Emotet Malware Document links/IOCs for 05/30/19 as of 05/31/19 01:00 BST
Notes and Credits now at the bottom Follow us on twitter @cryptolaemus1 for more updates.
Epoch 1 Document/Downloader links seen for 05/30/19
<none>
Epoch 2 Document/Downloader links seen for 05/30/19
http://211queensquaywest.ca/cgi-bin/uRJkIBKaqIWAzTxhbKCUMxa/
http://adminwhiz.ca/FTPwhiz/jgldbTNBgBbUHdmt/
http://agendaportalvialuz.com/wp-admin/FILE/oZgfCbCUQFayep/
http://akcaydedektor.com/dosyalar/lm/kz0ytss82nghog4w4x_vyydeidib-41148966122/
http://albatroztravel.com/wp-includes/DOC/XjFjqrrQp/
http://aleterapia.com/wp-includes/himt1nj-mgxgmm6-jsmjpxv/
http://alihafezi.ir/wp-admin/ANerjZIINpRHYq/
http://aliveforest.com/wp-admin/Dok/rxCCNFtEBkAGgl/
http://allaypharma.com/wp-admin/Scan/qywlvf1egg0kgk055d2ee_0b76l5-6114076748/
http://anayi.org/vendor/12d81-1qy4imj-msgxza/
http://andreasherbig.de/admin/esp/yau2xxtnd21tn4xtx_xxvwsu0q6u-685408551/
http://anklaff.com/wp-content/uploads/lm/PXdPfnpwsFEUalWIzPCh/
http://antiraid.org.ua/jwkg/DOC/hjtgvz06ogogu00_os2b9-61932144775/
http://arq.holacliente.com/capriccio-web-pedidos/capriccioweb/backups/Document/YxpWfObYOSbNVXq/
http://artworkshopsinternational.com/ewpd/1y2e-m559vsx-iqrs/
http://atech-consulting.de/_notes/Document/hu8s6pm8wzqne_8jzle9bew3-1292452363/
http://atlantecapitalpartners.com/wp-admin/mslzeFgUdwfdiiMvFhMORyUBeSYZ/
http://bangobazar.com/wordpress/fSKXhcwawEMiBKEpNNq/
http://bangtan.az/yfvxdx/parts_service/ux811t8fb9l1shjgq3cqslrlpnoi_2yvvlnz-98770782433/
http://bcadvenco.de/sb3t2ym80/FILE/0kmhat6xr14g906_j87tgy6-23699990534148/
http://beekayagencies.com/font-awesome/2qcuj-oisk1r-swuuwld/
http://beshig.de/Scan/xx6mf2l4megi27x_aqzyyj3-173457882844/
http://besttasimacilik.com.tr/wp-content/uploads/gnetrg1o_fpkmc2y-595917581/
http://bgfbank.ca/ebanking/lm/i8x0vlrpceb_f3qgu1p77-209998747323/
http://boshnakov.com/VisualArts/vfvlg4qm59ripck22fi0mnmwqfo_z5r4h-7122529632245/
http://brik.com.br/wp-admin/INC/jlbyf0e67hluqmwab6_mccdsdx-481225552473/
http://brkcakiroglu.com/wp/ycnoo07gcms47q4x_jilxy86jd3-92291441/
http://caducian.com/wp-includes/FILE/zb6bhqah35_ky3ryuf-354599330/
http://cama-algemesi.org/wp-includes/FILE/2v778xm1yvw17mhpaa1de3oxni_ye89vcm-7764862970/
http://cocdatstudio.com/greentreevn.com/esp/AbOdGbhIFfhis/
http://comega.nl/cgi-bin/Document/1le1bpzvfauc1nnhajle_1fnot-0521551399/
http://computer360.ir/wp-content/Document/vnZBYUNBUtaszLjNwPLqfkT/
http://darkparticle.com/wp-includes/upkg848hx3_j9mqs-53728257/
http://dautuchotuonglai.com.vn/wp-admin/FILE/ysjxirpjjm4ob_f39l8z-64165881581302/
http://deepsteamclean.com.au/cgi-bin/txq2m3-3b8zmi-uvlaca/
http://dehydrated.sk/cgi-bin/FILE/QSMycyGH/
http://dekhkelo.in/cgi-bin/paclm/tcz90ln7m6rc2f1zs21b8ska0hd67_k3gspvt-5742695405238/
http://delpiero.co.il/xzig/4sonl6eogw_cm8hviq-90178285/
http://designsbykarenpolack.com/wp-includes/images/INF/FZKeFdASHrbDAAue/
http://dev.artoonsolutions.com/linkedin/Inf/y2bla1oq8ct4hf_0on5q0-91901972639280/
http://digitalkonten.com/coba/Dane/PZqdtVCOFeQIq/
http://dongxam.com.vn/vgw8/DOC/zLyXUOnYqFeMFi/
http://dotnetdays.ro/wp-admin/4gp8-p5vul-olvu/
http://ediet.ir/TEST777/INF/459w0yvxmowylvc99k8nbl03mkp0_e1cto1-2620173149134/
http://ehebauer.de/Modellbeispiele/FILE/twqBmAopVORc/
http://eiba-center.com/test/Document/8oncgdmkporam63y9bxrre8k5ey7hg_2o49azzr71-435965837/
http://enagob.edu.pe/nuget/LLC/vqsr8lna27ug9nv2feb5jgz_v7ipufb0-702026703803305/
http://endofhisrope.net/2008-08_PSBearDonate/ni5ef9rgv8vpnvdf2wknvy_1fty18-5560290098/
http://enzopl.com/wp-content/uZsgNnwmBsWufLFyEpgVjjYGFuk/
http://espace-photo-numerique.fr/wp-content/Scan/ruia86y2tqhrh_3d0fakiz-124892431612642/
http://etu.polinema.ac.id/wp-content/PLIK/qmkozdou9gnrkf6uyorks0_45sszesb-655632009742560/
http://exitex.ir/wp-includes/Scan/1p0f4k06detvu_1vntk5va6-2400571204/
http://eyedea3d.com/Renderings/Pages/pjg89mwtz6q7ok9zyvboaa_6hjyvi-28229335/
http://fashion.uz/f88d574c68281d00e544bcd6cf02fb8e/vXuQWDqBTepGz/
http://fatafatkhabar.in/wp-admin/esp/uvn4mnxxgcs9dfqhj_iymvu-8126361721242/
http://filmcinema21.com/cgi-bin/Document/oIqjnBYqeDwoSspLnaQbfC/
http://financeroll.com/wp-content/FILE/FJqJeHbEScgeSUGmi/
http://findyourvoice.ca/wp-content/uploads/Document/rclXkasLtkNCB/
http://froehlicher.de/cgi-bin/sites/hhgsryTHOVqERL/
http://fungames4allapps.com/wp-admin/lhzhnjd-4cp4xm-affe/
http://funsportsgameapps.com/wp-admin/x9olmfo-z7ei6k-pcxpp/
http://gafrontke.de/Scan/sPyCScoxptIz/
http://garcia-automotive.com/cgi-bin/53034evrhbqrjf11l7nmk1cia6_v5btiub00-26351845/
http://gbdou130.ru/cgi-bin/INC/nfha5w32nb89wdvq8w1mep27gi4864_7ctqbo0s-528025325147/
http://georgielink.com/wp-content/Dok/n547p7xd9uo7v119smlxtkgwev33_7vpl6pww-06672640804/
http://geosinteticosrv.com/wp-admin/sites/uxVfpIUflfUJEbuiazCaKMyFvO/
http://gigeveryday.com/blogs/Document/IZrYFEPxyiHcixJpiToRcavLaIvhK/
http://globalhruk.com/globalhr280318/Plik/ui6b2qadu5djjjawi3thb3_lqlck6-70220690735905/
http://grafikomp-web.pl/images/paclm/qz9gnqox86a836cnaqmi34dpk_z1w9s07-6758905517/
http://gragliaconsulting.com/wp-admin/PLIK/prscjjxynl7upk6a17halbt56_0lemhjjk-53679232646/
http://growker.co/growkerdemo/Pages/UeWxULNeXsgu/
http://grumpymonkeydesigns.com/wiVHXlcWCGfSrJTOXjdCltGrEp/
http://gundemakcaabat.com/jumd/lm/x42ani1hukkebuzybc59yg01ni_dmiev-68340372338/
http://gutterboyshermanus.co.za/cgi-bin/Inf/g6mcdlibpwwvmc4v0oame_lef7c183o-82526644904/
http://halffish.co.uk/wp-content/5a096qn-76gnh-juzxt/
http://halffish.co.uk/wp-content/7pg6es-an498a-cnocjix/
http://hangaroundapp.cubettech.in/wp-content/uploads/Pages/7mgk2m22u6e662od3lmrsu9ofsc3_kq6rlsd-92667631798082/
http://harrisonlily.co.uk/wp-admin/sites/340qe1qf0c6ao2n5r0o2i4vx_wgthfya5-49077983376/
http://help.shop123.net/help/DOC/JyywdyyizPxZdZkaUZLqE/
http://hifucancertreatment.com/wp-admin/sites/8qxe396yjd3y1evjonfiw9pgcdxue9_k016mrma-55260168521/
http://highq-music.de/Ebene_zwei/x9q7w4cxmawfflyhg1_zgzvsc-472965344/
http://himappa.feb.unpad.ac.id/images/rbvoi2-63gjefe-qbrc/
http://hiringjet.com/aaupdatecoreo/sites/ixw2adapg3q5popb0_71yus9c-3510138678458/
http://hobus.zema-sul.com/assets/Dane/kZyebrWGHT/
http://huitianr.com/wp-content/esp/8s66j69uhdt0wy73_4qphkljo-506335159/
http://huskfactory.co.kr/ztu8/911i32-23epgdo-xtpjvnq/
http://ibfengineering.com/wp-content/INC/pqCbrIdaZobIAsU/
http://imagebuoy.com/cgi-bin/DANE/kkwmcpppl6xv1uu3710aj42ik0z_05qdb5-471297979285946/
http://imagesbrushup.com/wp-admin/6qjxp-6vodp0t-ldovai/
http://innmo.cl/wp-includes/paclm/ulrJBlWLlHaZwTHFRmxZai/
http://insitupro.cl/cgi-bin/jqz7cly-wc86n-udss/
http://institutojuventude.com.br/wp-includes/PFjifrNzBaEEAvgUwT/
http://interia.co/wordpress/Dane/tby46a5dk6yzlrptuva3lqzy5r4_85to9h-38090025/
http://ists.co.nz/5cwffq0/esp/tNVZzsepAXMDVhLmj/
http://ixylon.de/_wp_generated/esp/ZCFcwwsPbCzmUJ/
http://jamesapeh.com.ng/wp/parts_service/lb691n3t3hg9i7prhomskfitp313v_duo3m-989273786/
http://jasrajkalianji.com/wp-content/uploads/fa13lpz-m7baa-zyyab/
http://jazz.devdemo.biz/wp-content/rpax1s-flb0twj-shyexf/
http://jbwedding.co.za/css/esp/qtrgcp7mhq8tmg5n265xbukp_qpqopcjez0-2596232733401/
http://jfdmuftitanvirdhurnal.com/wp-content/esp/x79hnzmh3ejk84gl7c_nso9c-355431769/
http://jfs.novazeo.net/error/FILE/bpxmgq2e62j_9c6fh7ht-814432846698/
http://jmade.ru/system/s8wttt3-rxw43-cycphfo/
http://jorinde.de/Scan/VCxIIEmovC/
http://just-rights.com/cgi-bin/LLC/CFUtgmFyOoIILBoQKAgR/
http://kalanam.com/wp-admin/Pages/mkLUqAaVSTiGV/
http://karnopark.ir/wp-includes/zbzaj8-t1fld-zpumwd/
http://khoayduocdaihocthanhdong.edu.vn/wp-content/Plik/nhtek6b1heol169wqg1i4xt9iwa5_a0im7ttz-332385928588322/
http://kkss536.com/fwbd/Dane/baBuNvSGcMMTtmxD/
http://lacvietland.com.vn/wp-includes/avi03v4qjz06lq6_4fi3vx2-74442750378695/
http://lavinnet.ir/wp-admin/dok0-1x5nhft-ednmtue/
http://lenakelly.club/wp-admin/pb3qj0p0wh6o8_rbfo5-70737820/
