Emotet Malware IoCs 2019/02/14

## Emotet Malware Document links/IOCs for 02/14/19 as of 02/14/19 19:20 EST ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.

#### Epoch 1 Document/Downloader links seen for 02/14/19 ####
```

http://104.198.73.104/secure.myacc.send.com/
http://104.248.66.24/secure.accounts.resourses.biz/
http://13.126.28.98/secure.accounts.docs.biz/
http://13.233.183.227/verif.myaccount.resourses.com/
http://13.239.63.5/Telekom/Rechnungen/012019/
http://132.145.153.89/verif.accs.resourses.com/
http://138.197.72.9/secure.accounts.resourses.com/
http://140.227.27.252/wp-content/verif.accs.docs.com/
http://150.66.17.190/Telekom/Rechnung/012019/
http://178.128.54.239/secure.accs.resourses.net/
http://178.62.102.110/secure.myacc.resourses.net/
http://18.220.183.143/trust.myaccount.resourses.com/
http://18.222.169.76/trust.accs.docs.com/
http://188.192.104.226/wordpress/secure.myacc.send.biz/
http://204.48.21.209/secure.myacc.resourses.com/
http://3.dohodtut.ru/trust.accounts.docs.net/
http://35.200.161.87/Telekom/Rechnung/01_19/
http://35.202.250.4/sec.myacc.send.com/
http://35.239.139.124/Telekom/Transaktion/01_19/
http://37.139.27.218/secure.myaccount.send.net/
http://40seg.com/verif.accs.send.com/
http://52.59.169.135/trust.accs.resourses.com/
http://54.154.144.172/Telekom/Rechnung/01_19/
http://54.175.140.118/secure.myacc.docs.net/
http://aaswim.co.za/verif.myaccount.resourses.net/
http://accounts.elementlabs.xyz/sec.myaccount.resourses.net/
http://adbord.com/css/verif.accs.send.com/
http://adepan.frameweb.ro/Telekom/RechnungOnline/012019/
http://afshari.yazdvip.ir/sec.myacc.resourses.biz/
http://agriafrika.co.za/trust.accounts.send.net/
http://aimaproducoes.com.br/Telekom/Rechnungen/012019/
http://alabarderomadrid.es/verif.accounts.resourses.biz/
http://amiraskari.info/verif.myacc.docs.biz/
http://app.websoham.com/trust.accounts.send.net/
http://archive.skorstensfejerdata.dk/corporation/IhWq-LH_uJEG-vS/
http://arepeleste.com.br/verif.accs.send.net/
http://atlas133.ir/trust.myaccount.docs.net/
http://awcq60100.com/verif.accounts.send.biz/
http://banyuwangi.org/REF/download/Newreceipt/JgGuv-QfZWB_ZmTI-ae/
http://barjockeysclub.com/trust.myacc.docs.net/
http://batdongsanphonoi.vn/secure.myacc.docs.biz/
http://bayaneabrishami.ir/verif.accs.send.com/
http://blogg.postvaxel.se/verif.accs.docs.net/
http://botmechanic.io/secure.myacc.docs.biz/
http://bueno.adv.br/trust.myacc.send.net/
http://cambozseo.com/verif.myacc.docs.net/
http://caree.in/sec.myaccount.resourses.net/
http://certificadoenergeticourgente.es/verif.accs.send.com/
http://chamundeshwarienterprises.com/secure.accs.docs.net/
http://chenhaitian.com/verif.accounts.docs.biz/
http://collagenspray1.com/Telekom/Rechnungen/012019/
http://cryptoseed.co.za/Telekom/Rechnung/012019/
http://dailyxetaihcm.com/sec.myaccount.docs.biz/
http://distribuidorajb.com.ar/Telekom/Rechnungen/01_19/
http://distro.attaqwapreneur.com/secure.accounts.resourses.net/
http://doctorjuliandiaz.com/trust.myaccount.docs.com/
http://drberrinkarakuy.com/secure.myaccount.resourses.com/
