Emotet Malware Document links/IOCs for 10/09/19 as of 10/10/19 01:30 EDT
Notes and Credits at the bottom. Follow us on Twitter @cryptolaemus1 for more updates.
Document Downloader Links
Epoch 1 Document/Downloader links
<none>
Epoch 2 Document/Downloader links
http://2014.barcampcambodia.org/wp-includes/FILE/wu2ohxrqz03to_d94d4-7953737743/
http://aaoleadershipacademy.org/submitok/LBPBKL52CI9/XlHOAYQhmQFarvbHBhQbXOqJpz/
http://accountingwit.ca/aoldcgd/DOC/zrkjxavi9_ufkgrrxt-12656772911/
http://adonisbundles.com/fp3i/cache/vlMkCEtngdPE/
http://africangreatdeals.com/e5571/LLC/bSojJjzJ/
http://alphauniverse-mea2.com/wp-includes/lm/rq0rfefv_ifzyb0-4133554223659/
http://altara-quynhon.com.vn/wp-includes/FILE/ROyChzXZmmvlLcTvvCDzlNRG/
http://aqualink.co.ke/wp-admin/parts_service/izpuika6s5a784yms2_y3ri5z6xp6-13597969471/
http://arewaexpress.com/wp-admin/fxcDxjiCijKxHrcNzPQymDUAwgS/
http://arsonsinfo.com/baw/INC/dsw8wqkko851i2w_1umy2yl-685987851/
http://artesaniasdecolombia.com.co/webalizer/wamoryztYaNnAbfvVzDIfgRCoNth/
http://aspirepi.com/wp-includes/Requests/paclm/EILwDRRuMATdDRCAMHacpSf/
http://atlanticcity.com/bignews/wp-content/cache/wp-rocket/esp/7bq5xdhzt_a1r5tbnqm-8203979739/
http://awgpf.org/wp-admin/LLC/dUDBARshweY/
http://batdongsanmientrung.net.vn/cgi-bin/LmqFOPaKSiv/
http://bayutronik.com.my/wp-content/lm/fzbngsllpv388227hnzzcb3a_w6x7wsbrbo-15585690126895/
http://bergamaegesondaj.com/wp-admin/wRnjoGikQJPXOndIEvQAGSxeC/
http://bestindiandoctors.com/Backup/sites/0ne3lm629zejg1q4u_yi3z0-44753301545959/
http://bhoroshasthol.com/wp-content/Scan/hggdtvcz2zsi517l3gjee_3yfg1w-575895064196/
http://billboardstoday.com/browser/3kwuoqci23nt4hvu2v12c_e4a4a00xu-72996516/
http://blog.safary.ma/fwl503/INC/vEVxmeCyUmCQtogaMolBfygoR/
http://carolebureaubonnard.fr/error/FILE/ltncoUPMaVaIlVXDugAzrMyzgbnIo/
http://carsiorganizasyon.com/wp-admin/3rsqemibg6q7euh_ga3y5mk2-0241822430/
http://casinomel506.com/class.fighting/parts_service/xeslvc68pslqjkp7196llaz6lq29_t3n918b5pi-91259416058636/
http://caspianelectric.ir/wp-includes/INC/WjDuxjeqHzXbrfUYv/
http://caspianelectric.ir/wp-includes/l68huz561pznssxpsrru6iz_s7w88fn-01983817834069/
http://caspianelectric.ir/wp-includes/WOGVBsMbJvMv/
http://cbportal.org/3dsnp/documentation/wp-content/esp/MWqYcltvHFhOCdKeRijTxBEqnBc/
http://centralcoastbusinesspaper.com/track.config/paclm/dDidnqMOzFjgNExvZwjjKc/
http://cetrab.org.br/wp-content/FILE/g6yqvtcruafc3zkp_d3nr9-321490176766/
http://championsifm.com/qvotoxy/DOC/wryNTTLZ/
http://choicebookstall.com/cgi-bin/Pages/BNrzcwecogxNabTSVqnTUtTY/
http://citrapharma.net/wp-content/paclm/ManbvNgYeTesxbVRvhAuwTVAeV/
http://clasificadosmaule.com/wp-content/sites/szs9n6pvn37fgafd911ss_osiby1-753587659577/
http://clients.siquiero.es/hizv5v9/paclm/afcse9eba1qsn_owbo6-69170965/
http://comeswithplaylists.com/wp-includes/esp/7sht98iadw2ccxzj3wj0fmswq_1esutw-24834270/
http://conciergebuilders.com/wp-content/Pages/dodnuyTiAgeKakU/
http://copiermatica.com/sox62c/zhpKvRNzRMZnGxZ/
http://corumsuaritma.com/alphabet/snfbHwkU/
http://cricview.in/block.function/paclm/5nt1xc4nk2mdm4jze2_tb1b44a59n-0908762582969/
http://ctni.co.uk/wp-admin/esp/bBItbZBcBQOoEwafxb/
http://danpanahon.com/grvdc/INC/v5i7izyj8483fnveeeldk52qi1uzy_2fhh5u-5883765997570/
http://dayboromedical.com.au/jygtv5r/j07aov3phy_ybt9lyxq-82887136095/
http://decisaoengenharia.com.br/noticias/wp-includes/SimplePie/XML/highest.function/rrdemLjXaqfAnzuMY/
http://decorstyle.ig.com.br/wp-content/languages/Scan/za7w63pg79e_f4ia5-01669369/
http://dhidedesigns.com/wp-includes/gr3i58adi7hyb7eqrixulx_6idouu64bd-35789009/
http://dipeshengg.com/customers/paclm/cxDXknmMpgJCGLrsXOHGoicZqWSiwT/
http://disdostum.com/blogs/lm/khtnAGvipOpDnzbCFMC/
http://dplex.net/wp-content/POZ52G58VLEVNE/dr1acb63nl723fij9cy53d64u_benhukrxc-225456009668510/
http://eduquebrincando.com.br/0flwql/INC/9vjwlstw7hsgpdvvyshgwrxr8by_ucmcw8zc-4885450946185/
http://eightyeightaccessories.com.ng/footer2/INC/BtlbChfnq/
http://eilaluxury.com/wp-content/lm/xkagila8iskhf00xis8m_jctve-45373747062887/
http://elevaodonto.com.br/lostpass/lm/mupx2bjo2odkpqxk_zzsa9-66510354300984/
http://elitecleaningswfl.com/igw3g/Pages/TmcIhsAzJiVyCRvsBmPUIurkYEHKZm/
http://emilrozewski.pl/emilrozewski.pl/INC/o2i1pmac2kkr5bo5mx2nl2at4_6dc3fvvq-66548834332/
http://fhayazilim.com/wp-admin/PKXhTTdQlDY/
http://forestcountymunnar.com/demo/XHOpCeJTaRXOvTNhriFAJ/
http://gamot2go.com/heuwmap/paclm/anvdvcmn4v41blign2h92txzprwkj_b3mz727-4262796566/
http://gangasecurity.in/uploads/paclm/SJICBZuOOWsrWsefQvBjcwx/
http://geovipcar.ge/wp-admin/omykmb709u_wr053d-94928636/
http://gogogo.id/wwsli/nlr8ex9iocry3ako_86y75266-4440808247/
http://gonouniversity.edu.bd/sociology/lm/InNCDfrRIDqnLjHrOFEhBGhRGFQsX/
http://gravitel.org/wp-content/INC/TbQxSZJEoZInJEYtPTcgNVmCnJOpmk/
http://hanoihub.vn/wp-admin/ZI25WG7XLF2FD5B/rqUrQsFeoTAYDGHTzAvRSJpuyojiX/
http://haram-edu.com/an3mkpk/vth4ecksh34pjbd152wgu0ilwdb2pa_hjd2opln-0927959715/
http://harmstreadmilltraining.com/ildrab/sites/xqdiqj5arvtvuxlroj67le5b_x11o0klyg-0091343054360/
http://hebronchurch.ca/dup-installer/INC/9my2alz53ycdju6our50wnufx_h3anzt5s-63739670/
http://hertmanlaw.com/order_info/esp/gGPCYXdJZuObhVMhUoZwlTMlfoxY/
http://hiztesti.web.tr/calendar/9015667889/fhpo6rl22b4adm7ucpi8e0qzvf8_vceqa-7199575809503/
http://homengy.com/wp-content/Scan/YraKrdONfzytO/
http://huisuwl.com/wp-content/FILE/yoiirefyep_jbjdp5-65813790/
http://hurtowniatapet.pl/wp-admin/zqVHnvSXXoiFCasKkuFaUg/
http://ilion.tech/9t59i7e/lm/ie6pzr18kd_f3faf-43169793/
http://infraturkey.com/deletecomment/parts_service/daaMnHeDzR/
http://international.uib.ac.id/wp-includes/467501246984/18zekk1wa2k7xjh0nj4tqwc6_fvr6ux3r-008335497826446/
http://ismashednc.com/cgi-bin/z551rm1hmrv373_e8hs2-7538061518636/
http://jadeedbjadeed.com/uap/Document/XdMOLGXYGfRWgazukFjJgqUGokvVNN/
http://janevar.dk/framework.fifteen/FILE/6dxd2qx9_84b50pcv5f-5433104293/
http://jcie.de/wp-content/sites/re3jpzr4ip6u81gt39bnydp_j5tl3he-76534962/
http://jokerjumpers.com/n80dyl/FILE/fn6eqy2d4nc22tz0hiwq8vl2_jz6m2t91-2918688556/
http://jrunlimited.com/choice.inc/Scan/ucijpc7mnod037c4_lcaps0vmy-13565505013/
http://karishmajaveri.com/discuss_lib/KzsFbuZVtvomqGnO/
http://kbkevolve.com/wp-admin/zjmxgadhuv4pnbzp7ynpdoik56795_gwb8z-673046389663526/
http://kela.edu.vn/wp-content/Pages/oNaVNIIKJdMBSHiWxmHdByJCiKE/
http://ks.od.ua/mmenuns4/parts_service/PMIFzNnqLKLTiXtfGbtv/
http://ladariusgreen.com/eb2hb/rj07fs0ce_nww3m1-5712796730131/
http://lavinotecaonline.it/wc-logs/yHlKCeOlqUfc/
http://maisvisitados.com.br/pedido-online/Scan/bkihvcBMLxRieYvKhFAQ/
http://mandarini.ge/newsletter-Qd9WAs/VAsXFIEDKWYIyRUFgf/
http://medias.chavassieux.fr/ithemes-security/63jgcgvb8jr68pcwazhl5h1smav79t_yyckjzwlc-316327566722032/
http://melbournerenovationsgroup.com.au/wp-content/IOXCLoMCz/
http://menanashop.com/wp-includes/LLC/pINCbMITwqcpKYXFmSjr/
http://merrylu.co.il/wp-includes/Document/HvIgNsRUYLsyvMKj/
http://microjobsnepal.com/86ea/INC/ayqwta4g_lixotdb5-175423663/
http://mmsdreamteam.com/veuc/DOC/XfupnXeZGj/
http://motherlandweb.com/wp-content/uploads/et_temp/DOC/6ya7wahtvja0a37bd9dcfp3vu_x207gp9ec-61869157/
http://muscatroots.com/xs0pdaz05/TVOwYvLv/
http://musicvideoha.ir/wp-admin/labncrg89zb4qmqb79zsenrlbuvf2_3ur64o-77901347064905/
http://narayanaayurpharma.com/calendar/parts_service/efn1penarkmzt7c0l_dhomq8iak-13656166/
http://nekobiz.ikie3.com/wp-includes/esp/uofMWYGRvYAHqMC/
http://netrotaxi.ir/wp-admin/DOC/sjmo8y8becp_s9h4b-6163496576268/
http://ngoinhadaquy.com/wp-admin/INC/NMmaLgowcJmhrnL/
http://norbertwaszak.pl/tmp/LLC/BQpvwHGKCQDvKNpfIGhqse/
http://nuevocorporativo.canal22.org.mx/wp-includes/s0r6nqec8g68xjnbfnttar7_t805e-24701676/
http://online.aminulkarim.com/wp-content/5842736490014/sgkpr6pqvwl_ac5en-1704501793502/
http://onlineprojectdemo.net/Nationsroofing/FILE/u0ose5k5vtij3iq0pcj51ba8jr7_xxaqjk-9587131473/