http://linhviet.com.vn/wp-includes/yAUcguABSvIGSWibwc/
http://losethetietour.com/loseadmin/INC/oTUemDtSxBNvtIOEMhs/
http://luanhaxa.com.vn/public_html/LLC/sukKsYHVpceeVGKMkiZxwilzqIECCx/
http://maanash.com/wp-admin/INC/qo7vgv8c57p18r_zrx6v2l-710512963991707/
http://maissa.bio/www/7yk69v7-kp75m-rjartek/
http://malekii.com/clbv/jq8df-7zetr-qxop/
http://marbellastreaming.com/admin/oSMKzwKMQQKIQBdOtQWSX/
http://mattshortland.com/ozXYuMOiYlguFF/FILE/4ffkoq818anu8bt6_p5k9z-08161156/
http://maul.hr/blogs/kaj1cr-nl3nn-wwaatq/
http://maxad.vn/cscart/paclm/nbvqjivi2o25nxdn4_p1cx07em-34326722638191/
http://mazzglobal.com/51655165g/i17f1a9bjgesszk0_81gdc24k-18444014202520/
http://medtechthailand.com/includes/jhysv-p4ude-eyrlne/
http://met.fte.kmutnb.ac.th/wp-admin/document/oq8wzjr532y5obd3g_bgjqpiod3-7712741001967/
http://mgeorgiev.site11.com/wp-admin/PLIK/5xsa15h1gu7pue9oiq9jnpgy_uy3gyq6qib-59123496/
http://mindymusic.nl/US/esp/aozkgpui7vvqpz3e_8tczjq27-640947323/
http://mjkediri.com/wp-includes/Scan/FgYgnSrepOM/
http://moneytobuyyourhome.com/wp-includes/HlghjhkGEK/
http://mote.vn/wp-admin/d0km-1jinj-hlnot/
http://mtaconsulting.com/wp-content/5jdnn04r9_8exdkhlo-201012899235/
http://mulinari.med.br/homologacao/wp-content/uploads/INC/gzppinu9ltkaig_su53ecqpe-86320592/
http://multiadatainternational.org/opal-logs/paclm/xTVzKdHQyyujRe/
http://mumbaicourt.000webhostapp.com/wp-admin/fNPjtKWLoqxapZWeTwTCATFKWYjF/
http://musikhype.de/wp-includes/esp/NeuBtTXupVJTrSgtzgCMBzHXGV/
http://myofficeplus.com/Document/DOC/NPNeMWEIEqbJsQe/
http://mypridehub.org/calendar/vo292i-fq5xyc-qyvvrfl/
http://namanganteatr.uz/videos/6r8c6y-l61lu83-ajezpvw/
http://ndm-services.co.uk/DOC/lm/kirsc8anl2obkkb8kjuzalcu7rr_kizfx5g3-689378703394670/
http://neelsonline.in/wp-content/0khlik-gffdw-hptnmxp/
http://neroendustri.com/newsite/6o4eorjp42d3zy_x6ms16jnmg-0304239427/
http://netranking.at/wp-content/FILE/lpDAHwpJzlmVJ/
http://nextrealm.co.uk/cgi-bin/8w2i8ylzveploq9f_6j6ij0-682567154/
http://nexxtrip.cl/cgi-bin/paclm/zKjOywFurzeSMIpdkuboxhdwyTMeEB/
http://nhatduocnamvuong.com/wp-content/gbWyRMtWxEUmjlghipP/
http://nightowlmusic.net/reference/DOC/l29h2lm0r6vpuw6v4hjt4v_db2x446a-645341033965123/
http://noithatpaloma.com/wp-content/uploads/cgxec-j1do6-niij/
http://noithatquyetloan.com.vn/downloads/cpdizih-sz8pmmi-vsznx/
http://norperuinge.com.pe/norperuana_archivos/Pages/jjzywqoggleqye2ia7owdboijgco5x_l6sutq4i-1864307550/
http://nouvellecitededavid.org/wp-admin/gfaz4j9-c8tk06-bapqkr/
http://oesterkrakers.nl/cgi-bin/Scan/9owaftu0z7lc3gw0hsrfv239_d45fuwapv7-06579273612768/
http://oficinadacarreira.com.br/wp-admin/Scan/bARIkDRxrxgvHTceXPAYoLSDUKJc/
http://omnisolve.hu/sites/Pages/iinhmqmyn7xlh_r84gvw5vd7-0051916833/
http://onepursuit.com/wp-includes/Scan/xbfpv1qb6yg_y2t1mot1-547023491779852/
http://onestin.ro/wpThumbnails/FILE/4o2up4lwzoaafd64w4c3tk2t0_7gmgqn-74402121536/
http://onlinemafia.co.za/cgi-bin/ay341aj0ct_7e8gv2x0v-4928522797/
http://oppmujeresmich.org/web/esp/87epa6mx8no6ztd_cdp79934a-265779557479686/
http://orichalcon.com/GeneratedItems/parts_service/xsi1ue9nzxg_01lndenp-66470856407/
http://orygin.co.za/cgi-bin/vo7g6fhoxdur04w3u5jj_nzw2yohdw-12898478915/
http://ottimade.com/wp-includes/INC/ZLWveLpIxYSiAVnVxNGUdXzZWjvcE/
http://ovelcom.com/cgi-bin/TIiUbNptglMlDsuV/
http://ozganyapi.com/wordpress/2ufrsxw-lvejcr-azjbwwt/
http://paifi.net/ssfm/455b7158xjgnhq5zf90qjakpjoo_a5wz85-51998664/
http://panet.com.br/stats/sites/njse5wcorh7u64gdhxo0059mi12_onhaty6x-17998620611/
http://parisel.pl/temp/Document/DCjmvktlcqOywWgvSk/
http://parser.com.br/10/uemdtsxbnvtioemhsuwnzyjd/
http://passelec.fr/translations/XmMCGkcPrsWtUUVmXlSslYZkiy/
http://pbcenter.home.pl/pbc/sites/PUxCKmLk/
http://pcsafor.com/coches/ruk6jsknrrbeoy91_lvsat-989681296456/
http://photodivetrip.com/test/LLC/sbwx5le0k1fxgf_v6be0jxfra-37193886141/
http://pilardaleitura.com.br/wp-includes/zmVROwQPWxCxCpqwnGkQWocMY/
http://pjbuys.co.za/EN_US/FILE/mn5oblpmldqnm5go1qofxvzsizx_4m4t3116-568597395577409/
http://planologia.com/mail/parts_service/cn1yathgn1rs0_mhayfznqy0-143270358110018/
http://platinumfm.com.my/COPYRIGHT/FILE/7gu4jre63b30xfvq_2zr6zbvm-2568302471380/
http://pmpress.es/img/n1y2fm4etxbgbk_bz3ojs3c3-9888480883658/
http://pornbeam.com/jmr0q4ekkhebbu92anxz13z4k_gt5h3dt-730001972445594/
http://precisiontech.com.ar/wp-backup/5e9zuvx-4oz09-wogxnq/
http://produtosangelica.com.br/novo/nfjb55u-saqw8c-gzori/
http://pronnuaire.fr/wp-admin/7pjq-eyt0r-rrdaq/
http://psmstaffing.com/backupdir/Scan/aCAIbZWPgQKR/
http://pufferfiz.net/Files/Document/3a1sm8skeuzgl7cqyy_bmwlr-415254194580508/
http://qualitec.pl/images/INC/832x74abrffu77vfdt_05vnmis-7201257285/
http://radarutama.com/wp-admin/DOC/RYPLhhNafifOnyexrtXc/
http://ranjithkumar.tk/wp-admin/esp/LNSylPYaSzekKFLZDprkzQL/
http://raporto.com.al/wp-content/INC/POUMCWjIbLyrBVzKujiNeEYH/
http://rclocucao.pt/wp-admin/parts_service/vttatprzenvmtw_76qed9ax2-59780589/
http://rcxmail.com/gallery/INC/NGdILJYAYXbvcjwkv/
http://redakcia.gamewall.eu/wp-content/mufrc-53pp2-cdqntqn/
http://redklee.com.ar/css/7lj8ipbwzyz6ye7ajn49pi9w7vn4w1_ju2uco-4894799229/
http://residencemonique.com/wp-includes/DOC/RaWMlCuOJGzBfNTbaIjmN/
http://rickgomes.com.br/wp-includes/sites/xa3wh98uf0tcupd_fovwymlx-5057433442179/
http://rivermeade.rece2.co.uk/wp-admin/hyxn-mi0bd1-xopm/
http://rockthetek.com/wp-content/FILE/egCMJkcNTdrXOPTZGBpoPmaUDpVbM/
http://rsia.kendangsari.com/wp-includes/sites/jb2v5u4vro36m4o15zhv6hwrpkkgt_6228uh4r-2280455687/
http://rudybouchebel.com/rudybouchebel.com/Scan/KnschlDbPCnUxmnYxfyZCjuhYcpjbR/
http://rzesobranie.pl/!OLD/Pages/ZkaLfcNLXJxtQFVYnwJhCcfWctZJyx/
http://s1059078.instanturl.net/wordpress/kxlf8kt-7kqnu-hxsoax/
http://saenz.fr/Files/Inf/h38j0ql9emleqxjjrepupj_03ay9n-022007196044/
http://salon-rust.de/Fotos/DANE/UARiCHLkfNzsSIkzweTcpUPzQGLbM/
http://saltandblue.de/_archiv2010/3jx4sh533_qszc3-5398991722/
http://sampling-group.com/local-cgi/DOC/b1qyz9zd6u7fkraw74s4h2_67zmznv-7279456399299/
http://sandkamp.de/Bilderftp/sites/ya0gn5dv_plip6td-85739464849/
http://sankat.de/agent/FILE/dudvfsWiGEoVEnPDwfSyjxUY/
http://sanko1.co.jp/lp/Inf/ZeKILfZvhaqxnwF/
http://sarutec.de/cgi-bin/DOC/xxmufduk6yuhxg4tvnutx_i0h1kfr-797860169236/
http://satit.pbru.ac.th/en/installationXX/Inf/bgpazl43l3itkgkphg86dbdx_znajxcdnr-4387203861/
http://sb-ob.de/cgi-data/Pages/4mvxmdvze36n30fnwrzwyihqh74px2_emjc673st5-45267850133/
http://scampoligolosi.it/wp-admin/FILE/NvazGJMAfg/
http://schaye.net/cgi-bin/DOC/r5hf5sny2swepuqc0yge0zf4z_51lly6asq-5931021365/
http://schluesselmueller.de/Downloads/Inf/x6ehsznvkuaubyfxjrvgwsxq5e9ni_cgco3uxqi-68024924006/
http://schmitter-mh.de/bilder/FILE/HJEjNqWHK/
http://schockenhoff.net/cgi-bin/SUljGppBcglbQygpSLapbPaSpHg/
http://schreinerei-jaeger.de/Bilder/Inf/kfdpkuc2vd42v06ve7re9vw7vl_at46g4k6xz-479356062067890/
http://schulungsakademie.org/cgi-bin/paclm/FzwnZBwEfiMaZPDafvhHLkn/
http://sdorf.com.br/novo/sites/49r81jh91ta3kv1_r6vvzc-37446666423038/
http://searchingworks.us/pushingon/epzhu-f81kaxr-qsloszv/
http://s-e-e-l.de/cgi-bin/LLC/8009bndfm18tb22dygtbmynvx7ua5e_47v4mrr0-73811913413472/
http://shikkhanewsbd.com/wp-content/sites/1s66xpkamsufnm33_bz8ho1sd3-603700895900/
http://shinaceptlimited.com/maintl/68oq8-vt88ov7-wrzv/
http://shitoryucatalunya.com/blog/sites/DTnEZYqmQyyCbmUMG/
http://short.id.au/rss/FILE/n0mna08h008hdotwe7t0_vkvtoo7-01972413346993/
http://shreedadaghagre.com/journal/5kvusod-24lwwhb-qsse/
http://sidekick-inc.com/wp/Scan/9xjwo1en_7j0ee7tu-10889232/
http://silver-hosting.xyz/wp-content/3dn92rq-huxug-rijirxa/
http://simmonspugh.com/wp-content/jrhujge5orqr8_2yjtn9-566225317236241/
http://simon-zeitler.de/index_htm_files/hg0qj1nc3ntdnat_93cumzhzf-0237662952/
http://simplyresponsive.com/wp-admin/Scan/uikOfpWXdpwxyqyZncoCHJLObjG/
http://sindicatodeseguridad.com/_borders/5m58jo1sxupu7b84oqgwwrgua2_yqqawfjrgf-01178369583/
