8afa8b
b01f9590c9ea1ef7fb4077234246f064aa0f51eab98524d80ba6ae90a6a46e0c
ded971a239028a87f70c2c0b50c1f7fd7d18e620531363d521d69a31a7b5fe29

http://blog.apoictech.com/wordpress/wp-content/9on272/
http://blacksilk.xyz/wp-admin/4b11ihx1465/
http://cbdpowerbiz.com/www.thejourneynew.com/b4bqg3/
http://vmsecuritysolutions.com/cgi-bin/qh6/
https://itreni.net/acc/7fk45918/


SHA256s for Epoch 1 Payload EXEs seen on 05/17-19/19


27b2bcb2b0bf777208f330b3c6cc92fa40875b1cf6c6294919632d3bdd189d62
f1c04fe9bad284c27802f68bdbeae1f8fa8a964b25fb1daf251435273549210d
ea476bde26c2ee905eebec36b92c2413fd44bca34038c12c962816238ed3dfe1
89007bc0d5b127eacd69f2b7b2308060a2d3d9f0a0fcafb43f039996f6e953fd
9e2afcf53b382a27c6c4b477ca5f2de1eb2e0dc25bec9eeae30ce64166d0c616
8278580d68600f0e0532774bff62fb86a4844b58e4b49d0f18338233afe21cf4
63a48b87df78532280c3da79a79d991df5087731b17cf6404f7edd14031328f6
acb60482f0df85652bc524fb8bc21a5c9804afee122c65836da09eba6942be99
2329223b71b5afc522f3db436f3f494b00feef6390fa632738a068b35ea1b2df
d977f8609ea47b593773b374db94ce929479d71da28e5a602e155557460378db
d8b22d6379a1a133930f65d94a0337c800180fd9cc3b161694cddc9099a73342
f9df457b3295195f81df180949d8da34854e3f7923078b899d3b8bddce14173c
29c33c50123e01a4b87f834ec7c106e8c0745aac0bfacb5694401c8239ab44c0
aa0a18052aa46a75d0fb371673fd91d6caf7a11f49916b2f2223ac779795cf09
42c790c3de29f086a6d352a293335009599d2c9157575e4b71143be37af5dbd8
7c25bf4029f7f448a6baa757bf8d75a381d3d00a3bf0791b3d885f0e707cc061
753590e3ffcc3be801541f9eef7386078037a3abb310e7189a61ad5ee5ecc716
c357fdf1671c8d08b9af9327e39f888f1867c6eccd3495b974a3a2743bd878ff
2ff49f863d244723958e7d0d18f44729b361b91bd711e07182ec7ae44b3f327b
b3c9f36107f11c0277a984cabdfee49af052ba176df5153999ad1978bf58c642
19a4827d85259f0525409fefb00499f1786bc807020c707575b3f5c22ab5bc64
1b31921596c3e7cf290d2209ad19bbbe62353b3082b0aae29e71360dcd75a64e
9f163bfe37d14f227683e7878c90f4220e0c358a50d8c363ce73fdcb6022b8a0
64f1f0fde11122c44a4f43d7b9b72cf032a46ac053122ddf53b3e26ecb1fac28
d6bb3261cc8c42de3557463c86f188df9c22ffb65d50a81a8c909d8768aa9017
6a061b18a6e7b05eedd4d27b36d6df01b9660b3d18b9134177ee49d46eb07635
382b4b101375465169585da7be2b555d1cb7d67bbf46666b6b036b1ade8b6047
b0c45827c169df0b99fa9cd7be05dde1650bd2bb539902ca97168a3a515fd6e6
02335a161f82a00e49236eed60fde62d124bc49f2f3a777090298f2e53c46597
91075e5da3ec163ce0de1566cae48bfdd4b69bae778b6e99a9cc8b406e2b83f6
e42e3d5a450e717be1bc370931821bf5abcd5f571874010e25b9d3c7bce2e759
d6689ebcb0560cd3d08e650ec460f867040857e11c9d4a6b25b7f1424dfa2562
aafdc5d1587830a073b05484d1dd2f05c6289fd29144fbb5983fc2af323eac37
2ee191e046b9650bd6f89a9abdf531c5a188e8855c14f3db9965bdb2c2fb5259
e65f453ad8fb27e7f673a01fd7258674e64184c14bba14c3ccb387583f5effc2
5e4c8f10aa8ec434d61ae7299a2d5b49e9ae2e4c28cbbc7ce0d56ec06082cb53
efce718eba8c612661b25bde99e259b20fee3a53cf2e8855aca0c160167aa89f
2f04778423745d878d8a129da28c3340b62dc5e0fd623eddddb30d17cb139ac1
1606ed13d2db767ff25692fd698da34d161f36d9b8e53fa72d3bf53538007688
217835033f5bc59a6bd0eaf6326d2c2c5d5e5178d37d88dd1a3cf4682f0c10e7
02a319c6e82f38c2a58cb0333c3e986730209733a144c6fea6dbaf9edb3387de
4dc7752758b6e1ce1e0b6c987504a5281581986ae53e7d78c6a9cf6840be61a9
b42b15274663dfa85b571d1aecd241de5da0aea1b6ba2689d420d4cd78338d69