http://ostadtarah.ir/wp-content/paclm/MpIiyqCdWrsLPjbMjiDqBhrZOq/
http://overwatchboostpro.com/ynibgkd65jf/sites/2bmfkc0j7qe8_58yyhd4-3344823406/
http://parscalc.ir/academy/RKWgiuSOZGpFVpIf/
http://peruphone.com.pe/5hdf7b2/DOC/XGxZhPXkNKqiiGFnKeIH/
http://pharm-aidrx.com/efwk/MZH38LF1NPEQ/xvnUxcBNXgiUHPthnNDbaL/
http://pontus-euxinus.ro/wp-admin/eiqCOgkzFcqVmErAgpqlcyqqp/
http://propase.de/bia/FILE/ptZVDCIuIlLDOepyAVQaER/
http://raudhadesign.net/lywnigrh/Scan/xfhtdjgaowz2i4_quvpc9rg9q-348921002488736/
http://reflektorfilm.hu/wp-includes/IxdxWQGDRcoVGLUpVLYkrad/
http://residencelesarchanges.com/wp-includes/04FX2I29ZGPH/st6vav91o3s0vrzvbqk84_a0pj2ex-4071728036/
http://roshanbhattarai.com.np/audio/LLC/0yxb1xel1ydl_nve0nvqu2-4052856905/
http://sabzgame.ir/wp-admin/BvEgTOQRVCgaOhhAYmRAFf/
http://sarkargar.com/blogs/doc/3cqjiibat066lv6n0kevsk_26v5gn7ga-150219060/
http://seatwoo.com/TEST777/parts_service/leTMngVRHKTNaOfmoTV/
http://secondchance4citizens.org/!mssql_setup/FILE/y5mivd7gydr3w3pd98pa3w7j_zxflx01k-90445161461/
http://smartmatrixs.com/Beta/LLC/2af68g7w0ysysv95nutlsp_0bunhkbg-9466852086487/
http://somersetyouthbaseball.com/trademark/xFpgxSRMQxoJhfZuMxqiR/
http://spdfreights.in/wp-content/themes/twentynineteen/sass/forms/5F7ISSCRXCX/48prsjavo44vlgpw42urej62ogdq_3lsa73yi-34847652134/
http://surenarora.com/consultation/tnincvctzy_de5oxm1psn-48178648280785/
http://tegrino.com/wp-includes/lm/JeSVLIKCcKu/
http://theamericanaboriginal.com/class.popular/paclm/IuiixzYpyLeeluMuS/
http://thefortunatenutrition.com/wp-includes/INC/v52zrunwac8ck4t6oq7g3_ny72vb-968513619/
http://thegooch.agency/cgi-bin/LLC/LLXTPrCXCsYiiCvj/
http://theinspiredblogger.com/sitemap/WtBiSWUQGwdly/
http://timotheus.ua/wp-includes/q6q5o3tcu201nx8aw7rdtfmr2oawh_386xjn-6420663950671/
http://unitedstatesonlinesportsbetting.com/d7928/FILE/eRxzJZyxWSzzJcVzL/
http://velerobeach.com/cgi-bin/1252478867022048/qtybtfxx2wrhkj_cg66zs-66166420863/
http://watchchurchonline.com/flc4/LLC/kozz6eabsjf0df3zs930221bti_kaoeskuaho-104905663584/
http://wizard.erabia.io/cl67i3t/Document/HcRzSepVgfWLviFFzMVzUFePbuvUH/
http://www.aaoleadershipacademy.org/submitok/LBPBKL52CI9/XlHOAYQhmQFarvbHBhQbXOqJpz/
http://www.adonisbundles.com/fp3i/cache/vlMkCEtngdPE/
http://www.almemaristone.com/fc709/2ABSKYI6IQC/XMDdZncwncsYPGbxvFGOGD/
http://www.arsonsinfo.com/baw/INC/dsw8wqkko851i2w_1umy2yl-685987851/
http://www.artydesign.co/wp-includes/TuSVCJIYEEtxDhNCNfyiSk/
http://www.bergamaegesondaj.com/wp-admin/wRnjoGikQJPXOndIEvQAGSxeC/
http://www.bethueltemple.com/elt9wu/NCEFJRM8E6C/btq08r6eu0j2kp6juqr_gwkc35-772058243057/
http://www.bresbundles.com/hunwdgi/esp/vml11lb8y0nqu244jmd1ulfcj_533mn-795717924/
http://www.carsiorganizasyon.com/wp-admin/3rsqemibg6q7euh_ga3y5mk2-0241822430/
http://www.copiermatica.com/sox62c/zhpKvRNzRMZnGxZ/
http://www.corumsuaritma.com/alphabet/snfbHwkU/
http://www.cuisineontheroadspr.com/popup_index/NEONyzJCq/
http://www.dayboromedical.com.au/jygtv5r/j07aov3phy_ybt9lyxq-82887136095/
http://www.dipeshengg.com/customers/paclm/cxDXknmMpgJCGLrsXOHGoicZqWSiwT/
http://www.dollbeautycollection.com/subscribe/esp/3ok8vaq3kx7l9nr5up43or3cjzauq_geagp-3939994883808/
http://www.earthpillars360.org/vgok990sf/cavTByhbMbs/
http://www.eightyeightaccessories.com.ng/footer2/INC/BtlbChfnq/
http://www.eilaluxury.com/wp-content/lm/xkagila8iskhf00xis8m_jctve-45373747062887/
http://www.elibdesign.co.il/wp-content/yKiXqyQZcygxYAAKT/
http://www.endeavouronline.in/cgi-bin/3ag3ls9kvd4ot6j1njug1nq8k_2v9rsq9-5699212626798/
http://www.famfe.org/evrcooq/esp/84c1epp13kh5edk3x0biqc32pe_iepmt98ep1-283131932215/
http://www.fitexbd.com/wp-content/FILE/pg89l1zxaxd6qbmjb4l9h924loun_n1ghb5at-06078805319/
http://www.glamoroushairextension.com/redir_mail/Document/kShXMWxIJhRoELoUsEFRMo/
http://www.globalreddyfederation.com/showheadstone/FILE/9c3i8602qj0y2aza932b_qxc5f8t7-2953719888/
http://www.goaribhs.edu.bd/wp-content/A3F9NVJS9BB3F/NMCmgnzScSetktYTdGLDfyPsqZEleA/
http://www.imgautham.com/messageboard/FILE/c1g6mqk1h_k41afgzka-045225358978733/
http://www.indianmineralsnmetals.com/wp-admin/paclm/atkfzp3ifvhsi5_ff1jd0-495395954/
http://www.isleeku.com/nickpage/4bcgkahy5toi7aq7cxa4mt_lutvecup-5215437109348/
http://www.isleeku.com/nickpage/Scan/ogx7vtz2tr4j_8g5j473-096029329350379/
http://www.jusluxurious.com/tdavtto/lm/GHgDnCgNZsmjhGr/
http://www.lavinotecaonline.it/wc-logs/yHlKCeOlqUfc/
http://www.marra.agency/rdwgwqg/Document/yVAZDWmziJuMsmfrEDYJyGgNTVdd/
http://www.moneyhairparty.com/class.local/parts_service/l08vz9rlsq1n0l9_ot5almv4cm-275176722/
http://www.nubianlabel.com/8azrk7l/Document/NzZyZOuUdr/
http://www.nxn.one/u3pgsx/lm/ja4cwgjfnn3d1pay5s2ltjk8_qije8-44560606469579/
http://www.okiguest.com/host/Document/3bl9lt32k3l14qvqxt7p_o2tnrcy0-773672729/
http://www.omniaevents.co/wp-includes/LLC/im4r213qj3jgqq04kcp722irmm_n7331-313199097437/
http://www.parikramas.org/engl/LLC/3ah7g1shzd0n4lg7db6_mv3xpum79-40795232/
http://www.saleemibookdepot.com/hpkikf/LLC/fqj2uihuh9te8_bculdpib-726470310041/
http://www.salviasorganic.com/license/INC/0fbsvvw1uzkhc8nf4x8hiqoa7obf_8flumf39v-3657734246364/
http://www.skipit.cl/ynibgkd65jf/1937595848468465/hikdahtt4zyu33so8klnk6_ago60-94537216593935/
http://www.soleilbeautynyc.com/config.noon/parts_service/vxs1bottyi2u_7wf0pxh8r-84007613556759/
http://www.spenceleymarketing.com/wp-includes/sites/gfvwg5a3gtksq_n7eng5m-8413323478/
http://www.studnicky.sk/f00q/04374738547357/ZEaOqSiZvgLiMxEhocJLq/
http://www.sweetpeahaircollection.com/sssu/FILE/lnnet2pb1tnl5rl0onl4gy_8vehv5y-920842041/
http://www.teamupapp.com.au/wp-admin/Scan/tnf1e9ljb7oqco78rpbotq80d4k0_m5pvoi7lmi-639229087769296/
http://www.theroirockstar.com/calendar/sites/lLPxeKuznmn/
http://wyf.org.my/1ax/parts_service/JvdnrMRYEeNbppDruhUdv/
http://zhycron.com.br/admin_ldown/paclm/TrZdUfcnfIvF/
http://zorancreative.com/wp-content/QQoaZSUCObBzknkKQrkvTwyvxGgfS/
https://aajtakmedia.in/wp-includes/js/tinymce/plugins/hr/ndnaRzhWofpncrWIMvqABN/
https://accountingwit.ca/aoldcgd/DOC/zrkjxavi9_ufkgrrxt-12656772911/
https://alphauniverse-mea2.com/wp-includes/lm/rq0rfefv_ifzyb0-4133554223659/
https://app-1511294658.000webhostapp.com/wp-content/sites/dkckTworC/
https://arewaexpress.com/wp-admin/fxcDxjiCijKxHrcNzPQymDUAwgS/
https://aspirepi.com/wp-includes/Requests/paclm/EILwDRRuMATdDRCAMHacpSf/
https://austinlily.com/exceptionalnews.com/esp/wvMHMSeXzdVz/
https://baby-wants.com.my/testres/FILE/6obhfm4y4hgd7ik3l42f069hp6aeu_7dv5tc-81265509449/
https://bayutronik.com.my/wp-content/lm/fzbngsllpv388227hnzzcb3a_w6x7wsbrbo-15585690126895/
https://blog.jainam.in/wp-admin/Document/rweAAfIYkNPFIfz/
https://bondbengals.info/wp-content/DOC/d791lv48m442qbv8tddodhjfmbs_dfsa5w-33037959677424/
https://centralcoastbusinesspaper.com/track.config/paclm/dDidnqMOzFjgNExvZwjjKc/
https://championsifm.com/qvotoxy/DOC/wryNTTLZ/
https://collectables.nojosh.com.au/wp-content/SYqlHrEWUyQ/
https://copiermatica.com/sox62c/zhpKvRNzRMZnGxZ/
https://ctni.co.uk/wp-admin/esp/bBItbZBcBQOoEwafxb/
https://culturalmastery.com/mt_images/paclm/tmdFgvqJFirVbCDpLw/
https://diezeitinsel.de/wp-admin/Document/4b1hs7073aq1fnmer4rv9k6f_lmrc8inum0-887675682613/
https://dplex.net/wp-content/POZ52G58VLEVNE/dr1acb63nl723fij9cy53d64u_benhukrxc-225456009668510/
https://ecklund.no/pdf/NS89IQMMUCSS/jFcOZtnMxKGeacejiwMwAlDzKeQNGa/
https://edealsadvisor.com/0589623/LLC/5ppdqz6unzkg67di1q0n_npcrhtdq4-34656834/
https://educacao.toptraders.com.br/m3wx4/parts_service/SZSxVCHPcMEMMrmyNfCcghGtWz/
https://fusichemical.com/wp-includes/paclm/NJBwSxlc/
https://gethelplinenumber.com/wp-admin/Pages/q8igbpj6z9a4of_l7hthj-08748941650/
https://getpeakenergy.com/wp-admin/AXNcgGWABKMhzpHLCBQJP/
https://gideons.tech/cgi-bin/Scan/up6n7frg0s_8ldx1ma37-8477658408/
https://gogogo.id/wwsli/nlr8ex9iocry3ako_86y75266-4440808247/
https://gunesteknikservis.com/wp-includes/parts_service/ivmbIdbgVWTFODKKVrQz/
https://hebronchurch.ca/dup-installer/INC/9my2alz53ycdju6our50wnufx_h3anzt5s-63739670/