http://sindicatodeseguridad.com/_borders/5m58jo1sxupu7b84oqgwwrgua2_yqqawfjrgf-01178369583/\/
http://singers4all.com/cgi-bin/ez09n0ny2hcn_g7sd0e-188440162615/
http://sinmai.com/0677744065017/EaEKUByEymrE/
http://siranagi.sakura.ne.jp/201611/4tyn6g6083pgtqzcieoz6y2cc2z0b_5db7in3ch3-6524113546/
http://sistemahoteleiro.com/clients/esp/WIMSETtxwEKjBp/
http://sites.webdefy.com/velhightechbackup/FILE/8hrcg505m97yu500nktr_cj1yw27e6-42170109393/
http://sixthrealm.com/js/LLC/1esz6wwz34w8kscy7_epfnn2i7y-61039944211/
http://sjhoops.com/ldpodcsqkae/
http://ska2000.com/bbs/Pages/e03fi8sg42t7s3g_wjno7m1-74103918631693/
http://sketchesfromheaven.nl/cgi-bin/parts_service/hcfcxevu8h2gedvvf9ark4fkoz3_1wq85bub1k-5315627553/
http://skygui.com/lm/55248ks6um5i21asgg0x3h83ir0zkm_rzeyc7nzf-7305247397639/
http://skylinecleaning.co.uk/contacteotcam/sites/pd6b8ygc6e5863_r0g07-459871542/
http://smixe.com/jbwhzay/owaqafj26_145sfchk-86466482679085/
http://sn2studio.jp/about/paclm/RdRcYSzYooMIPRrdJLQ/
http://sneezy.be/files/lm/trlnuyp6txuxkahdf140m_b2ofh0v-1283763430810/
http://snippen.de/301/sites/ICmlFyqgGCmcBnjoVnpOGzHE/
http://sntech.hu/firebird/paclm/KLeRbuTHrGSvzT/
http://sobontoro-bjn.desa.id/lama/ybrhrf-9gnp8t-rwcdn/
http://sofaemesa.com.br/wp-admin/INC/SNYnpjmRQlpbhgUX/
http://softem.de/TSV_1861_Mainburg/Pages/IhTNCxjEfBayZzNzqUKWY/
http://softhotel.com/cgi-bin/hsKPeXHFNs/
http://softkiyan.ir/wbcx/parts_service/uj7ftl9i11k6xa75xww93c3g2tlyjg_dg2q7037d-12648867417/
http://solutions4brands.com/CREATion_files/INC/ka96r6o5ysrymdmfs9r_kplh9-4260408219/
http://sonnhatotdep.vn/wp-admin/3rjo15c5ga7frtejwoczhes0pyvpj_uxrxoht-3907344799/
http://sonnyelectric.com/ssfm/paclm/pyrrbh2hrzehzcctv3xg89_x9edihqp-692656290/
http://soundsmarathi.com/npbyz/tqh4tcbm2_xuoq752wg6-45735872/
http://sozialstationen-stuttgart.de/Aktuell/Pages/tdptt4lj_n5v6z9cap-785205044/
http://spedition-wissing.com/cgi-bin/INC/9uppuc04tt1woq8ff95vhvw3nocf_3i1bm-3484897225/
http://speyeder.net/wp-admin/lm/qxd8wlvn7ym7644j29_op4217h0z9-1219866213/
http://spideronfire.com/css/esp/lhtbsyThX/
http://spiritofbeauty.de/AGBs/FILE/KZQzKdKpSJJQRiBAepUIdJlD/
http://spitbraaihire.co.za/Scan/tNsnmSNUAbtxo/
http://sponer.net/bilder/esp/7w0o354uuje9ns_f6nbldn-04871546209201/
http://spot-even.com/cgi-bin/8sheemf6odalslz82yzg5e27bmtz6u_bhofk-37233441460/
http://sprock.info/vy8reapqoupbraytr8b5_ce3dkv7pb-1118168094/
http://s-schwarz.de/LLC/DWVNXqowurLxxSJXjM/
http://startupbentre.com/wp-includes/NstGfYECuqbTVwrqDDSlmfptpkx/
http://staszczyszyn.net.pl/lucja/LLC/GTbGgZEgRqkAodO/
http://statebd.com/wdljqgs/Dok/wtwg4cz94f5l16vi8xfwjuxjab6_c7jqzf714x-2393803667/
http://stattplan.net/sites/quyvspvNlZI/
http://steller-architekt.eu/cgi-bin/Pages/mUXgcJlupFdaQl/
http://stoeckmeyer.de/cgi-bin/FILE/lzCpUaSdKTCThTR/
http://stsbiz.com/js/lm/ZCrYGQlZe/
http://studiospa.com.pl/images/lm/7dejdpjj4vfshi6u46jlwgd5z83_wr00qdh-73288207/
http://stuedemann-web.de/_mmServerScripts/INC/x40seazb3ebenxrbsiir0s5u6w_mu2r36os-6845265520045/
http://stylishidea.com/arainorio/FILE/LcfpjnwhyoYkVYZrKuBziKCePnx/
http://sukhumvithomes.com/sathorncondos.com/uk5cevaat66de9h4itfmf6vc_tgfuq9e-569515944/
http://sutceco.com.uy/wp-content/jigojof-ze2j0of-goyb/
http://svgcuttables.com/aahurguy4r6e34ce/DOC/LoGSftJSnmfNgZltgDCqEyAPSI/
http://svirid.com/site2/parts_service/VoezUBojKBKpPbvWSPtWgROFjpU/
http://swandecorators.co.uk/cgi-bin/Scan/KIMACowDpVGfL/
http://swernicke.de/cgi-bin/FILE/yeoq4gzjkyu9rsja_zaxxvklc-40471033965045/
http://swiat-ksiegowosci.pl/attachments/lm/tvjOgMVPKXSOHfTuTiuhhhCxU/
http://sylt-wulbrandt.de/assets/INC/EqVqeadlJdH/
http://t0nney.com/banners/DOC/eey8ti0mce6u50lo1d97k_6mp6buqjb-105020867/
http://tanabygg.no/wp-includes/DANE/DAOWTIAMU/
http://tcsiv.com/DOC/b3nyy6htv_uggqebju-768156738/
http://teardrop-productions.ro/menusystemmodel003/esp/rl65kshppfvh27yk5_ys96f-24114552/
http://technicalj.in/8lfp/doc/9fjik6x06odem1o_fnypue-757633306338/
http://technicalj.in/8lfp/doc/lm/icozf99wjuihh2yry_ssntsxxd-31095594844199/
http://tecniset.cat/docs/FILE/gZJWAgcnAjdbha/
http://t-ehses.de/cgi-bin/9ikudmcf6oofi_w3saqvcu-874708921091582/
http://telechargement-ebooks.com/wp-admin/Dane/rOvFSFmGkurjCNIYAbYLoK/
http://terifischer.com/LLC/sites/UjhzZMGWPoHHWcTRwbiVDE/
http://test.upa24.com/wp/s6vjuln-77ung7-urqz/
http://textildruck-saar.de/wp-admin/paclm/chq0vl0mpuc_xql810r36u-72512773/
http://thearmoryworkspace.com/scripts/Pages/YPpgmEXQgUBlDdGnRgSCJLhvS/
http://thebohosalon.in/public_html/DOC/zaj3jos1vd8o7fpc1pd0ngpkbu_w2wrpr-110381007402252/
http://theexpatcoach.nl/wp-content/INC/wzzemxgvAGsW/
http://thefirstserver.com/backup/verg9is7t_k6holk-693999004328980/
http://theinncrowd.us/wp/07uta3ihpis1diu4hqd9_nsf98qgiyp-252422439473045/
http://theliveadmins.com/503bluewaters/plik/ffhjpnwchxjd/
http://theminiscan.com/img/Dane/yFRYVTUpCUJMJHqgL/
http://thurigai.com/pgoc/c0e6-ptfodc-wvocc/
http://t-ill.de/cgi-bin/whaxk2qj5mjya8ph17wm73vjsp824_3q3m9gtd44-21333014/
http://tlb.atkpmedan.ac.id/wp-content/uploads/INF/lphGMnmuxagTHJ/
http://toenz.de/EAI/DOC/xQIugSawlwnvJExxoxqd/
http://toools.es/wp-content/TlVyAAgUYgDSvWHAUiVLJHxVLDstZC/
http://topgas.co.th/th/DOC/jqoqrrvmqn7s2tiz739nc0_wswqx7-6218834525/
http://tpc.hu/arlista/FILE/PCMhdodoDFN/
http://transparts.com.au/wp-admin/zar69ggal5qo8q2bycx4_358at7nc-6580311888206/
http://travelhealthconsultancy.co.uk/images/Document/IYcohDlOsshJTGlFbLOVHIMs/
http://travel-lounge24.de/TRAVELLOUNGE24/LLC/nx4o19c75zt_4rmaxin76-37714499/
http://traxl.de/cgi-bin/LLC/hNOnvdyytd/
http://triado.ru/parts_service/ABcNmDlWhvwLMEksVDmScUmYSqEWV/
http://triptur.com.br/jjrtf/qJxlZIXtIqkrffnURy/
http://triround.com/ACCOUNT/esp/lvzvhbafuqhde_8yv0tj19-358469872383019/
http://troiano.de/cablewizz/Document/DABIElfoICuhmqEjtWVj/
http://troske.de/Document/hhm05zky_cbw41-435550350/
http://tschannerl.de/_we_info5/parts_service/gomcnsdFn/
http://tsukasa.com.br/wp-admin/ho0zr4a30c6r18nbbzb224_g9dupkacu-40594964493/
http://tubbzmix.com/a/parts_service/MtYLufETQbqxe/
http://twitcom.de/cgi-bin/VesqvjsNJMAcdxXJTO/
http://tyralla.net/auto/Pages/0kekjlshyzvbp91hgpmy487b4_n3uxjup-69616585865/
http://tys-yokohama.co.jp/FCKeditor/INC/QDHuFkBRL/
http://ueno-office.net/3guP/Scan/a5356z03tgd7g2306tllo_myr6sg9g4u-756010564/
http://uhlandstrasse.de/designs/DOC/16d8wyuadburgjnibk61rqyx6sf5p_mybor9qqoy-330487695/
http://uhren-ammon.de/cgi-bin/Scan/0397591nw5_ksfyei07q6-97007324237/
http://ukdn.com/TempHold/oCnADqXVbFDuTwM/
http://ulishome.de/LLC/2qqowz9tura_lv6d7-7750932419/
http://umramx.bilkent.edu.tr/images/m5xu-xm0tkj8-thurd/
http://universalservices.pk/cgi-bin/sites/yrft3tipgo6kd1w_6lw3k-530049724415424/
http://v7gfx.de/20141024ebay/QaVDzYwTWVHOuS/
http://vafotografia.com.br/Telekom/lm/q8ewfow2cfmtq1m44_osj32pg15y-174346886771/
http://vaisofasangphuc.vn/wp-content/FILE/bbUNukWQYZUmLeAevkxzzLobINhTK/
http://vaka.net/blog/RCbnQysPiqq/
http://varniinfotech.net/vender/958nck-c9a6xq-apga/
http://vdhammen.com/cgi-bin/paclm/01lb1z2q2_imx3c-370788005621382/
http://vdhwatersystemen.nl/cgi-bin/paclm/hy338u4ot44qwsuciy0f44xy87ah_12z7z9-087033653/
http://vectoraudio.es/cgi-bin/FILE/w9j5998u5e2ky818j8nwn4_0jdz30-6358217015199/
http://velameweb.com.br/feng/FILE/6i1crtonvz_ek12eb6552-71277234/
http://vermessung-lechner.de/_private/FILE/a952g1fxzaf1iteh4tdufvlk_jqhad-1003838872/
http://vertientesdelmaule.cl/wp/ml9k-45hsvo-nvjx/
http://vets4vetscoop.com/wp-content/DANE/msk6w5kr6l8_lneqqqcsu-183806797955014/
http://victorianlove.com/postcards/LLC/qGOJFVtZPJfgBTFnxbNcsLyIyUiNm/
http://villhauer.com/_derived/paclm/ob023uqo2zph6v_e8txqn-3442414077312/
http://viola-zeig.de/bWNdCUmrdfrrxOwScxFbb/
http://visoport.com/hksquash/sites/bSSZACUbZSidwxzUG/
http://vlinco.net/poo-l/catkceKASBcotowCMAs/
http://volvocoupebertoneregister.nl/admin/INC/GokPtaqVlbWfbzjiKY/
http://vucic.info/Document/vtwRNgavz/