Epoch 2 Payloads by Document SHA256 - All Times UTC


Creation Time	2019-05-17 15:09:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
4a0fd4461dea1997cadda12e640ac903a00804f0b8043706cfa2f6bf0a629489
3eacfc188d4965afc5a7859cbfa609b042103c5d259bd5e06ac9b09193407e5d
149491df7598cf25ce82f3d2246e38d21e4b58405a46d01f31578e74d14c67e9
22f7d6e09e2f04ef2ba9adeecb526bf08fb557ce34d903ac78b3be990774d1a8
9814ca1124dadd3009d9f097df9c035c5b45a06259385522d4dce2e62b532d35
27a7986a402e6037a9e2a4306d260c27f9d1cf071f59dd3031b06b74e7c4741a
f0be6dfb361a60ce3770a477d552bfd3d81359bd31bcefbe514136f3ccbbf26d
bf3dc06dd46376f323b13db12632c039bbb98306965f2feaf14de148a73a5b7a
811e5c04ac9ada5df45bac988186d05c49fe5f30e6f54f96cfcf3b75701f8cfd
b8c88fb199d1b85bbdadfa6eb18900e10b45d9648d58813a3299bd78ffff95ca
03ea657e32c37a7d18bb1c8cb7e56f009698cb62a588957ab74dcd8d4a93add4
0e06d29508e63b8d72fef84f963e5fa2c17a7898a3f763bd30e614cc359ba0c0
905054a52591125d76babef888817ac143acfd554b34129b3eefc4ed3354f63e
e561a0d7b7b38f5d8be3cb5e975490f9bd7c41a9a355f10f3caecae7c1266623
d6d51555cc035085285e322944c51cec777dffa169b38eb06ab1c9aea8160d84
203ca10e70143c45ef9d4b69d0a3bfa2f6f1a7ebb736e03c112a3d9258938b0b
17d1c9a1c70ebb895138658772dbe0665ea167068a2bdfa9f33fc384f9c10e1f
b25a8e099d490509c036caee67954897a8640a214b708325802f61828f8053c4
4bb22eb17b6ba8363d24def18eb31eda7b7ef4b1ff153d0404c064f8cd678593
fe2e69bb741ee10c1a6c2252c9401eee09ed1676ad5520be302d5432ce8b355a
a00d938cc78698d9d5c30a475c012748592258d6a5b9a98c5760b6c4f818f1c9
e7c7c35bf00046380cde5ac06b2fead195e24e5498b743ab4d805f196fbf4997
476cee5037d63ab853ebaa427f79f267a9423f7822939dcd094ea6fedb9ca9e0
ea33d741a3e4ad54074d248ce9d1d759470e56fea67ba20c18b6ea3142abff55
02cfd79618fda7eade1d4d54d40e00a15a73449c06a3e97b4b121a8d4d6f040c
1a6515b41a9ec86c47a257b04247296b888d0936032359e6595f73ac37938b84