https://hertmanlaw.com/order_info/esp/gGPCYXdJZuObhVMhUoZwlTMlfoxY/
https://hiztesti.web.tr/calendar/9015667889/fhpo6rl22b4adm7ucpi8e0qzvf8_vceqa-7199575809503/
https://iglogistics.in/sitemap/sites/ycfxuqsv_ay7m3lcrv-140179245879158/
https://ilion.tech/9t59i7e/lm/ie6pzr18kd_f3faf-43169793/
https://immopreneurmastery.de/3u4ck8/Pages/14dbz0v3p8p_k6samkh-72286502/
https://jrunlimited.com/choice.inc/Scan/ucijpc7mnod037c4_lcaps0vmy-13565505013/
https://kbkevolve.com/wp-admin/zjmxgadhuv4pnbzp7ynpdoik56795_gwb8z-673046389663526/
https://kdmedia.tk/wp-admin/sites/LIYRNGFxaEk/
https://landing3.ewebsolutionskech-dev.com/hvgpz/esp/dobh6pgi3myqnq_4j83s7r-303897442189/
https://letouscoreball.com/wp-includes/Scan/ioAnqeYjTSoSxfLIPWmBWVzdIqwtce/
https://luaviettours.com/wp-content/SPP6HNIKFP0/ZbRxHCDvEKEmnrYiE/
https://m3creativemedia.com/780a0b/4nuwnadjz4_45lhp-76334341292/
https://maacap.com/efqce/7MBUVNPO3/zwNPEeZJxpJkERimLb/
https://makmursuksesmandiri.com/wp-content/g03vqk4nz6uxlm8dzpp868nw5_9l3ot493-355655399237/
https://manhattanphonesystem.com/qmr/Pages/gvzsjjrub4y0xzploqlz6h3zh_kll5bh-3307302776/
https://mbve.org/cctn/Scan/jog52jas2_i4bs9a-22970863048126/
https://meadowdalecoop.ca/13yn7/0619297881899598/KaUxpndFm/
https://medias.chavassieux.fr/ithemes-security/63jgcgvb8jr68pcwazhl5h1smav79t_yyckjzwlc-316327566722032/
https://merrylu.co.il/wp-includes/Document/HvIgNsRUYLsyvMKj/
https://milwaukeechinesetime.com/function.cheese/vHmHUDKXBfcgYtvnXicxWt/
https://minimidt.cm/wp-admin/vEewXdPlIE/
https://mmsdreamteam.com/veuc/DOC/XfupnXeZGj/
https://mododimarmi.co.uk/balloon_lib/Document/bUxoTshGBVombMuVRnjDwRoPbvyi/
https://mullasloungeandluxuries.com.ng/fud/INC/cd1adengp_snckfe-19152890/
https://newhomeblinds.co.nz/images/Document/0llybnsxc8rokkw762ye_s8y80u2c-23896512673589/
https://newwell.studio/test/DOC/NtnDpOmWbTdPEdBxrLyy/
https://norbertwaszak.pl/tmp/LLC/BQpvwHGKCQDvKNpfIGhqse/
https://parscalc.ir/academy/RKWgiuSOZGpFVpIf/
https://pasban.co.nz/ciawl/DK8HZX359NEHH/cvMAJgVUDbLQRGyWq/
https://portadamente.com.br/wp-includes/lm/PpEGInZu/
https://prestigefg.com/wp-content/parts_service/OHxabmDglAbmKV/
https://raudhadesign.net/lywnigrh/Scan/xfhtdjgaowz2i4_quvpc9rg9q-348921002488736/
https://residencelesarchanges.com/wp-includes/04FX2I29ZGPH/st6vav91o3s0vrzvbqk84_a0pj2ex-4071728036/
https://roshanbhattarai.com.np/audio/LLC/0yxb1xel1ydl_nve0nvqu2-4052856905/
https://sarkargar.com/blogs/DOC/3cqjiibat066lv6n0kevsk_26v5gn7ga-150219060/
https://scolptre.com/hnx/94255159462476683/hvuQlzBXncKWTcXQq/
https://semadac.com/ss8m/Pages/qirbjcf12en2neqczsmjepztygj_ra27nxg-853799018859/
https://seven.ge/wp-content/esp/OXuiYinvhNmDix/
https://sudonbroshomes.com/chase-login/LLC/LkAeZgQomHrGMakBZv/
https://surenarora.com/consultation/tnincvctzy_de5oxm1psn-48178648280785/
https://susanne-zettl.de/emptycart/l1u1aodwcqre02d_bye6c3-605766707562343/
https://svedausa.com/wp-admin/Scan/hoklvjkkvo8t0kyq2e0yf9s0g44pva_gflzg3q1w-96887715538972/
https://techroi.pe/hmsmbtr2/sites/sSORQkcZ/
https://tennisarm.nl/cgi-bin/MIXYM319I0YO/MLWphlZImyNoh/
https://thegooch.agency/cgi-bin/LLC/LLXTPrCXCsYiiCvj/
https://tizbiz.com/8969544/Scan/rQsqZcVwoTQrYN/
https://tonkatali.com/sg02t8/lm/6arhhfm8_gxdrja-7313765353/
https://tradingdashboards.com/wp-content/5s8qxz9ndr8_qvlsoo3tdp-991967836352/
https://travelstream.com.au/ke3v/sites/eVmtTyvFRXUOhD/
https://vendurkraft.com/chain.function/LLC/89j76jxit15rvh2y4lj0107f73_u7vwne2d2c-87375448565/
https://vivesto.it/wp-includes/INC/yrjn98qxp8vt9nxbqxav9ckeepy4w5_w3w22a405-01911972831/
https://www.1cart.in/wp-admin/DOC/9spxxnlf_nn01tksh-7385953062/
https://www.adonisbundles.com/fp3i/cache/vlMkCEtngdPE/
https://www.arsonsinfo.com/baw/INC/dsw8wqkko851i2w_1umy2yl-685987851/
https://www.aspirepi.com/wp-includes/Requests/paclm/EILwDRRuMATdDRCAMHacpSf/
https://www.billboardstoday.com/browser/3kwuoqci23nt4hvu2v12c_e4a4a00xu-72996516/
https://www.bresbundles.com/hunwdgi/esp/vml11lb8y0nqu244jmd1ulfcj_533mn-795717924/
https://www.carsiorganizasyon.com/wp-admin/3rsqemibg6q7euh_ga3y5mk2-0241822430/
https://www.copiermatica.com/sox62c/zhpKvRNzRMZnGxZ/
https://www.cricview.in/block.function/paclm/5nt1xc4nk2mdm4jze2_tb1b44a59n-0908762582969/
https://www.dollbeautycollection.com/subscribe/esp/3ok8vaq3kx7l9nr5up43or3cjzauq_geagp-3939994883808/
https://www.earthpillars360.org/vgok990sf/cavTByhbMbs/
https://www.eilaluxury.com/wp-content/lm/xkagila8iskhf00xis8m_jctve-45373747062887/
https://www.elibdesign.co.il/wp-content/yKiXqyQZcygxYAAKT/
https://www.glamoroushairextension.com/redir_mail/Document/kShXMWxIJhRoELoUsEFRMo/
https://www.globalafricanproductions.com/init.bent/INC/94gsdyo8a2mcffjb84iabs0v973wo_o72z8dhvrh-08376968703760/
https://www.gravitychallenge.it/wp-includes/oVzOmJgaFdvVYIqXoumSFIqtzbsoT/
https://www.haveaheart.org.in/haveaheart.com/esp/g1qgmf4vyjg6ktgbrp_dfdcxo-224311742/
https://www.ignitedwings.in/wp-includes/3S7HI7Y71J02QO/vzKLowuqTVOFBskOeTOm/
https://www.ilion.tech/9t59i7e/lm/ie6pzr18kd_f3faf-43169793/
https://www.isleeku.com/nickpage/Scan/ogx7vtz2tr4j_8g5j473-096029329350379/
https://www.itmsas.net/wp-admin/Scan/0v54fipdh3twy3nwdu_qakbc-7002424175484/
https://www.jcie.de/wp-content/sites/re3jpzr4ip6u81gt39bnydp_j5tl3he-76534962/
https://www.kairod.com/wp-admin/2mnbyvwluikqcptooc6zgqi5x_n0iovu4-89107313/
https://www.labstory.in.th/wp-content/uploads/paclm/8wir284b2zbdmvqk98_jjmnralgm-76572020596/
https://www.meharbanandco.net/wp-content/FHLXMH1LLXNHZY/bj8q7z6ul99eq79o_p7wi7-797280390802/
https://www.moverandpackermvp.com/hindustan/Scan/8m4z0mpwzx5zymolxuxzkptm_wlhet99o-387163488/
https://www.nubianlabel.com/8azrk7l/Document/NzZyZOuUdr/
https://www.nxn.one/u3pgsx/lm/ja4cwgjfnn3d1pay5s2ltjk8_qije8-44560606469579/
https://www.skipit.cl/ynibgkd65jf/1937595848468465/hikdahtt4zyu33so8klnk6_ago60-94537216593935/
https://www.studiomovil.com.mx/wp-content/Pages/ifcsx5toe_n4swmea-525270872885/
https://www.sweetpeahaircollection.com/sssu/FILE/lnnet2pb1tnl5rl0onl4gy_8vehv5y-920842041/
https://www.u4web.com/wp-admin/DOC/l3ayp82wx8eu3fo9_2r1yge-93054757760/
https://www.urbanstyle.in/wp-content/DOC/22wpiv8sxio52tc0qnd1owt_dqvemyo08k-22837492/
https://www.zhycron.com.br/admin_ldown/paclm/TrZdUfcnfIvF/
https://wyf.org.my/1ax/parts_service/JvdnrMRYEeNbppDruhUdv/
https://xn--kuzeypostas-9zb.com/wp-admin/253243114929680/XSrjNispZlFTURXVdGTcyXsLmOtxlM/
https://zenithpedalboards.nl/cgi-bin/ursByHsnWjenEVvQJL/
Epoch 3 Document/Downloader links
<none>
Payloads per Epoch by Document
Epoch 1 Payloads by Document SHA256 - All Times UTC
Creation Time 2019:10:09 21:14:00 (Attachment Only - Doc based - Protected View)
SHA256
e25aa1c6dc675c245e9ce83b43b0b80aee71865e9d512d654e3f654dcbba9287
0d7dc3e10c42a192c2a6d5193632d716fe518254e16a81e8751740ebc5db6d1b
3aa6d1dbf04cdb7a82aed0cb3b736365d6c5b92ab1f24db548c90b91443d71cd
ce2e6e21e48a05808a066b20bf233ba3963336ce10d272e9b4589eec9de0c57a
e46e631a00ac65fed275d1a549fe019dc9bb88dff591056e76cbb14e28c2df2b
e6395a5a50b41bf7299e1ab40ad8f1dec740bffa4d2ba873682469db48152711
e376f6eab1e726f20ece6c7d17bbeae55c86e2da1796cae01f709cee66d73e4b
http://bluelionconflictsolutions.com/wp-includes/5sk54068/
http://www.winzerhof-kridlo.com/up/gqfm32861/
http://www.coscorubber.com/lzhfb/3lzijk275/
http://huyndai3sthanhhoa.com/pictures/p9104/
https://wearetxvets.com/bat.function/p1bjn92466/
Creation Time 2019:10:09 13:30:00 (Attachment Only - Doc based - Protected View)
SHA256
59a1191b40e1b02e3bb3bf27f04e702c1212be2b388f17e390d2ca202a1bb9a8
f47a89a1f394ea19a47238028c5d3ec9fa65d58ab511eac4413fb4436884ab52
fd40305ae80b4c329cdae0906053f17ed530b621296474319f61860385933a37
3cde969c8f82d092e654289baaa67fdd48e04b94b69457c73cf0c1bb13d4839d
7a1ac5a0c167aefd7642c911a42734ddfbe2fae9125f80b817c0ba8066cb9a21
582c2f9a4b2efdf5ca799d4f115b0699a908582ea984b696cd1f1397b356838e
e64c07ccf829e1b5da0841fd0eff973e09ec88c3c293b77807bd18ab574577ee