http://w3brasil.com/sistema/DOC/NFliUUhjfGgwTETPcBXJzeUcfzQdFy/
http://w3tk.de/cgi-bin/pnziKsxvKdKByuwybZgOeaaSYkU/
http://wachtscherm.be/wp-admin/parts_service/huem58o1ig8s58vw70yh6bryhlcp54_jtrqr8h-725791126480738/
http://wackelpinne.de/_borders/gafueavglki7mdv7knce9v3mnv_iljgwodxil-68356441831/
http://walkinaluuki.pl/beta/lm/e6znhq7eq0g1nt9f14gb765h_1898qpfmur-23901545806/
http://warmer.de/cgi-bin/esp/GICvFhDeUZusUbj/
http://wasseralfingen.com/cgi-bin/FILE/215gz2m2ytxm9o_dn0c5owwjz-251846549/
http://webap.synology.me/bicyclettedepaul/wp-content/uploads/mxqhm-fx0ly8-aoqpv/
http://websapp.jic-shop.com/wp-content/uploads/8iat6sf4x5vd2xi1g_x6lek6-796715108/
http://wegner-lehner.de/images/Document/fbqqlm51g9ig3pr3ggwbowe_mvggijzmi9-209844723/
http://werbe-lange.de/cgi-bin/zb94k538skc_oe5w8798-12640324/
http://werki1.de/xixNykjQY/FILE/q260xh3609qof_ki853t-83225121/
http://wetechnews.com/wp-content/DOC/wlpbkhcfq3t7v8_vcuyxp4-84888206791/
http://whiteraven.org.ua/wp-content/uploads/gz4zye-hfoui-hotk/
http://wiedenfeld.eu/Bilder/LLC/8l20v24n1edo3ze0tkpcagf6tmp_umoxgs00i-4709829738/
http://willemvanleeuwen.nl/autos/paclm/gbnkkdd247a_6qbsnf-15323210856883/
http://wolmedia.net/zdgfarragd2/paclm/IIYbncXznEjsmCHAxRQRPUQRaHe/
http://workhills.com/wp-includes/parts_service/vptpcy40_4d3gh26vgs-42779146603420/
http://wp.blecinf.ovh/wp-admin/w6i2t-l24gm-thwhqvp/
http://www.adacan.net/wp/FILE/KhbKFKSM/
http://www.cardippiemonte.it/wp-admin/Scan/uggbwoxftdm0teba1y340q_fkmy2-82975173614296/
http://www.eldoninstruments.com/test/Pages/t9tvf7gm_k85x8aq-152468665742971/
http://www.gigeveryday.com/blogs/Document/IZrYFEPxyiHcixJpiToRcavLaIvhK/
http://www.grandomics.com/rthzd/Pages/aqTUCMFCoYQyUKjffLyYJx/
http://www.sutceco.com.uy/wp-content/jigojof-ze2j0of-goyb/
http://wz-architekten.de/2017/Document/zclzGThoQNAsZPK/
http://xenonweb.net/animation/Scan/r3g9tnzmgkwfswg_lx779vqx-6732583283/
http://xinyuming.xyz/wp-admin/i3krt-mb8ubx-rkolp/
http://yo25.vn/wp-includes/otfvskbp6zytvva7azs99cpfi_h0pm828js9-162355524883/
http://yokozuna.ch/Document/xjrnx44dpre_9k3nieee-754410652693659/
http://yopmin.org/cgi-bin/sites/gVypIpkHmYfcNxUEmVnQj/
http://zaednoplovdiv.com/wp-content/themes/Document/nu8ugbcj_lbo4uxa4-801589900580/
http://zangemeister.de/Bilder/Scan/ezqPRrue/
http://zeroz.org/cgi-bin/ywvLHJtfcSPkOB/
http://zimmerei-woelk.de/Zimmerei/INC/tUyoPbLFBpp/
http://zmeyerz.com/homepage_files/paclm/yo5pldcq0j9icwkepvascb_iqdyr-580966208503/
http://zonexon.de/cgi-bin/INC/SexfsjrM/
http://zuix.com/leads/DqqJYCaygXER/
https://antessa.es/CopiaEurowin/lm/00i5mz9jtz9j7c_613rso0z-1523087103/
https://artworkshopsinternational.com/ewpd/1y2e-m559vsx-iqrs/
https://carbtecgh.com/wp-includes/INC/uh9dpwr0_lxdkg-9129473593/
https://danangluxury.com/wp-content/uploads/rtnc-6wbk7-uyqgy/
https://fatafatkhabar.in/wp-admin/esp/uvn4mnxxgcs9dfqhj_iymvu-8126361721242/
https://findyourvoice.ca/wp-content/uploads/Document/rclXkasLtkNCB/
https://garageprosflorida.com/wp-content/esp/nOwfeqdGdGPFytvSfBNaOmcCPCvgq/
https://genb.es/test/LLC/IfWwVwgehKVBiHryCHggYeev/
https://germandelights.com/_private/sites/sf33uikk4v_ljqnoq-96284606125/
https://globali.utena.lt/rakandaiutenas/lm/wXFwZUlbBfHHGkHBUv/
https://ichimokutraders.com.br/wp-includes/ii9ojbi7yszq_uozfocoa-323373521941402/
https://inovscope.pt/wp-includes/zbIlFyGYD/
https://instrukcja-ppoz.pl/wordpress/Scan/uZolOcYDvVxeBfUFpHBlIogckNCiE/
https://just-rights.com/cgi-bin/LLC/CFUtgmFyOoIILBoQKAgR/
https://kundalibhagyatv.net/wp-content/Pages/gMdFyOKNNJFfAAQ/
https://logtecn.es/wp-includes/FILE/2o72apy0yqnf5enyfe7n_t88h7-981601481/
https://oempreendedordigital.com/wp-includes/FILE/CIDbLJEWqmAzffz/
https://panet.com.br/stats/sites/njse5wcorh7u64gdhxo0059mi12_onhaty6x-17998620611/
https://pulsefret.com/wp-admin/esp/ZLjiSXdNOYRamtJHJBmEdk/
https://ramun.ch/bbq/esp/umZsbobvaPlRLyqqeIy/
https://rumahdiskon.net/cgi-bin/Plik/8vv1xm8e9djezzq5ocq0zevj_s0hv9nnrx-0105629677433/
https://rzesobranie.pl/!OLD/Pages/ZkaLfcNLXJxtQFVYnwJhCcfWctZJyx/
https://saltandblue.de/_archiv2010/3jx4sh533_qszc3-5398991722/
https://schneifelwetter.de/MGB_01/DOC/hMRrbmKrZQYOMhHilICiCDKJFQmEV/
https://sketchesfromheaven.nl/cgi-bin/parts_service/hcfcxevu8h2gedvvf9ark4fkoz3_1wq85bub1k-5315627553/
https://slysoft.biz/wordpress/LLC/5rlgd35790sg9o_zxv9qcua-709958061/
https://stack.academy/wp-admin/dPGfcCagZgzsSJPkXAlCx/
https://sukhumvithomes.com/sathorncondos.com/uk5cevaat66de9h4itfmf6vc_tgfuq9e-569515944/
https://symphosius.de/files/sites/DpteRHASECKSxJJLzZrsQLELaT/
https://tischlereigrund.de/cgi-bin/DOC/hjhh4vqnlgf1bp_y3a4z-779938398181/
https://tomusor.md/wp-admin/pOJHEhtEpwXy/
https://trambellir.com/wp-includes/FILE/episfvyt9cyiz92nf8j4rv0iwcbmkl_9for2f-2387753201/
https://transparts.com.au/wp-admin/zar69ggal5qo8q2bycx4_358at7nc-6580311888206/
https://trunganh369.com/wp-admin/parts_service/sgLeIxKgFOMqqAZApaTdWtd/
https://tsunagi4.sakura.ne.jp/avatars/LLC/wg49aqxhfpx_til9q8hlm-4513467709/
https://v-schomann.de/css/Document/shv9dmzdj7c5mwb7nat0887s1x1l0f_sxlrjj-56187756497156/
https://wakfu.cc/6djrp4v/esp/ceoEAmIqYYckf/
https://walkinaluuki.pl/beta/lm/e6znhq7eq0g1nt9f14gb765h_1898qpfmur-23901545806/
https://werbe-lange.de/cgi-bin/zb94k538skc_oe5w8798-12640324/
https://winfo.ro/distribution/Document/pk73hmi4abaybjj5_mx5ryy-259349664570229/
https://www.grandomics.com/rthzd/Pages/aqTUCMFCoYQyUKjffLyYJx/
https://www.kebaby.ch/wp-content/INC/fy3a9n91e3lzio68r_3bwvasfq-748601967591176/
https://xn--mgbaam5axqmf2i.com/wp-includes/Pages/upfrwigv_rsle5r-3024049911068/
Epoch 1 Payloads by Document SHA256 - All Times UTC
Creation Time 2019:05:30 16:07:00 (Attachment Only - DOC Based - ENG - 365 Blue Background)
SHA256:
182158ed5bf42eb1eda53bc800010b8e89c7eb78e140cc772c503bfbad8e37c9
33fa1d96f5df231059589144ce483d78b8ba209d4bfedfc189e3b229ab46e6ea
374cd08222fb510e72bfa109604a4a2962b7ae7eb88db584416bcf02c3a5a134
df383d21b5aad7b77977b8fabb5904c1b6b7559c3434c07e6bf35b797176a755
46b976f02d22e64b3b846e39da7be36f112f12c426b7c1be16707efd52513311
cced19879b6ea6fc76c58fa6092208f5fd2cbe3bb6072d717257f08549f132b3
http://barghealborz.com/wp-content/0yfq54824/
http://7starthailand.com/wp-includes/a1y5/
http://greenhackersonline.com/tikirnationalpark/697671/
https://rcarenovations.com/wp-content/9viw5037/
http://thememate.net/wp-content/g3611/
Creation Time 2019:05:30 14:41:00 (Attachment Only - DOC Based - ENG - 365 Blue Background)
SHA256:
0b1964fe9c71ce1b003640684d364a01a7736f678627e665d31da3efe4cb005d
4d68ad9e17a25c045ac732d738c0e2a80c477ce8c5d1d3965b9327e9916effed
99252abf437a5dfe2d769acc74af43cc68b0c3958fe7f5f9bf7bfad953bc29bf
f9ac3ae5163be2448a6cb5156658d41e373a650e3ffb8dd2edc094b641f184d9
http://sarmayesh.com/wp-content/q7pxn30473/
http://braintrainersuk.com/wp-admin/o3jh1036/
http://schmidtonline.biz/cgi-bin/v4d4gn9991/
http://schnellbacher.net/_vti_cnf/dp1peq43/
http://show-n-work.com/cgi-data/ys9z78/
Creation Time 2019:05:30 08:01:00 (Attachment Only - DOC Based - ENG - 365 Blue Box)
SHA256:
1fe902437cfca3852272dc9b759fcdb68d3d78d55a9698e4e2c22b8521df5c24
580605f08328aa011fae3d9d4fd1f1754f22f99b5739c4d2c93ba3e475656783
1b248ca550512e0d07657edb2f9ff0bda2b57be2b738b50473558c5c5016b11f
2429db793fdf1f6a0a39f454904e6b8204881ee3f966a81d582beec48dfc77df
a40acddccfb78844f5e852a7e6975ba3037a5870320cdcb837c7f64395224d4d
c4e7b042494326aaf5280b092dcb37f78f7c0774ae33b3f4ec74f97450e1b23d
af25ca295b2e8e5d25158e97414ea1ae013d476c00275533b66982eb5730adb9
225ed92feffd1bc887e5674df15691e941407bca6ff7853835f7a86c79060da0
05d89d7c3a7b7b9220e692b3eb55187cb68eea00947d58160241232b8dfe01c1
ae41630ece7aee4acacd325073e0d0b08c38cb5792afefb34f81bda97bfdde0f
45bab6f2c87bfa10966f81ede18207c68d66ed7d50ec7ee27693e4d3a34d9de9
f15691e83b372e4ee689a8d20186fe719fb43c3d2cb57b5cec317f3b7f48e7d9
http://rwbarnes.com/images/jq4/
http://innovacionenimpuestos.com/tmp/4d864/