http://emrecengiz.com.tr/secure.accounts.docs.biz/
http://esgaming.com.br/wp-content/secure.accounts.send.com/
http://ewan-eg.com/sec.myacc.docs.com/
http://forestaljal.com/verif.accounts.resourses.biz/
http://forum.reshalka.com/verif.accounts.docs.net/
http://further.tv/trust.myaccount.docs.biz/
http://globalshippinglinecft.jobpreneurship.com/Telekom/Rechnungen/01_19/
http://greenflagtrails.co.za/verif.myaccount.resourses.biz/
http://greenoak.adcoretechnologies.com/verif.myacc.send.biz/
http://grikom.info/sec.myaccount.docs.biz/
http://hapoo.pet/sec.accs.resourses.biz/
http://hdzbih.tv/verif.myacc.send.biz/
http://healthcarejobsuae.com/trust.accs.send.biz/
http://herbeauty.info/7jhzynf/trust.accs.resourses.com/
http://highdesertnomads.com/sec.myaccount.send.biz/
http://hvacofportland.com/secure.accounts.send.biz/
http://hvanli.com/verif.accs.send.com/
http://iantdbrasil.com.br/secure.accs.resourses.biz/
http://impulsedu.com/verif.myaccount.docs.com/
http://irnanoshop.com/trust.accs.docs.biz/
http://jagielkyscandy.net/files/Receipt_Notice/UnhHG-W7L7x_e-nWT/
http://jaintigers.com/secure.accounts.resourses.net/
http://jmbtrading.com.br/secure.myaccount.resourses.net/
http://jobbautomlands.com/trust.myacc.docs.biz/
http://jointpluspro.premiumbeautyhair.com/Telekom/Rechnung/012019/
http://jrbdecorators.com/sec.accounts.resourses.com/
http://kanyambu35.co.ke/Telekom/Transaktion/01_19/
http://karditsa.org/Telekom/Rechnung/01_19/
http://karkw.org/trust.myacc.docs.net/
http://kebunrayabaturraden.id/sec.accounts.send.com/
http://khtc.hcmut.edu.vn/trust.myacc.send.com/
http://kishket.ru/Telekom/Rechnung/012019/
http://kndesign.com.br/Telekom/Transaktion/012019/
http://kocamanmuhendislik.com/Telekom/Rechnungen/012019/
http://kosheranguilla.com/secure.myaccount.docs.com/
http://kpccontracting.ca/verif.myaccount.resourses.biz/
http://kpkglobalstaffing.com/verif.accs.send.net/
http://kritikaprasher.com/secure.myacc.resourses.net/
http://lakornhot.com/verif.accs.resourses.net/
http://lanco-flower.ir/secure.myacc.docs.com/
http://licenciamentotraumaclinic.com.br/verif.accs.send.com/
http://licenciamentotraumaclinic.com.br/verif.accs.send.com/\/
http://lienquangiare.vn/sec.myaccount.send.net/
http://lindseymayfit.com/trust.myaccount.docs.net/
http://link2u.nl/trust.myacc.resourses.com/
http://localbusinessadvisory.com/sec.myacc.docs.net/
http://madrastrends.com/Telekom/RechnungOnline/01_19/
http://mail.turismonordeste.com.br/Telekom/Rechnung/01_19/
http://malayalinewsonline.com/sec.accs.resourses.biz/
http://marasopel.com/trust.myacc.resourses.biz/
http://marketingonline.vn/Telekom/Transaktion/01_19/
http://masjidsolar.nl/verif.accs.docs.biz/
http://mclplumbing.com/trust.myacc.send.net/
http://menzway.com/secure.myaccount.send.biz/
http://mgxconsultancy.com/secure.myaccount.resourses.net/
http://msao.net/verif.accs.send.biz/
http://namecheaptest.websteach.info/trust.myacc.resourses.biz/
http://ngkidshop.com/sec.myaccount.resourses.net/
http://nightonline.ru/images/trust.accs.docs.biz/
http://nt-kmv.ru/Telekom/Rechnungen/01_19/