5547ade1c95dfa2f54c57f4b10059020a4828ee279701e2169896c1337e0626e
53a6488f75798186a546696c3bf3c86094e7998ba1c62496535462566d270aa9
2b1fd23ab995fbc8a8adcf34480f4c0d39104ab15b8f84da5591bc819a635552
f0b77fec9fe25acbe64375ae2c97587f4c78873cf8a6b96eae73c3538c9c2fe9
0e9fbc06ddb0bb42ee27ab112742461f1fe4610f65cc107e17f72fa6970bc019
1e3239b3b1a51e5876877727082123611637aa6cb1bb91d3e4928d8bad122fc2
451761f0817b36c311ebe24817425d5a0f7451266fe5c1f59524c185ff3a6f32
b909df61672fe03ddc3bdf97b3b7acafe56b59999df8d193c7128d1c1388338e
98d42a66a52b701a92e603479508b45685c3f8c78726b26aed2f3ba1a68d261f
0e7a4b128522ad113cf7eb1a5102411dd74075e573d5324cfe43a991ed355f18
29b5e40a9c547c192c034395d3ae191ba1b00a861f358e1a64fd8e5f65ebf300
98cc33515f40a302125de85f2360e9c9852c9377051b511e075e2ff5c332fa0c
f5c38c747cb5e69d8f84823833a492fbd6a3338038f921271beb049d7d8e2b9b
369e2c3bad72b46749b3fc97b4ef1b84fa6437d3d099cd8784d13ba50e7ad3eb
7629956d071ef8134e671cd45ecef43bc661505e0e0ec486027ddfed4284b405
9b007315c2fcba910e293faf1cd1e24cf3a57fc1d0e7493e617c161e26c730f3
http://www.bridalmehndistudio.com/wp-admin/ellvqa6/
http://www.oshunvirginhairco.com/compatibility/yn8fj00419/
http://wisatlagranja.com/7biec3/um9j3606/
http://3dsharpedge.com/dbconnect/x386915/
http://www.thecreekpv.com/function.youd/ij1/
Creation Time 2019:10:09 12:22:00 (Attachment Only - Doc based - Product Notice)
SHA256
0b2baa861978e3f1f9b0af181611a84a84fa2283cf74c6a4b75224447a13df18
8234695c732d45a6e03a128d6cd6e4d0f72ed70ee4327252f82c95283f36a705
d2a93e9097d937168bed4d7f3f62cc8b6ca37dc1afc988f954c2b7f35040ebd5
ef2b6e548f4b1b97740ba6bab81f1f1f983e8647fa439467f19cd32c5e9b5315
d9a50da89f1205b2ad49979d7d084aa1c6946832052edc99a2d450191538e1fe
7822dd39a31e36a46440eca9fec9c925e34f625908a35f2f4f3967a2cefe55c7
http://www.vibescyahdone.com/wp-admin/d04l1395/
http://www.mmacustica.com/wp-includes/s1uv5960/
https://whobuyjunkcars.com/css/f5/
http://madhurfruits.com/wp-content/rj26h8y00685/
http://westernverify.com/template/pivp8064/
Creation Time 2019:10:09 06:30:00 (Attachment Only - Doc based - Protected View)
SHA256
ef934fcf6984c85ca4dd0bb1598ac3e7d5e46721067e0f76d72edd8c9a1efabc
b436a0c07cc56fa0e382a4243968fd422a3ea84da6911b661fe4a5950293cae3
a5553996e1dbd6422ff39bfb8b98179d962dd7debdc9486f67144367f01c0a73
c014ccad55fcd70b808c51a44bbfd530e9a22a86ca21cbfb3e40d930119451c9
041391fbc7855b2b22b3ceacfa0ff4139d4e71b86c23a2560c04409cba23edce
6911308fa3563b40454413b6a89473b9c337f6923b6ca3d36cd91db0aace248c
5903205afd9e904992a088faa3c90f4dca196d375a500d91ec91476158b68117
bfee515a72c2def2bd6f01958187ad2a11fe688fcbaf2a808380225503d7c251
db4bf525c9c3efa9035eadf14378ef613c20ea0c9118c9fcdc2ca97b4760ff26
fd413f73c7d10eec1422a60d50a2023354e6cb12c0dc67ee7116806287d2c534
b81e338953f0a9365ef8bb4fd4c48b79860b93bb53afa56bd6aa7e9fd2dc331c
ec7a5ae43d8e2ca8048855c57571b0356306959a6164d617ede54b561f498190
008acf1db98880407f0782405feac9edcfa734ecaeaca065aa37d440da1add73
b52ae7dbd9f059fe84c0cbf73d59811e87c06928dd07946ba0340cfcf97e1c89
3ab0d7eec7ef409f9bbebc3a5f3082eb2a2ab2c802bf3d283451376beef3c328
https://thinktobehappy.com/gtxvys/30201/
https://www.bonvies.com/preisinfo/p79846/
https://parishadtoday.com/1cm15r/xog62eh983/
https://www.organizersondemand.com/cgi-bin/m719694/
http://www.lindasamson.com/vjhoqx/n46759/
Creation Time 2019:10:08 21:38:00 (Attachment Only - Doc based - Product Notice)
SHA256
392040b90e605ae9d067477be332ec7afaa6ddaa6dda839a4be508b810a10f61
6d679a91ec98f97d1f32742549b9d0212b2aa5cadf0ca0d08246f34a289f6e04
be70c7c61ff2b6369ade37c27334dfd2fff3dcc6e02e571686edbe38bd667008
c7ced1482bb20fb1065e53d648bf05c6840d843650d685b7ffb5614fc3e309fb
2bb1527ada1ac7fce2025798130e3ac21a83e0ebb27e85d281d89a07f87e48ef
6743e819a34e26290e4b9e7692ff5a063cdc0d48cc87f6c77fb3c28097db79e4
d2e6215ac15fe2176787ae422ea20c0a23ad6df7ed367cb47ece74aa6c560550
474e5532eb487d33f4a2464120aa4188b131d629a96e31c92487ab013cbba8c0
2e2525bfcb656ecdb42a0c5c8e4fab533c9d57fd499f131dc1bead5b086a7f1d
7471f2ccc2225f7a3169e9521706c2b790a21d48b95794e46ac71ccbe2fc9416
c84664a344e771be41969912556336d2c897a4dd251d26eeacac6bc5fc319e65
4e806bd9e096dfffe056e99bed38f1a85731515b11b9ebfdba0d7ffb11fb9992
efb61b5b76430a4c0d58a60a34d0e8be970d771a37d9c14987ef3a6d5377c256
ffceea0e683d27646dd9edf54b38876c347127f03d6fd76bcb27706ce4a1bce2
https://www.skullbali.com/bk.wp-content/311/
http://cheematransxpressinc.com/wp-includes/shm5djl4638/
https://aceontheroof.com/i0oni/gzx5550/
http://www.dgxbydamonique.com/fr4jt/cache/init.upper/h8914/
https://aaplindia.com/harder.inc/odw8xth96/
SHA256s for Epoch 1 Payload EXEs
a1d4243b1e2380d5fc9d26ea036bd00c39f09cdcdfc1a3d2b699b5fc15cf29a0
800c0422838cc99b849010326ec0b321ca5087f76f8b3479baddaa089073038b
289c04314df3679f04bf1817fbf1589fb19dbd481f8c20daac8861068a7c5a32
3b54697e11bc0f4722992140e080cc76599128ca144cd905d12b9cc9ea1e6ba9
d8614f65c65df8ca408d493fa9ef65894a84d9a49ddcb08be7b0798b670d367d
640086c532c00aade40f11146f735fd3e969fe1565e5890800fe4b7551100523
b5617d46830e9a3a362c97b9c6140c15c04b1dd64136ac1abf1dea3e65d83ccf
9d90d6b929ea9e7e517bdff7d826a49f8702f3bf005a3ee71ba53c4b91b32c01
e6630adfc5882be333236fd4da6b8fb8c86866b4768b7914fa9102a3de3bc3b0
5ef1a5f4d7f7e3fd74392e514680e3439de5af3c1c818d560d82a62c77eb0a91
52dae4128bb378dc4a877aab9287fc1ceb7576e1cc8506351a5679c6e9dd2e95
63cb6cd04a691f5af02e6a045cdf357e93ee8be5002100b90088b5dd65b24b70
a294d3de530521a41e13cc3fd07c4ab8bb6dde58e4f679f2829cf440c51b4526
1ce26a7b3c6204c55353d10646644cfc15a9e3f51615c068456956a9e1ad4589
5a7ebc8633fb1c2634dff69a86a455eb977ce9bf4508aa8d06b4f9d535e08cc4
50dd2a58dea323956e323b732b35776b6555347bf77ae4f21a0f2f73cb59fba2
6808bb2428b7b02a97ed9cbf170e1bf1e8e8202200354bb696da4a1f241b5d8f
Epoch 2 Payloads by Document SHA256 - All Times UTC
Creation Time 2019:10:09 23:26:00 (URLs - Doc based - Activation Wizard)
SHA256
1ff45920b3eef0ba9428dcf261538e8f874205f2f7279e881efcbf2c8b7ddf6b
1d29e6801ce94dc34ad5f2b5a41f38be97f7a049f3e9e19df1cb43151e3f544b
9eac41f62d55af75036c89d0ffb6abf724397de9db1601485b3c9fc682da0803
adcf4e809c5eb320eee150c670755b13c7213cd79415d5ea42e2df00019d6f2e
3172a2c9aba211c55835096a66b5e2b51446fe324ab06b9abe3e12ff96c82286
f8a81fcd5e4b1c645941b813c4e7053c4c92cc8b32076e73a5ed2fdb222d02b1
fc13915dcf6948edbe4bb35e72d68abc124fd2703b6d7cb8e54901b490010a75
951b4a236894e17df7860e6dcfdfd2ecb003aea7f811a81c6a114a8021d173d4
88177b5b39ed84cb0d01934549e1af17f39273dc50302d920fee4bb06932ec5a
6cadae1df63f52f3abcb5a95d3d4fe31b90f238da742e61e8edc716373a52375
d83997e478df2c6fb110487f2456e8174b3ed5de8e3d7d09a91cb50f025c9805
4fc7f7b3f725c62a8cbc0ebdb3ce31b92406bd9fd895823d08e478c5440d3e36
cf36aa2fee5351891df1ad0f3a9449c19da65dddfb65a4f6c50f4e9218d84a16
dcda6be47fde8a164ee800f2a44251fb967d389ae1a2b39b371728101e022083
99ab5a5a0ffbdeb15b879e6fe5dfe9aeb45af1929af625435ced25e002a5b5d2
d3127b4036997e3671fef2a90e09c5e340d289dfbdbab44990673500bc56f407
2a52899c65cd366139377fd1a3c1648e9effbae444bab06741f12bd85787676f
7fb16ea476bac40113f29f3a318c305dbe8cb7a61439444b6589d33d69586f60
e333768e423c4aa3e8d064045ab3245ce04700293b0ea520ebf5e5475ebf8da4
ac6fe53c6f11ac695b43b65374774b18557f560c499bd4b9ae2d853ac4b899c6
5bf681e960fa4c9fff5265185a1f295a4d8085d7ef8cf19e4ed352d879f7e430
c05053f986189ad54bcdbe32ec02e82635c63738073bd9377fbdd231277a0320
e341407a68853121b529e2a473e68326263308a874876f41044cf5385c2dd2c7
131d969d83446ad79b80f299db173dbb243158b3df827d2b2bb197f84561b542
d9db4fa770418d6a1f517604a668fa4a9b54ce0e5dd57f2d91d7224763be11c7
c923b3272f267788fd3b9324de97192cac0839d72c742b492a6a5e8240858548
15d5d87f6ba3c6aee2c9a3f3bc9c4f83f6c42ed0ea305eec19c678160d6d15b3
15d5d87f6ba3c6aee2c9a3f3bc9c4f83f6c42ed0ea305eec19c678160d6d15b3
14cc58467a874f57fd4b1b170e7ba3e3aa412e96021b272e9bd7bb6a1f76806a
795a55ce16a6e032f51bfc5db65f4051a3c0df955a50e17a6bde4cf2c907d9e6
8f9307bb59d42b4317ed47e23470dc886580d809a3caa7026614baa348dd50e2
017ac2f1b3f228c520581f72a648f60661e6140b4d176d798fa8bebc04684d47