http://sirinadas.com/wp-includes/js/tinymce/plugins/link/m8/
http://buildinitaly.com/domina/ucra25499/
http://ardosia.no-ip.biz/teste3/yhlnd594602/
SHA256s for Epoch 1 Payload EXEs seen on 05/30/19
dd46aeabb007a6b219f26e8b609a4ea2f17001e44708a4d4f0080e9674bb0d41
21dfdab17f4a02da47a31dc13ea9cceca894f346e5e44efb1b5e38d366373e2b
a29ba038dd360571e405bd1e787733c09cd1b19dd8ebaf5647ddcb4d4848c2d8
5d46ea468aca29882c2c5c7385dc39819dc4faef0d69e6d7f9cdcb2680f73094
d782e39fbc83411291dd73eb497fce03e975513a7ed964dd1e2b9c7d95226eb0
2656c7d60d677577bdea7e26c21187143fbd239b4126f539996be00ea900e045
bdf6cd6ec56afcc224da9476515eac82ccc524dbbb0e027af75998a2242d47f6
8ffacddb01072d0d1a50a0660629bada44843d18424e34c7a1930462bcd986ac
b4fc6b6baa6405aa6bcf107d6c9ab34caf4d7a78046b71183ab8609836131a69
ebdde13e0516271b9cdf5298fc079503e81e1637bbe58d3cd7d8e47c3902a0ef
289261b030db71fa35902296e2bdce03db019e77573a0f30711af38b7b50158e
93502a5fca62574d48fa9d640d3eb137d217df916394210587b1deaf0faa1edc
8151fe3ec3959bcb09706c6fdffbc65f98fa08233cbc82a36dff43ec0a928073
224c92ce7c1de8a1fadb0364510cb3e04bc6520f994938a7365ce6174ea98b5b
c237d202c0edb888ad8edb101167fc75d74397ce05d4e4d3ca812614c9380429
d9b7dadda039c07844f87a492bd872e30b003946a6018425f513ceba08cfdffc
c51205011b3874fdb96fe0b1121082c02522e36e3ea8e4f699cbf4c5d85016de
32e7ec99c86d941dcd381d4d51b561119099cdf286270b8c1834a826e0243cc4
2ff255b9149373244beb0f341817ee4f400fa29ef0399b7d2a02491190063f56
92a10b6702ef6f5ef38ea8e92e88614df25e93bdb707e12dabf378d6925418ec
5f77ee10bfa377a4bafbee240b767350383c11713cc3a17a232e71f9af0d9cb5
6fbbdcc9114eea0c4bb4322daeee3e47171343f7b3974dd4595e460d339f96c8
9ef2b5a5117033cd2af51816ef8f4f71ab18a13ff87553da8b4e18e6391470ad
d69c874535aef1ffb0caf29a8492d06e2e08fcd3152a864d911b7bbcba8a9923
47e8b2177fa8877f70ae80e38e9327de5813e02718b422a52705dfbea7f151b6
2f8ef40a0b6b6b2a928ac44b459f3802bad6b002526c26ddf3f7389a5d0c9dd4
7be0e9c07bcd72defb5ef68ff68f9874cfb56173e4163a306f5ff31de85cd3d4
92104692be7fb3c082f92f4def8d14e20eb25b87f4feb66ea707f6cfcca50613
f8bcd4ee14d53376c5365c05df8df2aecb282b49bf5fe573945b127419368d21
f57abb64deacd21d35879645282cfd1269c23e18df437216dbfa194df9ef60f0
f8e016babde4af588be69c253eca0b9c77373f893eccdcf71db30ad4f5721f56
8e583d9d784d37bec8890b1c56c884e9fc70c0aa0ef6a785c733edafb89d6125
85c8bb223fd606c992b9f8f9f80b90022370d4b78885d3999c981de8e02d4826
56cb8cb05675d93bba4b607aab0f2d7024e4aea40178cfb07e99a6c4e5e204b0
e51e429758a79a63d81d4256d20e0b5f4fb82a45d36badd5a6860e2336690b4d
4e732e679b13cce16890ca812d582b551326d5429891f980d38f5b87e22a6712
25fd8da143e8ca1f8da88350b7d600cc73e9a0a91388a7e0ce9d5e62711ff16d
6c44fc066a5bb7ecb21e95df9883b9cdd91a0c66e6ecfca29bae4f4e88a5d18d
c61f6dbc8933952e5a9b0293044711b371863a00a1d5bd7c89667f63a421faad
f8e3e8788f0da3076df77ffcce09e4055f05fdb6d5ecdf8767b616b08b489cb8
6aa2b04b7f35b569ae3be693e873dccb0a07294ff1f0013f1883f9337480863c
3004ef76cd23f438692846e9a14a5dd02a3d1142cc5fb38d8ededbb42751bf55
feb14b89ab853dbed9ea762269908f6359bfca863c7fc2011969a9caeb753314
773c99c06085fa54a08559d354c5f83f117b7192b567c64a63b4006e033033f4
925ed9de954e0d254b5710ceea84197ea873f1988f3b547eb2eb9f6acd5ba7e4
6733278f2ec5f493363dd6b4a3db4826af3bc5d602968c902daf735ffb2159d4
13b962dd7d206341bc87e48c607642da681e848598f57ad83bb31fd0cef88460
efc589dad0277e75a189e2bfaf16b551522644dca4ead039b6d308f545901f16
a154e76a0d335465176bde498e39dce28ed50db294a9998d721033d8e69b3158
55948a37b3b7900df94d7e4088dbdf760dc3a5b8556443437910b5dbb65ebdbf
a6d08809f108ee4cf05fcd86d159dcce8602d2ece7e7b563f30010bfbc9028aa
4ed88e8fa76188cb66d20ccf4df9267279d6ab234a376f5b092c51450d92317b
94ae5f3633152f9468fb8aa596e4761a39fe4da2cea18ed1ad6aa35e0789c738
a01c858bd87a84311ed78aaed3c6e1e66896f46ec6cc1d502620040e81f1e879
5853b6156dbcce59547308088a3e74982f7adf38bf00f9d370d5de44183d536a
fec907d707575080dd2dae81d876b3359852eb86f8385fb82a6d35acbebd50af
e3b76292b9cc50ec575ef4372763535273fa8854f03b4bf649f511def3111562
39a9865f57ce2241fe5132acc1ae1c8fb78f2430929543f75f45c5dcde205902
de79dbe3f4bd7a5c6ebe3c007b8d4ffbbf4c19fc7ad30127e71ec0a7855f21da
0908229db381ac41a922f8260e6cbc8a6e4254f6d746879623da3cd9dcf61b9e
6856fb3c9a90a36fdf13939030294b0c3746f86a4927b8f7285ce9ae53779d09
723603e8bf62864b99c5fc7b1fb0906a6be8513b13288a7b3a1c6790f08230cb
7b2acaad74f37fb9cb885056a9a653c58f191eeff96f004cd8b1f7588cc35847
6f8967e911b0975e9a0ce7985cf6a4b3a5620ca6f6fb7343f2f5ea22454ac38f
99206f7ec68b1ab3b5dd14be0921ee2f13024938d087572dd5db0e4594aef340
b3017fd595ddbbf77285db18a650381bdea315945725272500422f96a73c1e29
d30e2a44b081d9cd84f6a014341b7d50480d6e3c4fbf88187471bd881dec2956
1c6bcb5ea3c05fbab6d0c382521e175854365409f4b802a166e3235dbac09493
e8739cbb87b2de2ff0fc396f1bff6b4bf30d9e529057bfccf75d72e0ae57ae59
2cf60eaa0a0c063e273ce01ee309a35e609a33e89ddd8fb1f5ebfd742c8e303f
9ae6cce86711c331387f31950a2d5110a577f50017561d6f2eab615f0e860d43
a32976c628063b87dbd2187b1527c6ff66875c0ba372c01155a7851d76ee01c6
5574ad8708a83cd0ed353a898963213c898453352b0467dd7c7a40a414ef1ecb
fca213ba636c6cf02df6e6b1c54b3fd71b7081666cb29ae09eedc2bc034b50cc
84814627daf5dc0e87c67a5d05ef49c7132f45e1f47ef1964409101daf266511
984dc24e37416d4a97df191782935a758b5ef857e8d87933e59dde52c5e59d54
48047389b0c8da1b03a2cbdeefbe45dcd551aecd9067bde536118ca8ac3b2edc
65e673d348a6ca83af819ad2aa97960411132ae5de10d4e9342d5457005730bd
b10e2e550425921c852a11eab4630a2d58244ee6283fb0d7e66febeb322db4bc
Epoch 2 Payloads by Document SHA256 - All Times UTC
Creation Time 2019:05:30 15:31:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
963cceba0759dd50fb2a087ce21e144c64e5973e78a397fd2bc7e30fc444db8d
7a973404b546486366191a83c0e04aaa83a732b2133883f1a9246c296318d79f
054ee9e61a0a65c326881f839be8824859306d1d97e1d3229f8fa7eb195c730b
5c001e1f06cdf81e8a58292fa6c0c4f36dde86490cb471d0824446ae9e69c0db
389d64e2c9ffd7120f74693d76f488b8c146bba535d8d4e3e848a028d2968050
2c95be84419d63b6ff470b57b108f973cba96c712d8677121b1bd708ed0e5796
3b8afd70befb29f9b95436a16fa5dca6193af7788369d026e065f70872078604
76c522fe00962684df725bf25a174199443195e9562e99fd7ba55ab86c269d1d
055b220ce94fa44c1da3e6b10c78d9869b5ab58d7bce754b35393a4f7fcee2f1
ebac7a7dbcdc2f899eeb1d350110d5b1b3dde56a8437e1701d0350078495fee4
7199fe3252da097c2d34bc1eecb2244a3dbece169e34f5674b24ad11234b6895
a46c2718370f531a3e6ec951ccb19c56159f26b77d6aa3bab0731ce2c794076b
d439861c5584fb78a3400002cf2ecfdac64fcd3164d9182e6c05892326306ebf
36845718eeaa9e0e992076372c53bc185aec96a9506eb277c809d49dc4c29878
f4a07f1a4cd30e9347ee1ad7f30e1924786dadb1d6ed788fb2fe7348a928e623
5728eee65538ea548f875a51d731267536d0f7234add1d2d4eb1c2282220b28b
bc08a74cb043cf45229230333976c8a9fca493964667c36ae0909a22cf326b17
565593db57950e6a3b0eb6843bfa8e4298fd184bfa0d0b40a4ee47703a7b8cf5
35bf417fb46a528bbb9f07dca28408a72e066c835f258474536525deb26bb17d
59c2d27bd9acdfa4f8097b8252e06faee7f0affcdafe972f7d0defbe57428fd7
2a378777103ca9f6260ddf24452a45f249bdf207026d595f1cf47c1a85de1b61
cdaa4c3c7acf0cf7de4c86a88476ff809c165c916e411794cda1f3bc5d5fd2ea
0cf70cd6e3ce218ca6e0fb3bb7a79d13b176b75c4e29a332fad0aaee559f6970
a0d3dd45a0be8ee20a71761edb88f95567392034577c0de2a7b43c3977f1a1d7
9ce35e0f984b50c21084800ab5b826228b65719e69144d21fa7dbbee249a5bd9
fcd586466cd8551af44b6b406d478871054dd9c6a4cc4af9705402bf681e7982
51ad18fbc51d86ceadbef7f20bb8b03656e7c8444b4c2aeea6e679cc958663f4
1ca5562b20333989c32c7d29a9f7f6840fd5b77450c6c389ffafc37928b36749
230c0ba0db8fab4da33517e2b6a245c359cf04fa1ac17f877bcb5aa30ca1b0a5
560993ce10409054050a04e6c7e65ccf26d94d35a965cd90134dc1f6ccc7cf7c
0e041fdeedf7895719cfe791b8106e034d092f48aea99bb568d515c97a23850d
https://everythingtobetrendy.com/wp-content/mqbFvBGlJW/
http://sankaraca.com/wp-admin/aVBdZeOGj/
http://www.palazzobentivoglio.org/softaculous/ZLXVNXrCC/
http://aiostory.com/wp-admin/gxNAbyQwxr/
https://antivirusassists.com/wp-admin/nKsXsNLff/
Creation Time 2019:05:30 14:48:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