e9e9f78904bfff3c083ac80f14b6b67eb9548de76c70c074436c5c3be0fcd6e6
5aaac9264dfedf06565656951652b0afcc57e0bec7f8419bc0b0c7c601e11884
1db77a45f15a989550dc663bd1b2a564928b08cb6131c190448ed24308bcfb6c
bf87ade5d3fbd0a6cd7b0f8df8ee288b908db87a97a7cfab811932b9f33daefd
57ec5c2b96dcfcf8d25079d2b8ca1580f02fcef60cd4f915e68eaaa73c830b4b
8da733b501bbdf4d70a053a083bd0727c9e3a37e0fdae3746e9028f852070a44
ea84a2a33a8cb668fa85132c86063a43bab138500d3357e06e695815f8195e40
8cc4b7ea51080429a29be059d5b9e7f6fad8756cd9b4a216e6862de2a1ca178e
867694a9389b1ccb6e0398fe65cfce4abb2342dc96227a70e0752f4674c31b3c
de7a0ce73512161a0e4b5541199a1054b36e72cf54d29c76e64b2d8bb3cfdbaa
9dac448f232b14f9ad5c55c1b3c0fc014fc087b9169395d3da26b37505f757cf
04131cea09deb5cdffd93baf65ba690287c452d65f0f763a7e3551f02fb4a6a1
04ad51702e9f3cbfdf956a3bc4eaeb69ff16f23ea9b7b981d023ee11a15b9dca
882ffbf086e84f11e69e931eecd74ed054a7e16c45edbb9a060e340411454eb8
8116959a8fa860ca947bd8d9ac9969e0f7f5916e906485c29b0ea0213f498a09
948492b0d42ef7a7ea0826d3d9367e5b0bb81f24a7b4f81b5853617b342b3d5a
3b916160839e3b5e737f8942687f521056c21076e24a11edb927dde7b8384464
a806117a0132df55020530c7745b81351a3ba2aa71116e2ef8a31cc0e45d9398
7dc3a96aa7e9be4c64c1a02ec364be0a46d3f417cba20a5e1d00efe801ee02f1
1284f9d42544a53cb472449914be3819ad74ceaa4d663bcde8059cf1c9311223
185d29bd2b5d6ddd77b04851f905fd4d85b36f21c3e57f613d07d7f88f576ec6
4787a29c36f495b4260c86542625bfd1f887982f9cd1cba4d9947f0bd2ecb878
fc77369ca75960fe87084b42ad52f1eeb681a77a723f4dcf1dff20f2c837a5a5
241a37ec6cb4c435bcea7e4f9c74edec59a3d8bd803e271a32f2a0e8e1f88549
9e0a52655df1a1292f1015fe045166e47a93ceba2cd479e88a129773f0dcfe43

http://naft-dz.com/wp-content/cel3xz7ik6_u5a7be-354524163/
http://fullinnova.com/video/AXINpXSB/
http://novametal.cl/wp-includes/3r5l_nt34dqjxr7-3/
http://ortodontagliwice.com.pl/wp-admin/TIPFceap/
http://avrdevices.ru/Soft/ZIKmwKarDQ/