ba0c2b5c5be8735d4ce6fff7e57396aa848018d8d71ded07134ffb7781f522ea
4f25f7d86cf0f77dc97ebd3184a7e03e8da522ad421766bb559b8f928e53cd45
9a26b75cf3a0d03c97e1ba5e485e32cb77d9833277be6d6f4b8df8834c0ce082
25647f4c672951dfd28b9c9121e8758ee4b45c53b3a462fecf3f70a47aa8a239
c461e4fa357bcf2a2d9638e28711e177143a688675eb23a99295b8868f03e845
9f17b8cd7da66d45d1bbc9c3965591d8571df7f3b052b6f79f10a58e1439d9b9
f93381722b5ba7d4ed93d0c44fe08cd794574547d97eff11ed814b0ec18273eb
https://www.mmtt.co.nz/genimage/ClUXVYfQ/
https://wkoreaw.com/wordpress/FxiXOLHy/
http://gennowpac.org/wp-content/DJRMUdiP/
http://cjextm.ro/wp-snapshots/oDjcwvxm/
http://www.antonieta.es/caeeq/dtWZYxVo/
Creation Time 2019:10:09 21:25:00 (URLs - Doc based - Activation Wizard)
SHA256
fcda00e376d44602c901c96c3a681e04a68ccf5e78ab8eb476872998eb23ad27
fb847e82ace6fa7c71a842b528ac6c6854cb62edc6b3e168522900507d261c67
aec5664906021d4bec1e6f33c37184a99eca7db183b4fb82716c43db3658388d
b457d2f0156e4b5ae5a4938c6d89ffb3db138412ba6094487ebdeaa935e46429
ac7a03ef19d79a5e52b89f284d95b07517e53ea267567ec697c63b5f2786c40b
1a2cf768fe29740e8aa47c5cff368ab1e81d9ee73a8047b820365363d99cd148
e8e6f8650526c21d34aa43a33b4e70d79d7aa4d2c39434582b88a9109f89de04
ab90dea096c0cd0114ae6aaf4fa406b524a5f503d2a5188a7742403c8cf48a33
358ac103282c3fdde89bdbfd1d16edc900c4e10270e17a19eff7b0458ac5b130
5937aaaee26de25b8fa488c5897cc9d7187a73458acfe3f824686ce0dc54c3fe
1039cd4dc430850a16167d10583b1ef9f9f7649f85b9ef4e380e4cea0b28e2d8
7911ddd07fd8579a3b9afa233635984be87f299a166555dcb5268fe5e28e2519
236bbea1bd35d7170ad42e8a7a9a204024f730cb5fe95002d840b438acd6f32c
688b36ddccba7411cfdd5b7289f698cc1a0eb9f0f22fe9313ac4a97706067b08
746b0fb6a5475d9362ae677bd66041c4bf14a17adb5516546ca3393eaabeebc5
72e80950c7a2f21ef7f6934e4fae280f8401fe83de4d6995fba8e0dfc559ef53
00dc9db96ed5db0c3138c1e5f74dedb486be719f01a6fac6f60007ca408b78dd
19d97aace3c075255a0370f268edd9af6b4e69e30907ba876e5b31f8a533086a
https://salesray.com/freebies/HzTRnIyl/
https://westernwellbeing.co.uk/wp-content.bk/hr2qxq_mydeb-0513806524/
https://dollarstorepluss.com/handle_api/91l800s6_j2tcee7p-50/
https://chrismckinney.com/cris-new-file/dejopn9l68_pgef8-79749073/
http://squareonerenovationsinc.com/roawk/wtuds/UhPJaCWK/
Creation Time 2019:10:09 16:49:00 (URLs - Doc based - Activation Wizard)
SHA256
57f050a32c6ebd5ee2dfc81069588a910df9917b9770db07d84b5242629fa012
e8d6e1eed928ef0fc54b01edb5df0f45caed43e5c0c2bf907322d085536495cd
92af46b4fbaed9fde6b81af08bb9965c270ee334abdc7be43eb12a482ef65a6f
d0ec402c6420a7a773c4a95acccdbde2f4ec2bb5bf3b1b13f86e8e762a37bf7d
b48704fe8b054beb0191bc2d7fcca10ac463af8fc2d9cb232026ec4c4aac92e6
fef5ed7ccc45e820a028b0aa5cea44e51a384f8e7ab6bc5632f33d51d64664e5
f19c01010e1074a20dab25d568e6459c73ad15d1866d8f701960eaf78d945c26
a5535ff40bc7807b8dffba53e8a2a6fcd2e9bc12d545a7c0618797d4c27d7eb4
e1a5c331ed5d89af9ed1bd575692f6f5a7f80775cb43aa338becfd0019eb8442
419dc693eb08a28b612cf80637a29dcb819c5b8da3be417c51a99e1c9f1f3515
5380080f42ec25e09f5d9a208fa0c78f82ad0f45768daddc7b63f6988ab12273
7222676fa925ced8216a6173b82d365e994e644690b628d33102d13d6ddd37c4
c87b8f0e9cb9ed67e5e558fd9da0574ae16b37ec669dd42fbb741915e5e4ba91
864b8b9d2b33b2902a9795d894be4833fa1e1fb62c79b45dfa292c8d5b2d5fde
421dccfaf3360abb5390c29fbef5882f94f35e119806217ab8e7e5f44aef05de
e83151bfdcbb6776a7e1234fd842fdb63b023a8c10cbafa8d5ee2ae1f882f538
7615099e7412c5566162945b9ad84a5f7b2a1cf66389fd66db199789b0cbbb69
8fd63182c87f737c63c77a01d8ac33878808689f2f921979437f91724b1382c1
fd8c3fcf8ca04ddd17f6fb7f7a6463912e6f33bfaf27e765188887fde52686f0
95dca0e1440d64cd9b0a1f67381772e46ec1828e77e48544239f031300382def
8fd04ce2418fc4baf9ebde360fa250cbafad34dd67dea5afe4f317779679dff2
8de71f09c70fb405a204d32b105b392d9b14165675ff6df937669a08d47724ae
61efe2427662ff044fd5f42ad21f4d1ec5dfdda0f6c922bee558fa9470ff240f
227111ce7f8b8b2fdc4bbd53fab958b27e33feebd790ee17ba8d06da410fac10
f234bf584abc0d18e82e166b9a45d779d20841bffa1525e84cabd485adec6b0b
534e91a24004f6a7738d6ea5a566447853a093f279603ec098964596322afd62
7197b03dec44235f9e44560e18fa14b02f7021e2f2ffa5ccafb39fcd415e8aac
f57b2904d665951603a281dec44425965ca87c15f90a0f5f8282b609404b3a88
f57b2904d665951603a281dec44425965ca87c15f90a0f5f8282b609404b3a88
680e0f26be549bf15d1c04358e331056889a26edd605ff2870680b7f9cc83d53
af14bfdb6fe9002449434de0b75a24bb254d2257423f1503e64f9e95e1ec11f1
45d8f08d687befefa8950853a1dc483c2b5d2df3012ee15c45e166673330a12b
2f7c65ddcf0040bcedf508523b6e8147e00c2d190d31fbe4aa884fb36bfa4a16
29337a61c515f871111999c5038480e674452cfb18bdfd66b8c243f796702337
49e15b319402860dffca9784f6281b0452321ffa98dff8d292a5bbb68fe2a542
9084965de3ade0fa050e91799e67f06f69ed28a1848683f6b193d42bd2e13935
0b851ecaab8adeae4f55af349ac0d81d548a8be74204cb839d2f218846613296
072a7e6f654adb46e871bab6b3e6a43a8021ac60a7cb4f1659596b79fac0d5db
a8be0caac4bdc870e46a5fe401f5b6e86350b0b858517f27d309d2823ee93270
http://www.soprettyhairllc.com/welcome2/ircYdjewPt/
https://www.zhizaisifang.com/function.fence/dLjPTzyl/
http://future-maintenance.com/wp-content/DDbVcLPvz/
https://imtglobals.com/images/53ef0u7fl_4y3mxmb0f-54/
http://www.vastuvidyaarchitects.com/wp-includes/MXQxgFZE/
Creation Time 2019:10:09 12:18:00 (URLs - Doc based - Activation Wizard)
SHA256
717415998233e6c11784a3d7de4c81cbd1cf1631e0c7c37ad2fca26d8c8f4b03
60e09344caba483d8ac3cfde08950cbf8e6d84dcf20f859e25a76ff654767a96
4ccf926ad31a13b7e78eedc783d0b3dcc70e45ea21851d97265f7f30d05aedd5
bdeb87bdd30ef4607be960c0c5171c479840bbde843ac85b2999898f0c11f03a
7c96b44b991c84fc3b006c5dc34914033200478f5146e0cacb9b24a6f36565d2
b6871d4b11c590e2656233a18dec9fb376931e7fa8b6892dcff3981d8ca02fef
a5c3f1dc9c03fe2df101ea82a64fc7b2d8c3aee0bf3e0d265c1cbf3da2ad8815
bb960450c2b0089d24590ccdf5e9771f674257b38388afc26d4fa195b60acd7a
4679802149dcf1f91bf3c0eac53e2cc742c84f9791f671180e7560b6df08c9e1
020d304a630900854cea9666409dd76f51a35b3d3d60c9ba0c512d59e6b25093
843fad6602a50a9cf09f0d44ad8cf1be1a102ec005d87c9d194b3d166555cf5d
ab47a7deb307f5d70096f44b7698c17c814d0cc9b37dafebefd1759b64ced6b8
6586de01452e6af994b8baa1864135ad137fc28a354fd994a53274acb4621b12
765e97c7ce884767fc2038e235edd2dd1a81a78d2c10a9b93d4c88a098dc7e37
197a06f462b11d818f1efb361aa61425dfc0a7264d40deb8e3890fee1271d6f1
ab84d56cfb83e7d44ad4790abdfe4922b93bcf05b0c1b2ff6db307fadbebc133
1f83e3a97c2b5a9dd0bd4436d7c90328bdddb85247da50e3796e48019d5641de
271a5404a6a54094001ba2ebee1e9fc2078dc087ad7887dcfe0cae0d977a3138
32a27f26da134ae8e33728157da7c8586587b223e767cb1771982e77770c5082
ea71ca044651ca4b4213a6ea164ae29d4c8d3e3fb15d47b0d37877c6f0962ca1
83b5e481119a6df670ccf18d3a18b16d8d44c503fd15dfbfe0cb43afdebebaaf
2dd51af5854cd122bc39a97c2bdc74414cd3ad36ee6481c4fd110b654f7b5396
bedf0f0ce712d58c5dfddf05d9e1c30fb8154f73fd348a890644b27a3b9da6c1
0c6bf5a8ef502acfb23a107df5844d96ea4326e751890fd40b5b394aa029ff95
2ef7f929b82fadf88256a0769528d97f8a150d19085eb2fbf870fa733efc3777
908e000f88b1ef8498d4037b5e435e8ce7e4d597f8f5b5e42ada8667aee9df74
930da8970782a5d9659d7f819f40ecc1cebd6ca34d58b4238e2fb8f2f145a598
8b5db5a8fb38b8ae91a42ef038d1a9404dc3237c57cbf208ec17cb80b3440dcd
1c82df1eb52ced640035de11be4ba478000a1ee9d4e0d9b773c0c8172504bcb0
da5e7b2615f593378a43ea6f04a4e24f53256da53d697757096bb4e497d05a88
bd8ecee8128b26c36e473ffe46bfe01e6f584e7bf0582605271c784576300243
5cf997ed48b79d6787097d57dfc2711d7140e88ecbc78826b70e6764f2e305db
42105c19ae3c59353da42fd93f7d1e418fdbf47ddd14b057708b31a9115edfdd
9a1c2f37c694cae03eba825550a69d528d43f0f157df9dc83bd893d3e4b79ec6
e40a339fcfba115315f5e1b624d8db9b0ffd4add67003bfb245b81da3b542b51
051e6598ac379949458a7cc477846784ec21a6c5d4050395a87851db626becd1
8f32b851e59df9ed854ef911809f89df6bf8b0d3df877495cf0555342bbd1674
http://stephporn.com/cgi-bin/oSWSyiKNzf/
https://thehopeherbal.com/tropica/PAbLPQBS/
https://e-centricity.com/css/zcnIdWUhbd/
https://newagesl.com/cgi-bin/WEHqDwjwS/
http://www.westburydentalcare.com/wp-content/hvg1k_1dr5cd-999/
Creation Time 2019:10:09 06:21:00 (URLs - Doc based - Activation Wizard)