8843537f419f9b00cb9191967bd050643bdb7a49e3b2d841e8d1a35301d3b9c0
bb59e3b90c0617960558a00b59ac61b0ba7a48ac5d43abe975b274aaeed7a7e9
cab1d98b0de123c454a48060e7c3b8e33cda47b1dc2612f37a96bb5c066297a4
70b6d041f2b2be97e5fb0986bcfe40882c2f567e20b2c5d8dc9328f718293ce2
930adcc7722705e240f672e039cd29ff4886bf461b4f033d3e83967e4f6cb658
a5b07612b7ea7b5126fd0d31076e32cc354bcc079366eab35e6448239cf7ff48
bb61863bd66f88a111ac256375cdba080208ed936ee9454d775b9f843ac8809a
ff60d17aee6a178f5d9506325bbece194f115bd4e8e16eabab54796247372617
3cd36febe277b465545eadc1aa012406b6db96fbb18b1023aa0d06c2ac1234c0
b50550e84ef8ebde8eea9aad8da1bb0e34b90ae1bee1d349dda2be0810ceb306
e19478bda3dceff56de5b3cc2b600eb730144e6cd92b53ba110c0c08d2639dc7
8f3bce40479c866d1bca464b6d7f1be39087b21eebd361cf6c3f5e6d8cdb7ca5
2b705178a0a15e634c582853d6b8794f72f80f76cbcaa1105b6ea3d25febba3c
2ab57c8ba13ca09ee9f993e2b6cc69896501b03919c4cb072b02b04510a9eb09
eb19a28538c5e2f9a8219231b3a584d130277e331bd3314361c533f0275a607c
1044e703651e0c91e296dc549e19c1a22afdd37cd2bb781a4fd86bb1982f1542
f04df50720f0478869b245979c39281cbf17d6cb2c08c33221d3934b1e1f1fd3
9e0813a45e8e949ce8b813e8559018d0b4236780d78faa9996362d0097327983
b9e35d6e1433bba60c8993745dfef89727257bcf7b947ed33f6f47adb688329a
b1865e518e33e4bba2e3cddb2d3d00ffda8030a1bdb48b3c7fd59ab7a31a457a
a8b5c34dafe9f46eef2f8b8eb7f71a0ca9d7d840363b029a140acd346bf34049
380bc34ae6bcee0b78b3c7a7fa35b93f56a83669c38c3acff66b18956ca40be3
f3bce57d0205206b90f8414da1088765c1ed5d264f6414d3586aced40eed5435
434d893c9731a52ba44e561b592feef9b07baa5b6d8e7f571e55260bf41cddef
http://sandovalgraphics.com/ixrtvi8z_ecbo41o-02805/
http://sap-city-dental.org/cgi-bin/uc89fdk72_rxx13zqaln-698/
http://san5.net/jjj/uTaqZGhMI/
http://scherbel.biz/cgi-bin/1hpl6b4m_h1nsi-783/
http://srconsultingsrv.com/wp-admin/h52vlk_9wonkccl-0/
Creation Time 2019:05:30 07:59:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
72607c261f87955ff646339ff7063bebdc17450a24ef35233ef9c31d349c2853
a7b57cf391a3e324b1ee2f6182993b34a6ebaadf143fed3b0aae5ed08384f056
d4fb2bc73c3c422c6b8fbe929655fe87c05bc2057a50e85cf0ae655d4dcc6781
8243d585376feab2066db0a0adb3a4fc1522d21be3b51c99683ea2d8d910c1d6
d665c849300753e6f42e6f64cf3ea0fd2a852131cffca689cecff09c4335745b
3c025c390247e346be266a3ea9da2daab29277bfc86888d34383b497a63bb295
743bb6f03307fbcb5878e462019a6d417299c7b313ba0c201256038bd11d53dc
d35fbb9f4cf9bcf2a4c1dd135b9279117b92eacd5178d32b8c12ac8d509b9f4e
664eae63e22907b30eb0940abc62a02d9565d83cc95f4f5da49efb4b4d220da8
d00ae555bd4cfcdf6dd29b9bd6e2175e6d010c12f5fbf70044aad4164d0e1f51
19b57a0733c66849a89e61ba18c031e2e3529bee49dbbfeb64cf614ade70aefa
834744cf97f29821eb41536ce05002ec897bca897939c2c79d8c8d23a61ff0ad
256dcd1336c46c0529f3c9d2b394e393dd4ef22ed5c3e111e155029a8ac63ecb
095321fd609dc0f9056d25732d082b0e32b6211663dfffe7fa854b3135f6cd62
c336938c86400beb6e253b28479451087044326a7565e7731facf96c12a6454c
e9f94b310253d5dd1e7db1bab6bc2b612d91967b04b10a73dca0613905bb690d
6356ac1b2179f02132e2387d2f3881969bdac03169f7bc08001536dda0a40324
88a00e7a6670ebf5bd9310592df76c65d92855c699ae27ac45c45a21452f70c8
53f893c415a2e89bd58615df1333a4a2dd8769661d5558c755031ed3bf8d0111
2762c4a52265dcf87638fd64ea75c485a4b6067796d8211c51bfc6c8bbd108b3
a6de48d770963d4712ba096c29dd64e887e16771109fa75f1fb4c9feb2f66dc5
101bda0f1be52e9f359fde71e23c1da7583d5804ee416dfa6a8f4bfbd697685a
1ee4089919dd39a7c69044dd61d5ff6f47d9773439e3f90403b66dc4a15e6159
854ba1c0e95b0dfd1b4081546eddda661535f580c04d2e858ed98509d590d195
476e2c9864524e7613926fd0411439c0e18162065c4448d14b254491525d7f44
3f029af254121deedc506e6cc2eadc6310318ab93f61e2d6c60be4a806c9bed1
15e37c90e930854299b28ea12a07b580017d8519935e996192d9af4b02dd301c
19ef98af8e6cc63824762314ea555d42dee03d6b9bd456f6bed56b60aee54ce9
6367f62c85fe031b35130cf7bbb0eefe5af8961b43c514eaa126b99e2df15018
05aad39628f200ae651d034b8c609c0f1059aaf24d91203eac3059c72d5c7a3b
47dfa5395e822c1d55bca02f2e68b5052a3919e974a253b4c95064fa77615818
eb510b7a134ef0d6a16ee736c1bf70d75d5a2450cd04df32f44319fe97200f22
a90906f3a7ea612e838e8b04ff03f96f5598bc5ca244becf78babf006d1d3ff9
0af2ecaab930bdcb2daff398115a17750c96b5d34cb69df0b9884d5363043ebf
http://stalf-photography.com/Academie_files/le1t_lzva0bs-93549621/
http://steuerungen.com/SpryAssets/lnzkDXKkYI/
http://stempfhuber.com/cgi-bin/hspgafe_zigwi25ew-816/
https://stoklossa.net/STRATO/EhExYBeyhg/
http://store503.com/admin/40uu9gih9_h5wjpc0-29/
Creation Time 2019:05:29 21:25:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
7953d886e1cbfff3c3a9a0870cdc37c5a89a134f1a99d8ab85784bd18bcc1661
7b950c8f968d5ffa14c220f583a59accccde06ff63dd8661c5a9411ee2beb461
7bf0b113f21a4154031590a00a7cb3b50b7c6e576d7a9fdeea0bb90ee433ebc7
517ead09a95c0042ae364b668bd8568b6dc06edb01b4e52e38e88fd0d4e83394
5feece5d3051fba5b10f42359169f8749e2f2e4dac366dc83a5c4570563d2341
a18284e7c9c7d17e3c2929239688a2b0b098b799668bafadab93dc111176c32a
28fac89ded02d3757e8a4779f33ba65814a4f03041a3b36cea832cd1ffc87fa1
29de9d50aa76455f1f7e7f4ff35ed5b53170231dc965f77d1c8938b4db8b5f4b
7695db6143f7ea25c5a12f76312422e2ea5dcaa36bf042cda3ad5e0393818d49
2f25c5be5af1be82b42024af67c20e91436bbc6e31bbff494d9d006d009d1907
c8403660ed7962725ec5bb62359cc8858cfbf7db8968bba9d0058dc6eee2f09d
a85d82dcf47efed91c6bfc0421ee7d486d014806a0e4162e39d6afd8a4603cd2
a80ef402bca0511250912bd1b8b67e1d234cfc80a28abfe20546fa017ff7b5df
4ab5b2506c70a39c85681c50ea33c9f17348248511e4257291c232fbd3c81340
a816f5e46452211d600a8a7ae80ad857463dfbf4c766e11d8aa6824035d55e61
5066daecdb3377128f7f33e8e852b38a44fe0241bd49bcb631bf8e933b911a14
12cb46854b352dbdd8bc31e83029b3cc8740d4df24bc316487f4f29091fb3f8c
19e7d25532ecbedb271be911eec224979a835324361fdde38882d397b9f63af3
18be1c6fb6f623d1a49e25507e128aca2ebc48b519e25b8212c42a61161a7bc1
ab96d4510e1b4f9f0476dedc402789df2b2a5c210af7086be7dbb3f34de02e82
17dd9f7ce5b7792be07fd8b97852db290c795ab38041270283ab69bfa5d60ffd
4f2201f478b77129db5d5b9c61e696a803a0e5eece86493aabd874312debd02d
f5b34b067c6114672981014429bd672bbe054c9a8f0b60d0bd6ed704e20de146
6414f182aa4e5b4ed76c1f2f566844878f4ac3d69726b50466f1faf4d09cbaf1
2a5d18fef83ba0fdfc47c30df709048e05e7929941a9e4c5c5aa45704dfe6786
08d5dd5ce04d9e58dd2a9b76b2cd517eb69effbf8eeedfebb6de232e8e35c325
076e6a2e725a459e96ac4b7eed109a308e89b21fab77cecd5bca6fa349d11d7d
e13c375dbe99928a40410e84a2073dad53ac491a46ab4f88615bb4c4b167ac57
5fe1eb7fe88f2ce4ecf33fdf54f48948e8cc7c3da0a4885ff01e5fe2d49b1933
29c21dbce1ee3800b90c97b47334fad2611b955ff248f22992d3325e034adcdf
78ffb5702941749252535561faa714f0bc6dd5f2aff61f4b89ebf258030aad3a
0e56b2fdf81e7458a521fb26b9a47a6fa2976d0c971cdf823d5bb5293d19c4cd
1f0986f2f2e00cfa265423b16d7ff49937872ed05577bc780090bfab176bb2a8
b9585ba915ed66d37abb401a6234e06d289915340d82e3a06475fd437cb60aa3
270247932403dda07555587a9752d529eccdb515e02bca52e9c101a95d4aaa5c
51be664404231f987f8feb092f193b4b5b1a5b1a58e84b9089d17939d64650aa
90769c702b9dcc0c672e6b08382cedb354baf72bc920ef777040f98b5c5f7049
4b36f4d3a062dfbfbdf93d71728e9d01d970e7f08d2d7be8da2ac05bbb262f75
8b8f19ce08b66474609400c28210511c4c87efe0685a26966b802e86f5c44b50
http://sasashun.com/MT-4.25-ja/sjqKyopohr/
http://theothercentury.com/SEgeVCUgap/
https://tecnocrimp.com/administrator/KkGEhGES/
http://tittgen.eu/iXOWCOaq/
http://tncnet.com/images/yh050r_w6ser-9083/
SHA256s for Epoch 2 Payload EXEs seen on 05/30/19
5a29f6b60c2c18ffc91acbe62d68d6dd4de188348d1c4373915481f46d738736
525e72da48f2db8eee60a2cda794ff96c152c1e177ed6fa11ba48d76cfbb57a4
9aeeaac03a0b49f94046847a2bf26ddbe10d1cb9cbc1cd3bbed8d106375d08f2
347602db557204bb63ccb8f0119ddcb0274517fdbc32baada5321eab3e5394b4
6051270500093c2ab1c557f10f937557007418a54122f59752527dadc64dd0ef
175e7413fc41e38d6d89c44bb9579c40fa232e34077372b2e7210b55f3b5e693
837d4d8f3f8fe6d7e2562ed0e453397aaaa8a59c3c4ea830e6264a7c01d0c1fb
5cde05d5a2d2ad486ad3cb6ff037cd3cce010d94457a1f62d12defd23f48f250
50092a141f4d560ce350390de28b7752cdbbbf0b5d0757efec18f8913e680a09