Creation Time	2019-05-17 05:55:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
af6fabaafa47d6413ec3d4f4e17147baf9ee8edcfec6e039aa6209704dd71caa
eb8b638faafccbbdb03c1f1b88330482eea048ff20467a65f7f9aa8c2fabc829
701fac449cb6911f208c69f0d108b68890db9a4c9c579f88bffcbc2a7786983c
7cfe416b21c8f7637e9deae7a76baec5d7aaf28ec2a5af339bef9df852066854
f33a16e2cd688471babc7e21efdea5b44b972a440eb505e04f606586d3548596
590233566df677701505fa92488b69a803482f2228bab2ab5b31e84ee6d56e83
dec2820e893385e609fb5a1f2edeaaf7d06bbbc4fddce6499f5e034d4d8df346
89d028c23624816d3b1c34f28acb7ae32d92142060c5a43ac19a03a5fe041ef9
01f38b6e3c169901189bae59a2b7d5d61be6998a8b9a79bc1198786e36f90006
c95d7dbdaca7aa20fc8e384aa0fa99a3d8f9cc426c8a8b956e8751759dc98bad
46a7c6fbc6556569e46de0eab69feaa861ad612f83e29bbeff301b51549a8717
ce0de64b9421a663165e5edad87c2d77e530a1c55c8c7323d13caa898d5d0699
28d9332fd2b107a7579b147dfac9fac3c64b4b84a900b0f7b4d9825729c02f31
a12309c590377f6fef758f1957a797959a7b82723b2835c69c0018758931d306
16b073a56a77d960ee2a7c6426a4da145ca030e2fe9212df4ca41108ee86435b
ff103d14150140826c3cf984f74a8ff1cd150bd97ae36c4d2497e134072e4b49
18b46db60e8072005dd984000486ccb230ffbf2db1b4dbc7051622ea546a7f00
24b50a35f37950ea20fd32c7a206e7e75a16304fc5740a12e78a5b051354cae3
ca6f5a2ad809fb47c66425b4dfdf8e68e61f602df04858c211dcf0b680a74e11
adda97c27fbe9249055b0af372e69209d755cfef5246f23f740a6d9e8b658231
2abc288e11628e9af9cfe5aaf602f512abf6ffcd72d3c446c41ac2dd620799c0
26b0b2660be3e246f487a7f824efb63f296d6221aeae5fb5c661adc82c78dfae
a38153871ccad831b791c726e169a8750203aae8f8543f013336a4ee02e95893
8e00a33702efda087f6971215696e0433ca9521b3af2ee39d2f53f780981d397
b7b8b52b5f519a6c168912a84b61360631ee6e9d9ebce51fe8b7b380809cc8bd
904a35d7f7d6e22d6002a8b8e13aa1ad04c828e7fb4148ddd393e5f1dd713a3a
2d702bad28921c0c1a8c3d99f090670249f16dd593d70c50127bd54e35a98f93
53540919e8052a5a6230432f0f0b56c36b8a20f65c8cb8003711aa6ea3acf6a9
cf9168f4fbe25b2e016f76b00f0fb8983dd6dbcac9d3a33a2917efaf494f7936
34df5911c1bba87333ed40548fb698052a46159e75029291c0c006730c4dc539
189340825b7d2939acb8b4b65cbc19539f94cb984116a08e643ce24a70bd8397
b9596c878e0d90bbd5fd5462846626f10333f993331b3ab6b6b08e578da9bc57
ec32583ad17b097816c35c7a796813175f0aa8bc08bce768e25972e5b73a7f2b
2bf98481098d5927da4199e7665a2d8842cb1ee6375e08f816692299cd4c84aa
fe4876086c674ae402a39e5b7ddde8dac211c8cdb752ceb7a142a06450274d43
f467517f2fbc08d4443a80f0c2843fb40393b61b06fd16af5f89a28e7344d7b4
ddf0b4acea25137a223b60140a358b67b90d40ea8ebc934e5a6b07ae6c2832aa
362a64ac706cf9696784029c5e5986931708ab119aa27f80ec9a872c54e0c08d
1959c9bbf9e403822f83e760ea65512f37203e0a9feaa18563d225d227cf98c2
a4919eb78c8ff12ce6a5e5bf2916401075803aa17c52ba794547d2a56f0d0834
f26778f3956e663364680c130d32266c7e134d7fe03b41727691ee3ef9feba69
6adfbcd91edab98c5ae5c5a0c62cde56e87850170b3796cc3c2e1ddb91b24e7b
cc3d8fd0922892a2853fc70d776ff73ac0e06675feadc37931f94161fe4cb01d
e2ca9436ba7167fe155887227ac0c5d43f62afc4d00d607aba14aa37b6804988
311b029bd68850d06ee38e92aa4953fa1f2ddbe50b1b784cce071da5951bfb93
8fbbb4a8adb4695e6d1fda756ad74ae0af09ffeae168943b18a86521a17430c0
94b81e4fbf93a7895f9fc71936fad29ce4a65bf6d3c61689d066d06b2371a8d4
57280eeda1321fbb4652f0e76b8ab6d069aaebfea15609e8590f5ee98f819d66
65b353cfc943e115e97c6934c0aa6cdfcac487f55e7f012bd2c0d335a5b05437
be600bba7b64514294d4fedb1c5f5876cf59e0ed5da54804601bd0c901a3acd1