SHA256
6b402b98e05150b7cd6cfe353232c9c90edc357c900487e7fd60adcc2b4ccb66
1aff2e97b2120bfed781b58989d7b9ceaec3ffe671622a0301ba4d72b20dfeeb
1c430818d791db7d2e5e15741fc70cd425e7c3f446b35c25a408dc6806703697
319019ec8cf18d0d64954ef9c16c195881200b5df5f5de8a452124865d04a4b3
e7ff479f4adb4434b10983fc64d9f5d442da4427792a66f2ae4f4e47bfbe7391
843d8c48fa76752c40ebc09fb07fa210df141abff4b93de35d9f81f4c0bf82e5
d05bb19ed89433a6cb34cf69d96f5b6327b800c959829b8c18e78663f9926018
bd1eb12f63c1ac2aabd42a261abf137798238f94b22bd858d8f196a0bad04cb5
9122b23bbdbd11d11dd50f8de6e526b29228000b8c48924ba234fe9a07aa583d
2e16c69839029d1b264d1e364cc5c701c0a0ff43d133f4d63dfa3fd48d6d3e60
fd50554b37b4bbd917bcd4ca8d79fc5cde03c68176430512f68af16a6f5439da
4551c05ddd531820cbfe46f4fcc81c666733a8338dd4f22b2b2dfd0f7a1d7fcb
bc0b6c060df94512811bed06c66e36528b6cbd2bb0861ed4cd1ca0be3956f836
c64c65f0162a0c246647dba56224a66cfd5c1d52480e0ed5acda6a5057d5fe76
d42f02db80c80f31fbe200c6525f3e2920de1468ca9fd17b0108fe315ea8ac7a
42b2f27a50a9d1305cab4219621b1bcd2cb75924e6a24c28e5dd45a1e46e0937
80b51357ec225e671e6197a5ae1a6f7a8e3ce612d68c228be2f2c52102d7f990
69aa75b522f9d32a2d9a58bcc7d72cc7a389b889844b1cb56431d25546bb0227
705ab1b0d425dbc8ca373e4ccee0916a7ab18547c3ea500cd3c2b3ba4d02a835
1654dee2f2da5293f465c0b5ec94172367afe10581ae60189f58e771a95a245f
a271fcc407522b03fcd67da5043c86a5b277ec49fa84e3b8a3ab37cd7ba6c4ec
9d0dc1eb88f28b66626e405c5e43632c8edcdc55e2b645b319a4759ada545f39
107a05bcadbb9c45bbfac44ce6ed892c0645a1c2405b2aed50baab021c9ad1b3
764be4e80aca56a9c315869b45ff6c2fbfc4a9ff24e0252ed19a1e1f2a17f2ea
5fab189daa357cda0edba516934aab089d3f30e444a393ded5805fc750256ba4
2f39759fe463f2863e147b4613ba800e82858c41c2d840053e8ff6f97e49fa30
f4122bad8e4a9f6fbc823f179337191211f08c06d0c90407e32ad9fc5919b439
be82d9dcdfabeff2daf4616933afcd121be737b2d3c1ed7f3edc877fe8d60c04
2fb0490324e27858b741fa3446421049a1f0255ef77451a252d02b4d00be5f2d
6d259f0fe9e4df9055b7c5dbcbd92f4673952ffa3023e4407db60350b3b82937
08f54ffb88630cca7659e8cf6a6d0fdf3efbfdd52af65a760e7e359139bf9f7d
bbd0e2eecc94ce9289826e7470a480de0798992b5d36a7e648458b33b4df241e
e667695ab21107e8ebc4cb91f62bd9ebd0c7d62efb1773e459ce2a81f695a81d
a8839f902fd6505ac1771d4ff736e56e56afc76e4f74c867ac1d6a2def122d29
b9a9115c0587a8ecd097fda572cf6d6455d0c790d09953416510c027f72b75b4
a1360aaf0123b9b2fbadf26ef1179696232af15c356dad56f0a3819164e6bb5f
caed5c43bcff43b5779a7f8a779690f52a14e34a3b96ac3bbdf94d28107f77cb
6cbd1627d191844e8324a55ba7077e615cec2f8a5a3c1ebbf2387bf304cef131
bf028ce459f399a91a150e2cb30091c642383cfd5cd1fdbd4cb05386625848dd
e2b5fe8808ff20a3b542c2f5d743e4ada1352e04fa5af176d9f59351592d24b5
ca537795dff71d380eac2fe01dea5f9ed4c4011c629e9abf47b44895948a33f2
be126ebe84c6f26920814cbe686a15f1db6d85ec60d6412ce20a65e0f6772988
bd000e4a77d78a955b3f2ccd83f614e0a695a473055f329cab11eaf25a908aff
c2e96967dfa38d75c6b1294b2bbaf318950edf1337aa779b7c7fc05b732fa478
fc83177d7fed0e76f6083fe4434f1fc97f00dfa21a055bc2be8fb5d387ce1d42
f77de6d5346828a0d4e5f22d9db199a1b786973f458940ff26b5a35347066f1e
d2c7f431b76c0bef8003b29a2ae847a5cfec4e420d394ea8ec03e78d03c50b87
3504f1e32839c590c9e881052cb4a3b1f73bd2e4660b033dc1912c5f056de5ee
http://steinerurology.com.au/contactus2/e711ow2nc_p0epf-1/
https://floryart.net/wp-content/ir2b24x_95bk1-180/
https://shaolintempletanzania.com/wp-includes/y4wxbqausy_o2gvkic-2375588/
http://www.dobrebidlo.cz/cgi-bin/JtTDLyOOz/
https://www.logocrib.com/reklama2_server/19amqnf2o_kptpd-78843521/
Creation Time 2019:10:08 22:16:00 (URLs - Doc based - Activation Wizard)
SHA256
e87bb68914c0ef7b9f18211e433f91bc4a6c4d82eba8436d98dce32167ffc1f9
50d4d9c884c8c505660b74aea5b4b05dcaa370e2dc270d1b9f3dc59c899f297a
45a37122a13d5b02f5bd64ab60e1f9421381738c19fb4a13cb19b51b41a1f88b
bf5d456a15fbe96b05e8feb12b535a70214f5bac3e56e96a20dfcac60b29d006
8b60b7de0518d45996047862812f6641abe43a34cc8c561668bb6259c45ca712
28abf284985f77c70b387fa760ed8854a0114b05f7de24a8fa97920808af0234
51583c7646007e7491706c652f15feb0219febdba42ff614beb0cb98a3ba3204
e40f3ef25f436b682659426c4a0090784fba521b368fe0591f88e5bf65c4dba6
751c3b522de8f2045d9ce84096455e30ef73985f618e33e79a39f12284363f88
56b71d9545a14b080ab7eb2036a9b004d693f6190e4b616a2b2bee977152c24e
936259c6c919bd5f3271486b487fd320c443e047af82335b84bc6f533647efeb
8b9f82b44c7fec0426c9adddd0719466f867ac98a21fc5648d87d5df5e0bdb83
0665e059a85f577a38ca57b3328ffcfdd591eda4421aa857a5b9535e7710bc50
541db291479f192cd190e996437b706ee472b08871e4a89bf425a5f77e757054
e428c1e1cacb0cca50c1eec571d89176ce6b4a630cc49e9adfb04e12eb45d31e
d492595de7a67e6c46ff5ae335725a0553ad904a0534ed20bf29b67ece4e873a
4dcae0fae1cbb18f9c0b6c044f79a8d1b86b4343bed077c2c94a8896f7bf4bd8
b66a93c6f054c3dd576b518846ea162c3b490b0214368b9530e4a0e4ac2f5867
b64a15991bce0d746e47a8c7fd6cfca5dc81b323990801076870096762e1ed7d
3740c5c3a725f093c7895d056f6e09e817911f7d0a43f1ee67ed3d06f0a8ce6e
08c30c1f4782ddd30911fae1e23a29f115386454df794dd1ffdde226bacc3aaf
53b342834f0b0477b3cf000d45cb4363814e572a741c8f004377a5c88b8a9a41
bb016b2097482bd176b2f7da455d474f5d9b791e3b8671e4a9c539b25aee45e5
7b0b8d45e3d779abc31f490bd2d955810bc6e10c057206ef0326e97057f84dad
9ac6f2c48c6b6c14edb941ee27e7ffdf436054f2d5351bb6b4285c0857259e85
bc6df43e2f78abf8acae5e072b9dc69411ac1a0147b2b8730863d6f0ed3b9102
29c97acc2777eb6d00e02923cdb120fdaffd0f1f4adf2e58961b5034889d34be
ee53338e4f0083d901a4f16494c53161604654842ef71caf59a7db986ac54d92
b808bc7ca3d26aa8bb213695326842a4b5d26dfa9a8f3a46dfcc283a381c7b04
8bcb2e800ab8e95556dacc816bd7a0d59050b29b5cdc913a54bc8167d84abdb1
23dcead775f62f66bc7033cbb68e30329e5fb095504d7d3a42a1b71453988308
http://www.bundlesbyb.com/tracker/wem3_yldu7bdho-3397265/
http://www.crookedchristicraddick.com/b6lco8b/fjJlPxAE/
http://flyadriatic.co.nz/wp-content/upgrade/kNNrBpkb/
http://boomenergyng.com/ejtvcw8t/nnqryau_eicqc-2236624/
https://flowerbodysports.com/wp-admin/LyKaednUE/
SHA256s for Epoch 2 Payload EXEs
0ceb1ab2bc03b840c03b5fcaba8397ee8d0f3877b73fff22e7bc50ab5c596821
205e75b54f67ac0d99445adde7a91e94c56cfb5c4995878327027159f5562027
db9ab62920e6a46ca2ed59de12132eb16c5c6205f3328a4d5a26cb52ae298ebb
6d68d21a0635b1bbe2335d4e2cb3e34c8a0d69e320725849465ac3a5ab11b31e
ee35b43c9bf1a9c24ab983a470e1cf5eb9508c741df45f5829c8d918a771b584
1f365eb1c7e9642a34dce74a6c75b6d5589e01b37c4f3a340894781064a508c5
4a98c1b48e25ed7a590d7fc89d65e07e40896e90c7977658c3bfcd8da7392181
3251a00155619dd1ba363b7fe477dab326fe791d2135129d3133c0cb716dd58b
060af9817567645013fca39c2a24e3baae88a9ac4c96b369a7961755666fa01b
cdbe742cd698ed504e7636811a13b8328c0a9905f4158fb25cde01dca66230fc
066d31cc0e6f45e89297334aad69cca12d60e9b4fe6aad341d08bcf6bce37c45
5e121e16757f3a3bafbc9b3e696de9473b4f1af5a314194cdfca68ab40332e9c
b77f540a0cf278192870bab7fa677c0e858269ce1321814573934a6d095d89e4
0819a3cd3245e1348b0044b9fbc03d7a63449b0454a10baa8dd83c604adf718d
Epoch 3 Payloads by Document SHA256 - All Times UTC
Creation Time 2019:10:09 22:06:00 (URLs - Doc based - Activation Wizard)
SHA256
f6115c318f0c3b864e6327d90dd9cf83a03fb7c21f19beb7dd3d2abd13c87536
https://rocketbagger.com/0iayq/rbac8wae-povv6x65c-527167/
https://jeevandeepayurveda.com/wp-content/1ixupf6-576ug6iiz-67/
http://www.kyzocollection.com/vegk/lbrbx-0k1xd7wmy9-1012117/
http://www.bizasiatrading.com/nxa7v/8wnaa-91zx-4804/
https://aideah.com/lpguu3w/UJJnMzc/
Creation Time 2019:10:09 12:25:00 (Attachment Only - Doc based - Product Notice)
SHA256
7f6971ee0dfb6d9c9078e6580036f34f7512855d580845f20bb6dd401abebaa3
9d98130e047baddc12e76675bfcc8ec6faeefa72d3526f5b90c09aefe218d881
766c7fd921fc9ac3adccacfb7c85b028a18ae4e33667171163387ee465429df5
e8d8d3ccc90d2c40e7ad7a62173e83eaa7e6ce2207f15ba102f4e3d240be893e
25e16e7fb7c62ff67ffca97e1baf820a97f0ba68ecea7b0fafc4d1c1dd6eaed1
b8042f7ada7dec97196950ef4129a9c1c5a9256e6172d6a2450ac101b6cad0aa
0b242a5963d4f8367adb25a490abcb83fb35f20f3b9e065023da82cb7d874b77
ab137e95ba384c35aeb38b075e22c7ccb88104a9069a9155471055ef7bdbe087
http://www.firstepc.co.uk/partnerzy/qpmu-x6apdv-47372/