31f3340b9cb9d2f1a829c905da3f5adb78c83f2a082e4e7f6430f9cb9039e689
f3af2dbb956568b03dfc2e54324b6a5c0afa5d09d541ce3b42aae6600a88fa85
ffefd2bb524d00e8ae376e141cf8a3a2e4eb18155bc3481fbe75204551515867
14a02057161b028ad3da97ca854bf9d108c5cf92e4efdcb2ad8c7afdc982cf47
62980161f1c7167cd715652104eadf33e8f3ddfaaf4be3a6d8dadc7e0ccd49ef
5a8758f08a1d08f6c819d883c87e46f3e3310a39eefc2cd12671307658f09c95
c74c0b7952cdc83e9bbff05d47706e843f82e3ad8f5255ad9d34c4836acb3379
e6651decb06d18b300c9b3f00e6118210fde118b089d5db1ae46db2344319345
918f7497fff8ead22e8de20ed06728ccc8637a17b9ad56c77e0b01b826ee267d
2928ce934df8369f06899ac9d1d94f5fc35cc66708825748922078162321b321
5b4cbb90550a008b68ffb95356fdf623fad453eb60776616cb648da21fcf154b
09ca19cec4e01261a1a01189805f9997c6f5f0ae637dee54fb5c66f472ad2433
4764ec39155c325c1042604fc7b97630c62c1352b5150d610bf2e2e6237c31c4
cfb6f176281e9e72abe5fbe4b8b09aa3f2219dd97d9e817b59361e8478a77ca5
00b0fbeeccfe2486a177efed96e79480cb7704cfa55bbaf73712c4438634bc75
565b3525c4a01fd1277dc4e0139cae1033c7fd2ec65e24b87197dd33450afb19
e49fe1fdae8452dd5fa43e5d5322e50912301557b8c256cabeca963155d28672
7898789fb638224b50460ed58607bed96b0103894fa520b8ec781fd07a7ae225
4f538976bd77fc86a0d8e325e3277bd758a8bded7c7d32ffc3489cc80b527864
13e3c76d38458d365bf51dd93f6ecb43f02268abe352cfdd695cb787e8c7a0a4
d176f3d714947649f95781d10266540d827eff89ab8089ab41571a8f7cc40e98
d0f4121c779025f13a267c8463246bd0504f9461cbc6617d32dc3f305110642b
6253026f6c93394dd6f17ade75c98f71492c93c20aef29928877879e74f3c74e
e2a925e4d7f56eaf6803456847049924903495b13af99231494f4d5ce53d7341
9d07148579a9ca4a5def50a145810e3302efe7230c986ed831bcd6d17dc999a6
2dd55329dc37114a3f60356d1bfa826807d94e6c8f05cb590a6618e7c7629b52
2954417ff120e2338545fd4257921761a222832e9a50bb14f012da546f4748a9
b574e372df7146902ad2e2f479bc708b2ff0de17a082964b58862567abd3baf6
cc85d7acf766d91dd0c84c35a454b2799cf8e65933fae4564c7cc8a6f43f79ba
822d6386b63ad96f54da43379ff605b0533b56371dc63d9ee733f03235c1076e
7cddc630aa79bff608bc97a2e6c1751954c5c9126b88b5b9c63a670d8bd68db3
3e62b4591a3cd19f078cf8171c520a84667202c516584c37df169cd58898ba4a
9a2c0fdc8d75ab408403a35ed932d935bf810bf4ac2f121ba810858ad2007582
6b38896177862321b1d36a769ec4bd89ce17a8cf48e00883eb541473fd4c098a
aa9cedc16ac1c23231d438c749e1e4d10a64a18d44e164bee54ccc739cbb7018
bf2f30b7f303f2c8ccc9dfa011dadd21fecba49bda7a8b82cf9d65bfe576b0e5
36952bbd8a0c2e0bba1587fd4db81fe0504c31980d848214f7172669b5eab63b
2e731aac8121cac328c06647a906995cce2eddcc98cc7049d1d8fa2fa4a51798
0c1b1a60c57effac5806d2877c46fa38977448a9ec6bfc41b51432bd94377cdd
10beeb48efee9ac51e02643c5726ca1f4145f871fa004ba76ca9014f59183243
b7db3fde6ea5a61a956475e1b9cb76e1219afbe92f56b54675ed2620cb8bda47
b65379f11aa7875da82797a5133cefb62b8eddaa8cc774bbbc4afaded1ff3ff6
188c40838ee0e7b79bef9edb598e34e5191cbd3b8ec3e4da347a5ca1d9d84dcd
ef5ac35a5247a3fba1921cfaf01e905071acfe45650c317c1df2a8d8034133ce
f570278accad76b80deaa6ccae148c025301e90671496c4e2eb110d181c28d59
e724abc62c654a0115800185ab2354446d4f696777def7f062d98c971d9a4e75
885d55401b83c19f50c9d807d90c8fbfbe3028021311d055c9c2b47b025e987b
6dc9b3a5d8cfeabbfc77f22815c64a0fc5b2b05ffc9f0fb5add4a5e9bd1a817f
66edbd54b9283da3b83e8fd81f0a9722f3447b308c53eb817707bfe75921d014
09e0c6a95e739e9a9e27fdf6f97213384ba934856c6f3591c640af458cd9b3ff
157aaa427e67c5d76503fadc5984148d2f89944e93b6504b830dc521be0285a2
e6e37d913d066a4746167c6a9bf29b039c766040ad21c706c642442958e8fd98
9563f71380f0fa02034d0554151872fe6a637ad0036a764b781cbee0e1c250d0
14e461da3c8ff9fc1738f06e171085eafea81157383a4e499c96a8bc703cd8fd
d939c4f36c1c00c276009eb97338b0e33fa816e4a3b8c5516adc8ecaebc29603
5bfa8d05ded496fd468cc040a7a56a4bac648c50c9573b0b383b7f3b0cb4a161
ee4d3c418d065b701851fa607a325308e113f99d8fab479a6b93f4f929f75a47
99eaefb4b7d3f94e29e79b766dd304b12a94f49006bb50031504cbd6b02caeaf
3e9fb6bfcc6e23b9afd444159e881eeae597fec756c6c2c36728abbb998e8676
6ba5574251cb74c31e36a62ef59e5f2306ada327be92b83dab9314465047a20d
57f0449b822e3de6a4653fe43571f7e547116e337e52acfd3aaee3b38a55c74e
d37ea0c1ecdf9820d22b27a92e1161b65eda0f9b3eaf90c37bb600b2d206b598
5ca84db45ea859822aaaffeeadf74bb21266429998ee26e239abb1a0a88e855d
ef3b8194d9f0872f20d80f2a19983539be6a83f3b504a4e9185f1b784f385b16
e2975b4d4c38a8941e49613db2aa7ad73daab6e5d467db71b158e80d37af6421
d473b8b42a8e0c06f1cc4c76df9ea3153157d6456419d9d07f40beec70273f05
d0de6fa065bca9517222e815dcf73ac54b23f1df219c0ffafc5c2d6b9d826e6f
55c736b5722253d0f7fb5f587817a6bd0bbf4b3ad126009c987a8f00ba434602
069283084a7cc8bebfddc5c2b1a5f22332141e3795493ed78d9edc21d40f203a
9564796f42342e0a231269486e1faeb1995973abeb3769c926bc4c73d686da96
d83af2f9f4b8886bfcd17c91c4a5d27a1d76eeff56cbc9a5fe09c93d6f1803be
1f9d60c032b5123547cd68db0712acaa7fcddfdb8437e559a32f26421ddc5a87
ec71ec863017b5e86885147c60cddcda5e7ed412c51921bbbedf0c4c021173c8
8f831df11feeadcf237b038c432d4fe706cf9afcb940c4e88c165a9d1930e9fa
3a1ce084369d7a1b98c0a783f2f975759cf036af6a5ca0c3a22b648075bad5cc
9de557dd1c218d51809b5103e65b5b93e9e594a6c3cad1da38a3cdb87e163062
d3acbe41dded6fa07c01ed7540812ecab10273674d82e222d74f15517f1a5e7a
5b2d5986c950662faa5f3e2caa6d9e1cb5649aeba1fcecd360f7628d32a7d808
493e89eb46424486988758fb4061873af2bdae7e1387a73de5bd4460618261cd
75bfdbd776b390d0cbf804f7c63f0979047e9eefdb48efed9bb9b2582c729bd6
29c26e9b31f215277f4d0a7115be3ebbba85b89c4385850559f114bd8baa63e4
23af4fccf4ecf994e93c39b21a85b9562179764d733cea3093f1c91ae28c1574
17403ed8b3cb0b6b34a2aaa757a19a990f6b7adac2c8b4544fd6f368338d9c69
3f75323735d99c2d15794a84e07e0e08cc35f08f1e37c50fa97b1b29ca784338
Epoch 1 C2s
103.201.150.209:80
104.236.151.95:7080
104.236.217.164:8080
105.224.171.102:80
109.104.79.48:8080
109.73.52.242:8080
110.93.196.197:80
111.67.12.221:8080
128.199.78.227:8080
134.196.209.126:443
138.68.106.4:7080
149.62.173.247:8080
152.168.228.112:443
154.120.228.126:143
159.203.204.126:8080
159.65.241.220:8080
162.217.250.243:7080
170.247.122.37:8080
176.31.200.136:8080
178.79.163.131:8080
179.40.105.76:80
181.134.105.191:80
181.141.87.122:80
181.15.177.100:443
181.15.180.140:80
181.15.243.22:80
181.16.127.226:443
181.171.118.19:80
181.198.67.178:20
181.228.60.191:80
181.28.144.64:80
181.29.101.13:80
181.36.42.205:443
181.39.134.122:80
181.48.174.242:80
185.129.93.140:80
185.86.148.222:8080
185.94.252.27:443
186.138.56.183:443
186.23.146.42:80
186.23.18.211:443
186.71.75.2:80
186.86.177.193:80
187.178.9.19:20
187.188.166.192:80
187.242.204.142:80
189.196.140.187:80
190.1.37.125:443
190.113.233.4:7080
190.117.206.153:443
190.13.211.174:21
190.143.151.86:465
190.147.12.71:443
190.186.221.50:80
190.193.131.141:443
190.230.60.129:80
190.246.166.217:80
190.97.10.198:80
191.97.116.232:443
196.6.112.70:443
199.250.133.87:80
200.107.105.16:465
200.28.131.215:443
200.32.61.210:8080
200.57.102.71:8443
200.58.171.51:80
200.72.149.90:443
200.80.198.34:80
201.212.24.6:443
201.213.122.86:80
201.219.183.243:443
201.251.229.37:80
203.25.159.3:8080
205.186.154.130:80
213.120.104.180:50000
216.98.148.136:4143
217.113.27.158:443
217.199.175.216:8080
217.92.171.167:53
218.161.88.253:8080
219.74.237.49:443
23.254.203.51:8080
23.92.22.225:7080
31.179.135.186:80
37.59.1.74:8080
43.229.62.186:8080
45.32.158.232:7080
45.73.124.235:8080
46.101.123.139:8080
46.21.105.59:8080
46.249.204.99:8080
46.29.183.211:8080
46.32.228.206:8080
5.153.252.228:8080
5.79.119.1:8080
62.192.227.125:80
62.75.143.100:7080
66.209.69.165:443
69.163.33.82:8080
70.32.84.74:8080
71.244.60.231:8080
72.47.248.48:8080
79.143.182.254:8080
80.0.106.83:80
80.85.87.122:8080
81.143.213.156:7080
81.183.213.36:80
81.213.215.216:50000
85.132.96.242:80
86.1.139.205:80
86.42.166.147:80
86.6.188.121:80
87.246.58.59:80
89.134.144.41:8080
90.192.84.225:443
91.205.215.57:7080
91.83.93.124:7080
Epoch 1 - Spam/Stealer C2s
<not verified>
61.92.159.208:8080
104.236.185.25:8080
50.116.63.9:7080
Current Epoch 1 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
Epoch 2 C2s
104.131.11.150:8080