http://classicimagery.com/business/iAGKbxfsk/
http://edandtrish.com/blue/8wse_zrdnx2c-9775/
http://finetrade.jp/data/mFapRrNGE/
http://meenakshimatrichss.edu.in/wp-includes/zRunsGcls/
http://tanibisnis.web.id/wp/xa9o_88pj5mcr-26/


Creation Time	2019-05-16 18:51:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
185fa1380d4b9eebc11ddba1d58063b23cc6685b7d0958f12551b6a53ee8c448
e5477afe73e59b8b7425b59c6747842d34c5b9adec829a2f5cb0f7c612af8401
c66f97732d8e95bd54ba80858d4bd75bcc65410a310a7aaf83857f2c64ef6528
beb226928f863ec63aade13e7a676ebafaa5b1c1f74e796c4e2deabbac939f48
0794d6c309ff5e047307be22373c6f9211575c7c625c06c64f9c159d9b46e207
01fe579a4662383f97070270f32e36a83af02e5815de65440333cdab3d982d3f
fbae6682dccd5c48baea8e3a6c710f10ba9adb63b968fb15e361a57dacd24252
64d6dd8cae1111f471ca600828fddb8c73e3186f064338a58465a47d91a0c208
1efb0018ba2d5facf16aa1307bd349af4eaf61925d05c8e445e95a9a0db0ea74
a2256001c8036708c781f69a4e082f649bac0c8222ea3d4689f8d1c0d7bf2f74
aaf5278609df25c2d31ef2310f720d4fdcb5601824bdd827e599bab8e51f234d
ae5bb6a0f5643213b70733207a024c1d18b0113b8c6377a642e15f59b0c308ee
30ad69b359df6bed53c2e6acff205d81754ee36bbdbf36ef90f60ad1eec7f99c
e90d542a11be7c8295bd63c58d800c9acb93f1daa2504009651d9af98361a6af
ea6a8d54107aa9da030dda914d682912a6a3f9d8f978a5ded09e160b75baa687
92e5e4a608f28eb39f833c84655267009c31996a515d3101746f1f0251487d1b
25d8d626d420204a2821eccb8da309cc9ed4f0f4a9f31d1e15d760da9644c111
ecd1d2c25fdf788170749b506ce3afd1bf711411b12258e0debf82cbd8102ddf
05adb931a6a81a896f64e0d66be0fba92e7d117e660cad0dcfa1589f449950dd
378296ec7636eb0fd3af3bfeeecb5eb2128356f3200f50a48dabecce4113d66b

http://legioncrest.com/wp/pyepn1uq0u_1cn0tfaqg8-54319762/
http://rogene.tk/wp-content/lDVAyrLa/
http://electros.co.ua/wp/ln720_ugcn2s1wm-93/
http://modeloi7nove.cf/presta/oaFqMJPhd/
http://deviwijiyanti.web.id/cgi-bin/rbfyme7h_yctqp-7/