http://chophubinh.com/wp-includes/22o7q6lju8-v59siwk-338325/
http://casadecamporealestatebyidarmis.com/wp-content/c02t-5qksf24-39/
http://www.fixidarbi.lv/8zbn/aittipE/
https://shopteeparty.com/checkformats/t88qai6aq-athkgzd-814984015/
Creation Time 2019:10:09 10:54:00 (Attachment Only - Doc based - Protected View)
SHA256
5fb4ae4ca85c58ed415b62c311b5aa90ffd4be4b41c68b4f26d9bae03a5cb900
816d707bdb085f0d6bba350839ba9ac5bb8f67f419377d1378ede1f5df8b6222
d2c72a144c1de8fa859dd7324b8fc5a5ddfdb160c18bc4a90da67ec939730ffc
c2083ec63d6d8b276abd4c55fdc33f7d2fa2ddfb3ccaf4f461f4182425394011
3ffdc19ce4dce8228c9485934692841211a423125a21a5adf683f82d946210ca
https://pinline.site/wp-includes/juEphqW/
https://app.fh-wedel.de/wp-content/uCVUHZ/
http://federparchilab.it/backend/wbtNkv/
https://za-ha.com/test/o2ymsg3c-2f3-193827/
http://www.mikevirdi.com/wp-admin/dqp-x3yftd-0715/
Creation Time 2019:10:09 06:25:00 (URLs - Doc based - Activation Wizard)
SHA256
68a4be5f947d5fe920648df14d349339e056100879f5324e3274614af1e8ef65
a944bc453a4843e26ba34081acb5178ce211ff12a66afdb600f4868e37606c4b
188e238c1d848b2676e19739aab5bf773bbf287c8b51d08f77d2541596fe2a4d
eda315d639ba68a2f225eaefa44d6e381d0312a48c8dc4505c3b76878f136ddc
cb8a01507dbb55101009ac8ed24d31ea41bb81807ff300edd8654fc0712dee02
f197f9652134d09ffd19de2aba7f9694daae9e9de7b55e41347ff0794841d760
655624386a4ab8bce743a8e1c2d28184cc0a2173d4f8253767188b68b17de76a
573e4ff41365d30b5ca0a161ba2406d19d7650a7cececfc53b97129470619d84
03f566b7d6832b42a191c883ee30a77d0bf13287c2d6bcb3f31177e2fe818ab3
8c1424df1fd2869183e39788d3cbb28f06d764eaceb6d8678eace0321a7adb1d
288ea7ffe71e3d268aaa1032a7406994c5b707068f50d9198e5bb32e7a506074
83fc05d9f337af6618f32a87fb4fb40f3a75295071d32e207bb6a2a10754d7f9
http://systematicsarl.com/index13/5o2wrr6-1vx2jgebk1-671739134/
https://infinite-help.org/blogs/0smmsc-26u64-21/
https://salutaryfacility.com/js/crpkbdksr8-7y012-20587359/
http://www.duppolysport.com/cgi-bin/v10dig-uafcrbdxu-16/
http://indulgebeautystudio.co.uk/cgi-bin/3g6mgv4eyj-whmq0-8148542047/
Creation Time 2019:10:08 21:22:00 (URLs - Doc based - Activation Wizard)
SHA256
98171cb786b90d72b9719f6a6fb80c5104fd3dd2aeeeee5ffb386fa91091602e
f8088422b9fccf20927d24f71bc3379c459dfebe47930a7191c101dc5765eb9a
47e9b5a0b1186463980089bc086fa67a825ec11f6f59c9f41c3e7baab4f3d59f
16e1a596042ee81b42006b1198e32c03506e8f803cf9faa576f8c2c128a63587
0df4bdfcf03c165331525d6b80c1ebeb2ca47737210e8819025fe641b0572242,
c3e2f6c1a0654e7c18e381a0a501515977b5bae6d7d7ab6f1aeb075704e15dad,
f77ded17b431d4df335149b3431951b6e8bc06b36b62725b8cc6aee3188cc9a6
https://quantumneurology.com/c9wpulh/jzb28h8-nb0rnw46-3014549325/
https://www.xuperweb.com/og6pj/nekIilY/
https://www.openwaterswimli.com/roawk/9qjxjxwea-lruswyx-465183521/
http://www.evextensions.com/wp-content/upgrade/ruyjko/
http://www.diamondegy.com/wp-includes/wuksdgxg9n-pcm-6870/
SHA256s for Epoch 3 Payload EXEs
ddecacbbb1f58ccee7d1590fe0bf717c847fb75bd8ddf606927cfb2ea418dcd4
b6c5d6655ef066545f8b9b8094c7347bf283e771b8f9b46b8e8f6e08144dcf13
f4c4eec20fc332f2c59b3802f4e81bbcd85a54a5f54e627d6a2982f316af526f
9af3c4f8514d9c318ac90df6fc0e3a0278b41247ecd568b30a8266d0370f3eb0
0fe2c7cfab6e55d92fcfe60d66e236bef5d44450c6ae7b759bf694f6097d935d
2bc8c8cf127365a2a94bf47dc26ae14d11e62c38fd0df564bfc7867e025d94c1
a2e1341786e65952124067e53bb9522bae2247c5d51b936e7678f363a9e994d0
68cb95f7e0d2a77e5a4832fb75243520a5ccc109849bbc933062379df4e7d164
1e4cdfb7252c74369fc5007e70c6746994f9e7a2e9f2f11b3012718b415d77a1
14bc54ea2759508a18c4e79734d328510897db0a2c71bd4ac2dffb34f99df2b2
d511e7f30f4823744e99df45d93dba8babd58a3602a563d4b0d444f56a32c680
C2’s Per Epoch
Epoch 1 C2s
109.104.79.48:8080
109.169.86.13:8080
114.79.134.129:443
119.159.150.176:443
119.59.124.163:8080
119.92.51.40:8080
123.168.4.66:22
125.99.61.162:7080
138.68.106.4:7080
139.5.237.27:443
142.93.82.57:8080
149.62.173.247:8080
151.80.142.33:80
159.203.204.126:8080
170.84.133.72:7080
170.84.133.72:8443
178.249.187.151:8080
178.79.163.131:8080
181.188.149.134:80
181.29.101.13:8080
181.36.42.205:443
182.188.39.68:80
183.82.97.25:80
184.69.214.94:20
185.187.198.10:8080
185.86.148.222:8080
186.0.95.172:80
186.1.41.111:443
186.83.133.253:8080
187.188.166.192:80
189.160.49.234:8443
189.166.68.89:443
190.1.37.125:443
190.10.194.42:8080
190.104.253.234:990
190.158.19.141:80
190.221.50.210:8080
190.230.60.129:80
190.230.60.129:8080
190.38.14.52:80
190.85.152.186:8080
200.51.94.251:143
200.57.102.71:8443
200.58.171.51:80
201.163.74.202:443
201.183.247.58:443
201.199.93.30:443
203.25.159.3:8080
212.71.237.140:8080
216.98.148.181:8080
217.199.160.224:8080
46.101.212.195:8080
46.163.144.228:80
46.28.111.142:7080
46.29.183.211:8080
46.41.151.103:8080
5.1.86.195:8080
5.196.35.138:7080
5.77.13.70:80
50.28.51.143:8080
51.15.8.192:8080
62.75.143.100:7080
62.75.160.178:8080
68.183.170.114:8080
68.183.190.199:8080
71.244.60.230:7080
71.244.60.231:7080
76.69.29.42:80
77.245.101.134:8080
77.55.211.77:8080
78.189.76.2:50000
79.129.0.173:8080
79.143.182.254:8080
80.85.87.122:8080
81.169.140.14:443
81.213.215.216:50000
82.196.15.205:8080
86.42.166.147:80
87.106.77.40:7080
88.250.223.190:8080
89.188.124.145:443
91.205.215.57:7080
91.83.93.105:8080
91.83.93.124:7080
94.183.71.206:7080
Epoch 1 - Spam C2s
37.187.5.82:8080
45.55.82.2:8080
185.94.252.27:8080
Epoch 1 - Stealer C2s
75.127.72.18:8080
190.115.18.139:8080
66.228.32.31:443
Current Epoch 1 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOzoTryw1r9RxRJPFKalO4+q7JaDZWSB
KZlEc22H6ITuE06tvJspue42TF1yk8xN+1bqW++QeV6Clm1uRswA/qoao/6p4eN0
h4zIO8PEaJ0C/9EO4cx9yfRLlVpjdEkP0QIDAQAB
Epoch 2 C2s
101.187.237.217:20
103.255.150.84:80
104.131.11.150:8080
104.236.246.93:8080
115.78.95.230:443
124.122.49.166:80
124.240.198.66:80
136.243.177.26:8080
138.201.140.110:8080
144.139.247.220:80
149.202.153.252:8080
152.89.236.214:8080
159.65.25.128:8080
169.239.182.217:8080
173.212.203.26:8080
178.254.6.27:7080
178.79.161.166:443
179.32.19.219:22
181.143.194.138:443
181.143.53.227:21
181.31.213.158:8080
182.176.106.43:995
182.176.132.213:8090
182.76.6.2:8080
183.243.252.71:143
185.94.252.13:443
186.4.172.5:20
186.4.172.5:443
186.4.172.5:8080
186.75.241.230:80
188.166.253.46:8080
189.209.217.49:80
190.106.97.230:443
190.108.228.48:990
190.145.67.134:8090
190.18.146.70:80
190.186.203.55:80
190.211.207.11:443
190.226.44.20:21
190.228.72.244:53
190.53.135.159:21
192.254.173.31:8080
192.81.213.192:8080
198.199.114.69:8080
199.19.237.192:80
200.71.148.138:8080
201.251.43.69:8080
206.189.98.125:8080
211.63.71.72:8080
212.71.234.16:8080
217.160.182.191:8080
222.214.218.192:8080
23.239.29.211:443
24.45.195.162:8443
24.51.106.145:21
27.147.163.188:8080
27.4.80.183:443
31.12.67.62:7080
31.172.240.91:8080
37.157.194.134:443
41.220.119.246:80
45.123.3.54:443
45.33.49.124:443
46.105.131.87:80
47.41.213.2:22
5.196.74.210:8080
59.103.164.174:80
62.75.187.192:8080
67.225.229.55:8080
78.24.219.147:8080
80.11.163.139:21
80.11.163.139:443
80.79.23.144:443
83.136.245.190:8080
85.104.59.244:20
85.106.1.166:50000
85.54.169.141:8080
86.98.25.30:53
87.106.136.232:8080
87.106.139.101:8080
87.230.19.21:8080
91.205.215.66:8080
92.222.216.44:8080
92.233.128.13:143
94.192.225.46:80
94.205.247.10:80
95.128.43.213:8080
Epoch 2 - Spam C2s
23.253.207.142:8080
185.187.198.4:8080
46.228.205.245:4143
Epoch 2 - Stealer C2s
173.214.174.107:443
104.131.58.132:8080
176.31.200.130:8080
46.105.131.69:443
24.45.195.162:7080
24.45.195.162:8443
80.11.163.139:443
94.192.225.46:80
209.141.41.136:8080
46.29.183.210:8080
198.58.112.7:443
185.42.221.78:443
Current Epoch 2 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALk+KlHgOKXm9eDkWu2yN9lanjwOm6W2
PV0tgr4msNVby2pOJ6S1MZQnQwxl7y6WWzT4kveAQhLmW8JB2M2PDOxZOgVMJH2C
AtkVW1p/P9jNJWVvjK9SmrbLdIeiKNtRfQIDAQAB
Epoch 3 C2s
110.36.234.146:80
113.52.135.33:7080
125.99.61.162:7080
138.197.140.163:8080
143.95.101.72:8080
144.76.62.10:8080
157.7.164.178:8081