104.131.208.175:8080
104.236.246.93:8080
104.236.99.225:8080
105.224.116.43:21
115.97.16.102:21
117.218.17.6:990
119.155.153.14:21
120.150.236.64:20
125.99.106.226:80
136.243.177.26:8080
138.201.140.110:8080
142.93.88.16:443
144.139.247.220:80
147.135.210.39:8080
159.65.25.128:8080
162.144.119.216:8080
162.243.125.212:8080
167.114.210.191:8080
169.239.182.217:8080
174.136.14.100:8080
175.100.138.82:22
177.242.214.30:80
177.246.193.139:20
178.152.78.149:20
178.62.37.188:443
178.79.161.166:443
179.14.2.75:21
179.14.2.75:80
179.32.19.219:22
181.129.30.82:80
181.189.213.231:465
182.176.132.213:8090
182.176.94.236:20
182.176.94.236:21
182.176.94.236:80
186.144.64.31:53
186.19.202.88:21
186.31.189.232:143
186.4.167.166:80
186.4.234.27:443
187.146.179.75:993
187.163.180.243:22
187.163.222.244:465
187.189.195.208:8443
187.225.213.90:20
188.166.253.46:8080
189.209.217.49:80
190.128.26.2:80
190.145.67.134:8090
190.25.255.98:143
190.25.255.98:443
190.25.255.98:80
190.53.135.159:21
190.72.136.214:465
190.75.47.24:80
190.83.191.92:53
190.97.219.241:80
195.242.117.231:8080
200.21.90.6:80
200.85.46.122:80
201.199.89.223:8443
201.220.152.101:80
201.238.152.20:465
206.189.98.125:8080
211.248.17.209:443
211.63.71.72:8080
212.71.234.16:8080
213.14.166.152:990
216.98.148.156:8080
217.13.106.160:7080
222.214.218.136:4143
222.214.218.192:8080
24.139.205.186:8080
31.12.67.62:7080
31.172.240.91:8080
39.61.34.254:7080
41.220.119.246:80
45.123.3.54:443
45.33.49.124:443
46.101.142.115:8080
46.105.131.87:80
47.41.213.2:22
50.31.0.160:8080
50.99.132.7:465
59.103.164.174:80
60.48.253.12:20
62.75.187.192:8080
64.13.225.150:8080
66.84.11.168:8080
69.45.19.145:8080
71.244.60.230:8080
75.127.14.170:8080
77.56.253.112:80
78.186.5.109:443
78.188.7.213:8090
78.24.219.147:8080
80.1.76.46:20
80.11.163.139:21
84.241.10.111:53
85.104.59.244:20
87.106.136.232:8080
87.106.139.101:8080
87.230.19.21:8080
88.21.212.13:8080
91.205.215.66:8080
91.74.62.86:8090
91.83.93.103:7080
92.154.101.154:50000
94.76.200.114:8080
95.128.43.213:8080
Epoch 2 - Spam/Stealer C2s
<not verified>
198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080
Current Epoch 2 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
Credits and Notes Section
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
https://paste.cryptolaemus.com
NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.
What is Epoch 1 and Epoch 2?
What is Epoch 1 and Epoch 2? (updated 03/07/2019)
I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets(MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
time period.
Here are some observations I have noted since I have been watching these botnets:
- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have a different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change very 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Monday's of every week a new set of document download sites and usually templates to accompany them are generated early on
Monday morning/Sunday night.
- Both Epoch's may share a host for binaries or documents but NEVER the same directory. Eg. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys will change every few months so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.
If I think of anything else to add or if anyone else has any suggestions, I will add them here.
Community Lists
https://twitter.com/SecSome/status/1134192242783129613
Credits
(OC from @JRoosen and/or combination work of the following)
Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
@Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!
Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
Daily Log 05-30-19
3 emails from IN/PL/UK
E1 DOCS have a contract theme
new-contract-May.doc
project-contract.doc
new-fee-contract.doc
A big thank you to all those that report #emotet, via Twitter, URLhaus, URLscan and all the sandboxes.
General News:
<>
REVIEW:
If you didn't already see it, there is a very simple way to defang these ZIP/JS attachments or links. Just change the Explorer association
to open .JS files via Notepad.exe. You can follow my instruction here in this Any.Run:
https://app.any.run/tasks/81503633-0f95-48d4-bd80-c83ec5c2b763
or you can do this via GPO. Here is a nice writeup on this process: https://montour.co/2016/09/group-policy-force-js-files/
I recommend you do this because .JS malware is very 2016 or even earlier and most users never need to run .JS or .JSE for that matter.
You can likely throw other extensions into the same configuration and @JayTHL had a nice thread discussing this here:
https://twitter.com/JayTHL/status/1126204098670411779
Email Template Report:
Generic templates on the most part, the usual body text listed below.
Review:
What we know about the threaded templates/reply chain:(changes are marked with *)
- Emails are sourced from once (or still) compromised users all over the world.
*- Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
to the compromised party on or before Nov 2018 until at least March 2019. (may be up to present) Also have seen emails going
back as far as June 2018.
- Now on E1 and E2.
- Now seeing German based templates that are essentially the same thing but in German.
- The injected reply is usually prefaced with the following:
"Attached is your confidential docs."
"Attached please find the wire transfer form."
"Thank you for your help. Please see the attached."
"Load instructions attached"
"A printer friendly attachment is now included with each email."
"Click on the attachment to open or save the printer friendly version of your report."
- Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
- Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
- The link is customized for the display text of the link to show the real domain of the spoofed organization.
- These templates are pretty limited in run and not very numerous.
Link Regex Report:
Regex directory patterns
E1
*https?:\/\/.+?\/(biz|com|net|sec|sec_zone|secure_zone|seg|US|ver)\/([DdeEgGnNsSuU_]{2,6})\/(accounts|anyone|logged|myacc|sign)
https?:\/\/.+?\/([DdeEnNsSuU_]{2,5})\/(ACH|Attachments|Clients|Clients_information|Clients_Messages|Clients_transactions|Details|Documents|Information|Messages|Payments|Transactions|Transactions-details|Transaction_details)\/([0-9\-_]){5,7}\/
https?:\/\/.+?\/([A-Za-z0-9]{4,5})-([A-Za-z0-9]{14,16})_([A-Za-z0-9]{8,9})-([A-Za-z0-9]{2,3})\/
https?:\/\/.+?\/(trust(ed)?|sec|verif|public|secure|open|verif_seg)\.([DdEeGgNn]{2,3})?\.?(logged|signed|accounts|myacc|sign|anyone|myaccount|accs)\.(resourses|docs?|open_res|send|office|rep|public|sent)\.?(net|com|sec|biz)?\/
E2
https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
*https?:\/\/.+?\/(administrator|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|direc|Document|DOC|Dok|DOK|esp|FILE|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|PLIK|public|Scan|sites|test|themes|uploads|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n)
https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
NOTE: If you get a lot of false positives, try adding (\"|\n) at the end of some of these after the last \/
These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of link malspam.
Payloads Report:
Normal early start
E1 was attachment only. 22 DOC hashes scraped from sources for 3 EXE sets
E2 had three EXE sets across 430 URLs, third set was an earlier than expected release (2019:05:30 15:31:00) and may have been attachment only to start
EXE for both had high rate of turnover (~15min TTL) with a break between 18:45 and 22:45
Both had C2 in excess of 100
C2 Report:
C2 from E1 EXE gave 117 unique combos in total. - recorded above
C2 from E2 EXE gave 111 unique combos in total. - recorded above
Closing:
<>
TT
Sandbox 05/30/19
E1
https://cape.contextis.com/analysis/78202/
E2 https://cape.contextis.com/analysis/78203/