SHA256s for Epoch 2 Payload EXEs seen on 05/17-19/19


ff7283f7b9eb077603a6963f1c6f95abefd0d5acdae4bddc691ac57c3f6a8e05
20e2cc851e44161e7fa821ea731fd64937f571878dd382f1620636a82de4355d
3cc8b8f57e89e58d5ad07cc3ece6e5f33c93369ade7333390f7c0c4f034f8ff6
6dbfcdafa6bbdcad57f7fecb66ac35b425dd37040cf6f019f02e08d8322ba9a0
415342ef18bc4ee2d492937886fcb388c2fca0e7ec3b82ab710b1e44a6078783
5003644186b5b4432496b335655c5efdb873d1b5d01abde1dd0515492225f01a
fd885abd3c3895240c31fbdfba3d7126459b13cde19049b75075d5c9f3429a43
6947f554d7f50b1edbed490e36b4c605feb7c27829be16976d036871c9f88c1d
388158cf5652578bcc75be136a5429084df1384ab0c1abacd2c8a989619229b7
3a55f6c56e928d658f0ff035d17dc8761e1ff095ba80db6d528573c26abe9ba3
ed96364977f181ef7733a8b9a4940d2a529c7a1fd6cbb78130acb9c3cd60d4b9
204945ee1e17cb2684da4b1508ed2117f612d41b7f2f59d55a625db7fb5fcf36
5502789c6c29ebbc46628869afbd7403bf0d19444209d88e3aa743e2ee620981
41c552f75c1c081bbd6e1373960551b09acc3ab4e4f564a14cf19d2e94deaafe
eeaa43d154db6f483d7c70dfd79897cd5fd7555439219c8bae46cc2de700f074
ce2617f0cfff7d66c227cafef0f5b0b69bd8816fe392b1d7d5cef6e80123bc65
d3087e7e30f9bc1650c54c5b7398a195d27d77168023db8002c90b4ed9a5fb90
a75409c3e5590c092af6770e88b632fcc85e93ae3b2985d3520e981e4926a4ac
1001cfaa1f9df7bee979a80241bdc0dc69fb03870d18a095f7125d6670db9597
40cc9179fcafee740c01c18ac18fe12f5540699b17a65baf8e614661739aa004
4925e099c9cc7c804d88ea55c61c60054542a50b10ec7b545104971344793274
ecf2761f512e8508644abaa8b4b6eabcd526fa1199a840bf6a1376a58875ffa6
5be286b25a6db0ef6799547bde0e7fcf41587f04164abd5290751aa62d13696c
feee487ffb84ccfaf11643d2a8a84c146c6caa2cacefa41dfa77578ccdcd0580
74cb3663a5403993d5df536da6cfaefc73249fa19d0a11a49e4ff00a31595359
26fe1af30cc991c29c519bc2941c545026c077edf4b41c3eadb93f9d577f2bc1
408a6ca7d52f20cad7c9e71a06f41d38e9fa1dbfa9595b29987739cabc152e7b
6b41d80cc553fe9cf5bd205420da184c8f2e852192448302e9c053039190e806
e714d77f133da5e759a61ea1e696b0b0778b2d933596697fe4b756628732d1e3
fc64a7f68969210d1cc6a382ac9ccb9ee44ff1e661ae7e95fc21c87aa09bfddf
5e636eaad07c41e658980450b73c0a05103fd05f06d2523a2891b242861f6771
fd150c99a4ede861e01f0afcb0d6d058d28cca3eb2c6efd4389477adb2e94c2e
b07751e2d8f02638024ec922a8db2a9071c8787eaa353425dc795c0d45114bda
69415dca4fbaa6260cf2ef4813c96fc4dc7507b1d5d35d198c6ff5d3d34ef8e2
4415c821d0d79d7aa1da02200223a2ea40ce5b7f2c074d68dd14c423c7912124
7b218b86c4386b46122ab1692c9cacf18e67f78a88799b6f660ad4f1f98dbc4e
86115ddfcdb2bd7813c6709794a810d5e3d9f1c112f4b9759d14f4489422a121
8800bff90a5fe41b917e41b6b2a22bb3caef8cbd801ec212dc89ee53579d3799
baea1d3a3ac681b1ee4df16c86614f9ec005a6c88d29a2c91373c430c8e6285a
27aed9cd088b7ff8c2eed3e34427028ee4adaba5b410b3b79bc1c904d2556337
fad7b12ddbd41d1812846329bc29d1c471a33611e4eab0f8795e28eff891960f
6f46b194cf2e55c06686748b3377df2b436598f6019d0f3f8918c27ff5923743