173.249.157.58:8080
176.58.93.123:80
178.249.187.150:7080
181.113.229.139:990
181.47.235.26:993
181.97.70.132:8080
186.10.16.244:53
189.253.27.123:465
190.13.146.47:443
192.241.220.183:8080
201.196.15.79:990
203.99.182.135:443
203.99.188.203:990
212.112.113.235:80
213.138.100.98:8080
216.70.88.55:8080
216.75.37.196:8080
5.189.148.98:8080
51.38.134.203:8080
70.32.94.58:8080
70.45.30.28:80
78.109.34.178:443
80.227.67.18:20
83.169.33.157:8080
91.109.5.28:8080
93.78.205.196:443
94.177.253.126:80
95.216.207.86:7080
Epoch 3 - Spam C2s
185.187.198.5
41.185.29.128:8080
Epoch 3 - Stealer C2s
178.32.255.133:443
198.46.150.196:7080
Current Epoch 3 RSA Public Key
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM426uN11n2LZDk/JiS93WIWG7fGCQmP
4h5yIJUxJwrjwtGVexCelD2WKrDw9sa/xKwmQKk3b2fUhwnHXjoSpR7pLaDo7pEc
iJB5y6hjbPyrSfL3Fxu74M2SAS0Arj3uAQIDAQAB
Credits and Notes Section
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.abuse.ch
because they rock and report everything to ISPs as it is confirmed to be malware. Additionally,
this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen
NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.
What is Epoch 1, Epoch 2 and Epoch 3?
(09/17/19)
With the find of Epoch 3 that split from Epoch 1, this section will be rewritten to reflect these changes in time.
Community Lists/Samples
https://pastebin.com/h992wUMk - @Paladin3161
https://pastebin.com/35PJFrrj - @Paladin3161
https://twitter.com/bomccss/status/1182095333481836546?s=20 - @bomccss
(sorry if we miss anybody, make sure to send it to @cryptolaemus1 in your tweet and we will try to include it!)
Credits
Combination work of the Cryptolaemus Team - https://paste.cryptolaemus.com/about/ and/or specifically the following:
Doc DL URLs - @devnullnoop, @p5yb34m, @malware_traffic, @dms1899, @Paladin3161
C2 info/RSA Keys - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @VK_Intel, @Paladin3161
Payloads - @devnullnoop, @MalwareTechBlog, @lazyactivist192, @TheHack3r4chan, @p5yb34m, @malware_traffic, @Paladin3161, @ps66uk, Anonymous :)
Spam Templates - @devnullnoop
Special thanks to @lazyactivist192, @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!
Very special thanks to @Binary_Defense, @lazyactivist192, @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project
https://github.com/decalage2/ViperMonkey, @digitalocean, @mploessel, @anyrun_app, @unixronin, @hurricanelabs, @MalwareTechBlog, @KryptosLogic,
@0xtadavie, @MsftSecIntel, @abuse_ch/urlhaus.abuse.ch, @urlscanio, @BlackLotusLabs, @TrendMicro and @Virustotal for providing services/software
at no charge to this cause!
Daily Log 10/09/19
The links keep on coming with over 300 on E2 and they threw them in PDFs now to try to prevent anyone blocking them. This started actually
sometime last night I think but I am not 100% sure. Also, @ps66uk did most of the hard labor on this paste so thank him :)
General News
Not much of note other than the PDFs being used again. This was not seen for months and is an interesting twist. This was first seen by
@CofenseLabs. Here is their post:
https://twitter.com/CofenseLabs/status/1181974889084936193
We also posted about it here:
https://twitter.com/Cryptolaemus1/status/1181978349637439488
Drops Report
Getting more reports out there of Dreambot and Trickbot still being dropped. No specific samples right now though. Will see if
I can get more info soon.
Email Template Report
I am hearing reports of generic Email templates in many different languages. English/German/Polish/Spanish body text has
been seen as of late. Most of the PDFs I have seen have been English though and like the example shown in the tweet:
https://twitter.com/Cryptolaemus1/status/1181978349637439488
One other thing I have noticed with these link based docs on E2 is that they seem to be hash busting in more than pattern
based on 5 minute intervals. I havent measured it specifically but I have a feeling there are two hashbusting chains of the
same document happening and somehow distro is split a bit on E2. Maybe this is lag or maybe this is two different campaigns
using the same base document template, either way it is interesting.
E1 ModifyDate: 2019:10:08 21:38:00 CreateDate: 2019:10:08 21:38:00 www.skullbali.com
E2 ModifyDate: 2019:10:08 22:16:00 CreateDate: 2019:10:08 22:16:00 www.bundlesbyb.com
E3 ModifyDate: 2019:10:08 21:22:00 CreateDate: 2019:10:08 21:22:00 quantumneurology.com
E1 ModifyDate: 2019:10:09 06:30:00 CreateDate: 2019:10:09 06:30:00 thinktobehappy.com
E2 ModifyDate: 2019:10:09 06:21:00 CreateDate: 2019:10:09 06:21:00 steinerurology.com.au
E3 ModifyDate: 2019:10:09 06:25:00 CreateDate: 2019:10:09 06:25:00 systematicsarl.com
E1
E2
E3 ModifyDate: 2019:10:09 10:54:00 CreateDate: 2019:10:09 10:54:00 pinline.site
E1 ModifyDate: 2019:10:09 12:22:00 CreateDate: 2019:10:09 12:22:00 www.vibescyahdone.com
E2 ModifyDate: 2019:10:09 12:18:00 CreateDate: 2019:10:09 12:18:00 stephporn.com
E3 ModifyDate: 2019:10:09 12:25:00 CreateDate: 2019:10:09 12:25:00 www.firstepc.co.uk
E1 ModifyDate: 2019:10:09 13:30:00 CreateDate: 2019:10:09 13:30:00 www.bridalmehndistudio.com
E2 ModifyDate: 2019:10:09 16:49:00 CreateDate: 2019:10:09 16:49:00 www.soprettyhairllc.com
E3
E1 ModifyDate: 2019:10:09 21:14:00 CreateDate: 2019:10:09 21:14:00 bluelionconflictsolutions.com
E2 ModifyDate: 2019:10:09 21:25:00 CreateDate: 2019:10:09 21:25:00 salesray.com
E3 ModifyDate: 2019:10:09 22:06:00 CreateDate: 2019:10:09 22:06:00 rocketbagger.com
E1
E2 ModifyDate: 2019:10:09 23:26:00 CreateDate: 2019:10:09 23:26:00 www.mmtt.co.nz
E3
Link Regex Report
(These are experimental, use at your own risk.)
Looks like only E2 is doing links now and it seems to be some of the old Regex. Here is what works
so far for the list of 302 above:
https?:\/\/.+?\/([A-Za-z0-9]{8,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/ - 155 links or approximately half of total links.
https?:\/\/.+?\/(Document|DOC|FILE|INC|LLC|Scan)\/([a-zA-Z0-9]{4,30})\/ - 39 links
https?:\/\/.+?\/(administrator|academy|alphabet|assets|blogs|cache|cgi-bin|css|DANE|Dane|demo|discuss_lib|direc|Document|DOC|Dok|DOK|esp|FILE|function.cheese|homepage|images|INC|Inf|INF|js|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Plik|popup_index|public|Scan|sites|sitemap|sox62c|test|trademark|themes|uploads|wc-logs|webalizer|wordpress|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,32})\/(\"|\n) - 86 links
This leaves about 20 which I can get 15 of via this new experiment:
https?:\/\/.+?\/([0-9a-z\-]{3,11})\/([A-Z0-9]{7,32})\/([A-Za-z]{9,32})\/(\"|\n)
Also keep in mind, your filter needs to look inside PDF files to find the URI to test against these above. Otherwise
this does not help.
Payloads Report
We saw a new loader dropped today across all botnets around 10:00UTC that is ~600KB. Since this was released we have been
seening more frequent hashbusted updates of the binaries now averaging 1 to 2 hours apart. C2 and Distro are still in sync
and binary releases are basically in lock step across all botnets. Eg. within a 1-2 minutes each botnet gets a new exe.
There is a steady increase in
E1 - 15 between 00:00 and 22:20
E2 - 12 between 00:10 and 22:15
E3 - 10 between 08:50 and 22:20
C2 Report
It looks like E3 continues to remain small and I am not sure why. It must be targeted specifically.
E1 - 85
E2 - 87
E3 - 35
Closing
I am having a hard time getting back in the swing of things and have a lot to do at the dayjob. Looks like Ivan has a lot to do as well
and I would not be surprised if we see other botnets going back to links in short order. Over time we have seen E2 usually be the front
runner for "new" or different features and then those are cycled back to E1(and now E3?). Be on the lookout for more changes.
TT
Sandbox 10/09/19
E1
https://capesandbox.com/analysis/2578/
E2
https://capesandbox.com/analysis/2577/
E3
https://capesandbox.com/analysis/2597/