http://pinturaartisticas.com/verif.accounts.resourses.biz/
http://pm.sabrysolutions.com/Telekom/RechnungOnline/012019/
http://pontotocdistrictba.com/secure.accs.resourses.net/
http://premium-motorsport.pl/Telekom/Transaktion/012019/
http://price-global.com/Telekom/RechnungOnline/012019/
http://primofilmes.net/verif.accs.docs.biz/
http://printingphuket.com/secure.myaccount.send.com/
http://produccion.sanmartindelosandes.gov.ar/wp-content/uploads/secure.myacc.resourses.biz/
http://pruebas.sansebastianpalomino.com.co/REF/scan/Newreceipt/bRyJ-HlwZ_l-Mej/
http://pvc-vloer-eindhoven.nl/Sec_Refund/xerox/Rcpt/4520624407290/qqOWd-41a8_zRJPulUm-Hw/
http://qzltrading.com/receipt/4161793752/SsLte-Wv_ds-DH/
http://rasteniyam.ru/verif.accs.send.net/
http://rbeventspace.com/secure.accs.docs.com/
http://remont-akpp.kz/sec.myacc.docs.biz/
http://renhed.kz/sec.accounts.docs.biz/
http://repproduce.com/Sec_Refund/doc/53389343721/Spmi-UXOXi_CG-Trm/
http://research.fph.tu.ac.th/wp-content/uploads/verif.accounts.send.net/
http://restosducoeur-bassinminier.fr/trust.accs.resourses.net/
http://risingstarsblr.in/secure.myacc.docs.net/
http://rohrreinigung-klosterneuburg.at/verif.accs.docs.com/
http://s550mods.com/verif.myaccount.resourses.biz/
http://sadragheteh.com/document/Receipt_Notice/pjrOd-Jook_dDALdsWM-t7/
http://samuelkageche.co.ke/document/Newreceipt/mgdly-N4B_NLDOJIedu-6mI/
http://sanat-tarrahan.ir/luMXk-JY7a4_u-Qfb/
http://sapidestraining.com/secure.myaccount.send.com/
http://seksmag.nl/trust.accs.docs.biz/
http://sgl.kz/Telekom/Transaktion/01_19/
http://shlifovka.by/secure.myacc.send.com/
http://smtfmb.com/sec.accs.resourses.biz/
http://speechwar.com/trust.accs.docs.biz/
http://springcube.com/secure.myaccount.docs.biz/
http://sprinty.com.au/sec.accounts.docs.com/
http://srivijaya.ir/scan/receipt/SDjo-K0Qz_TuPB-KX/
http://staging.fanthefirecreative.com/mobileforming/public/uploads/secure.accounts.resourses.net/
http://sunlightjo.com/company/DQniw-3Q_wEdXIYRUT-i3h/
http://svornitologia.org/verif.accs.send.com/
http://tatsu.com.vn/REF/files/Receipt_Notice/bWcPZ-KKobX_MFtSZymx-92/
http://tattoolabmaxakula.kz/secure.myaccount.send.biz/
http://tdp.od.ua/REF/receipt/tXTK-22U_efPR-cD/
http://tecnificacioimanteniment.com/doc/Newreceipt/oAYd-DZ_fUKPcQ-Hq/
http://tekirmak.com.tr/secure.myacc.send.net/
http://thammydiemquynh.com/Ref_operation/Receipts/Mutz-sr_HxITwd-rE/
http://thehivecreative.com/secure.myacc.docs.net/
http://thien.com.vn/trust.accs.send.net/
http://thien.com.vn/verif.myaccount.send.com/
http://thinhlv.vn/wp-admin/document/Rcpt/Mwmy-eg_tFuW-iQ/
http://threemenandamovie.com/trust.accounts.send.biz/
http://tisoft.vn/public/assets/Telekom/Rechnungen/01_19/
http://tongdailyson.com/sec.accs.send.net/
http://toprecipe.co.uk/sec.myacc.resourses.net/
http://true-today.com/send_data/Telekom/Rechnung/012019/
http://truththerapy.com/secure.accs.resourses.com/
http://uniquehiramatsu.com.br/Ref_operation/transaction/Receipts/ndvP-tXg_HPsOJsyT-eim/
http://upro.org.in/secure.accounts.resourses.biz/
http://vencendoodesemprego.com.br/REF/doc/XSep-3W0_FfUeoh-Qh/