Epoch 1 C2s


103.201.150.209:80
103.213.212.42:443
105.224.171.102:80
109.104.79.48:8080
109.73.52.242:8080
111.67.12.221:8080
134.101.222.153:80
154.120.228.126:143
159.69.2.128:7080
163.18.23.242:80
175.107.200.27:443
181.110.239.26:80
181.143.101.18:8080
181.15.177.100:443
181.15.243.22:80
181.16.127.226:443
181.164.227.212:80
181.198.67.178:20
181.199.151.19:80
181.29.101.13:80
181.30.126.66:80
181.39.134.122:80
185.129.93.140:80
185.86.148.222:8080
185.94.252.27:443
186.139.160.193:8080
187.178.9.19:20
187.188.166.192:80
187.190.237.104:8080
187.230.83.149:443
187.242.204.142:80
189.196.140.187:80
190.113.233.4:7080
190.117.206.153:443
190.123.35.82:50000
190.13.211.174:21
190.147.116.32:21
190.180.52.146:20
190.85.206.228:80
191.97.116.232:443
192.155.90.90:7080
196.6.112.70:443
200.107.105.16:465
200.127.0.8:80
200.28.131.215:443
200.32.61.210:8080
200.45.57.96:143
200.57.102.71:8443
200.58.171.51:80
201.251.229.37:80
203.25.159.3:8080
205.186.154.130:80
216.154.222.52:7080
216.98.148.136:4143
217.113.27.158:443
217.199.175.216:8080
217.92.171.167:53
218.161.88.253:8080
219.74.237.49:443
219.94.254.93:8080
23.254.203.51:8080
31.179.135.186:80
37.59.1.74:8080
43.229.62.186:8080
45.73.124.235:8080
46.249.204.99:8080
51.255.50.164:8080
62.75.143.100:7080
66.209.69.165:443
69.163.33.82:8080
72.47.248.48:8080
79.143.182.254:8080
81.183.213.36:80
81.213.182.115:8443
81.3.6.78:7080
82.226.163.9:80
85.132.96.242:80
89.134.144.41:8080
91.205.215.57:7080
91.83.93.124:7080


Epoch 1 - Spam/Stealer C2s

<not updated>	
61.92.159.208:8080
104.236.185.25:8080
50.116.63.9:7080


Current Epoch 1 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB


Epoch 2 C2s


103.251.176.34:995
103.53.44.20:80
105.247.109.117:993
109.194.50.231:80
119.155.153.14:21
133.242.156.30:7080
134.196.53.52:7080
136.243.177.26:8080
138.201.140.110:8080
138.68.13.161:8080
147.135.210.39:8080
149.255.56.242:8080
162.243.125.212:8080
167.114.210.191:8080
169.239.182.217:8080
173.255.196.209:8080
174.136.14.100:8080
174.93.130.148:8443
175.100.138.82:22
177.230.108.144:22
177.242.202.30:8080
177.242.214.30:80
177.246.193.139:20
178.152.78.149:20
178.62.37.188:443
178.79.161.166:443
179.14.2.75:21
182.176.132.213:8090
182.188.47.206:990
183.82.100.135:80
183.82.110.170:53
186.113.19.171:80
186.19.202.88:21
186.31.189.232:143
186.4.167.166:80
186.4.234.27:443
186.50.124.246:53
186.50.124.246:7080
187.189.195.208:8443
189.209.217.49:80
190.112.228.47:443
190.145.67.134:8090
190.25.255.98:443
190.25.255.98:80
190.53.135.159:21
190.72.136.214:465
191.92.69.115:80
2.50.4.159:443
200.21.90.6:80
200.85.46.122:80
201.199.89.223:8443
201.220.152.101:80
201.238.152.20:465
207.44.45.27:22
211.248.17.209:443
211.63.71.72:8080
213.14.166.152:990
216.98.148.156:8080
217.13.106.160:7080
222.214.218.136:4143
24.139.205.186:8080
41.220.119.246:80
45.123.3.54:443
45.33.49.124:443
46.100.165.6:53
46.105.131.87:80
50.31.0.160:8080
50.99.132.7:465
58.9.168.7:443
58.9.168.7:990
59.103.164.174:80
62.75.187.192:8080
64.13.225.150:8080
66.84.11.168:8080
69.45.19.145:8080
71.244.60.230:8080
73.189.66.63:80
75.177.169.225:80
77.56.253.112:80
78.186.5.109:443
78.188.7.213:8090
84.241.10.111:53
85.104.59.244:20
86.122.149.86:8080
86.151.202.16:20
87.106.139.101:8080
91.205.215.66:8080
92.154.101.154:50000
94.76.200.114:8080
95.128.43.213:8080
98.142.208.27:443
98.144.73.193:80


Epoch 2 - Spam/Stealer C2s

<not updated>
198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080

Current Epoch 2 RSA Public Key


MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

Credits and Notes Section


WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
 
NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

What is Epoch 1 and Epoch 2?


What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications. 
Epoch 1 is currently the larger of the two botnets(MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more 
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen 
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same 
time period. 
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have a different document creation times and payload quintets than those 
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change very 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Monday's of every week a new set of document download sites and usually templates to accompany them are generated early on 
Monday morning/Sunday night.
- Both Epoch's may share a host for binaries or documents but NEVER the same directory. Eg. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys will change every few months so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this 
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

Community Lists


https://twitter.com/pollo290987/status/1129842897178824705
https://pastebin.com/KZ3iYziz

https://twitter.com/executemalware/status/1129542899098636288
https://pastebin.com/fUmUeWM7

Credits

(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, 
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt 

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and 
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey , 
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch, 
@urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!

Daily Log 05-17-19


It's going to take me a little time to get up to the usual high standard and timing - @ps66uk

Still low volumes of emotet for me in the UK, not seeing many LATAM bots recently, predominantly European sources.

I noticed that my reply-chain emails were not using stolen bodies, only the stolen Subject: - the body is now a generic text as below

CERTPolska noted the high levels of #emotet in Poland, and provided a script to pull IoCshttps://twitter.com/CERT_Polska_en/status/1129382879195213824


General News: 

<..>

REVIEW:
If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
to open .JS files via Notepad.exe. You can follow my instruction here in this Any.Run:
https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
https://twitter.com/JayTHL/status/1126204098670411779

Email Template Report:

Generic templates on the most part, the usual body text listed below.

Review:
What we know about the threaded templates/reply chain:(changes are marked with *)

- Emails are sourced from once (or still) compromised users all over the world.
*- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018 until at least March 2019. (may be up to present) Also have seen emails going
back as far as June 2018.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
- The injected reply is usually prefaced with the following: 
"Attached is your confidential docs."
"Attached please find the wire transfer form."
"Thank you for your help. Please see the attached."
"Load instructions attached"
"A printer friendly attachment is now included with each email."
"Click on the attachment to open or save the printer friendly version of your report."
- Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- The link is customized for the display text of the link to show the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous. 

Link Regex Report:

Regex directory patterns - Changed one of the Regex's for E2 to pick up more common directories that were seen today.

E1
*https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/

E2 
https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
*https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/

NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/

These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of what I saw in link malspam. 

Payloads Report:


C2 Report: 

C2s DID change for E1 and increased from 77 to 80 combos in total. - recorded above
C2s DID change for E2 and increased to 92 combos in total. - recorded above

Closing:



TT

Sandbox 05/17/19

(all with fakenet and MITM unless spam/secondary infection)


Epoch 1 C2 run on 2019-05-17 at 19:00 UTC - https://pastebin.com/kHir6JU2

Epoch 2 C2 run on 2019-05-17 at 19:00 UTC - https://pastebin.com/kHir6JU2