http://viticomvietnam.com/trust.myaccount.send.com/
http://voip96.ru/Telekom/Rechnungen/012019/
http://w4snc.com/sec.myacc.send.biz/
http://wagnermenezes.org/secure.myaccount.send.com/
http://watwotunumili.co.ke/files/Receipts/EDfV-u7S_hwvamEa-NT/
http://wavecrestaoao.com/verif.accs.send.net/
http://webtoaster.ir/verif.myacc.resourses.net/
http://whiskyshipper.com/wp-content/secure.myacc.send.net/
http://wordpress-219768-716732.cloudwaysapps.com/verif.myaccount.resourses.com/
http://www.allindiaoneatm.com/sec.myacc.send.biz/
http://www.autoskup.wroc.pl/Telekom/RechnungOnline/012019/
http://www.cambozseo.com/verif.myacc.docs.net/
http://www.db4serv.com.br/Receipt_Notice/Mdqny-M4Q_Oa-LtJ/
http://www.dezzeo.com/sec.accounts.send.com/
http://www.difalabarghoo.ir/wp-admin/Telekom/Transaktion/012019/
http://www.elkhebar.net/doc/yFXEY-eP2Y_pYAqjsBgt-xdr/
http://www.emmawitter.co.uk/document/Receipt_Notice/DcFY-7KB_YQBHE-WM/
http://www.kelaskayu.com/Telekom/Rechnung/01_19/
http://www.luckylibertarian.com/Telekom/Transaktion/01_19/
http://www.mariaelenabececco.it/sec.myaccount.docs.biz/
http://www.misionnevado.gob.ve/Sec_Refund/xerox/receipt/Jamd-in_mauMO-bbc/
http://www.mobileonline.hu/soft/REF/corporation/Copy_receipt/588110761090953/mwmL-1ec_mncqV-NSP/
http://www.nicosong.com/RF/corporation/Receipt_Notice/295565133969/TxInO-SmV_UEMi-A4g/
http://www.osdecs.org.br/Sec_Refund/llc/Receipt_Notice/SnivM-h25_MkQZp-jG/
http://www.ppp-au.com/verif.myaccount.docs.biz/
http://www.sedlpk.com/Telekom/Rechnungen/012019/
http://www.tepeas.com/sec.accounts.resourses.net/
http://www.topreach.com.br/trust.accs.docs.biz/
http://www.vetcruzverde.es/Telekom/Transaktion/012019/
http://www.youwatches.online/sec.myacc.send.com/
http://xn--12cs3ad5a6alt7c1a6cva8byhn4hnno.com/secure.myacc.resourses.net/
http://xn--90achbqoo0ahef9czcb.xn--p1ai/secure.accs.send.net/
http://xn--kazmarslan-zub.com/Refund_Transactions/document/Copy_receipt/vXEE-9AFB_DJZTBYtUW-a5e/
http://yahyabahadir.com/sec.myacc.docs.net/
http://yarn-bar.com.ua/trust.myaccount.resourses.biz/
http://yoguibento.com/Telekom/Transaktion/012019/
http://yolanda.co.ke/Telekom/Rechnungen/01_19/
http://zendegieziba.com/sec.accs.send.net/
http://zolotoykluch69.ru/Telekom/Rechnungen/012019/
https://198.101.246.240/vk_wp/wp-includes/sec.accounts.resourses.com/
https://forum.reshalka.com/verif.accounts.docs.net/
https://lun.otrweb.ru/verif.myaccount.resourses.com/
https://tracking.cirrusinsight.com/fbacef43-c8b7-48d2-96d5-2bd368d2a98d/itexpress-kz-trust-myacc-docs-net/

```
#### Epoch 2 Document/Downloader links seen for 02/14/19 ####
```

http://1.246.245.213/@eaDir/De/MBJXSUUZXW3751092/DE/Fakturierung/
http://104.223.40.40/wp-admin/download/shMfe-dM_nnFgX-sRy/
http://104.248.140.207/EN_en/download/0234405946/ZDyA-U0FPh_dvfsnUKXu-CG/
http://115.66.127.67/En_us/Invoice_number/ZsHTW-GFAJ_xaonYTpnK-1GD/
http://118.25.176.38/US/download/New_invoice/EMQRa-Mp6_Ik-r8N/
http://128.199.187.124/EN_en/Invoice_number/ncuQs-C0hW_uPvdSfApY-zz/
http://128.199.207.179/EN_en/corporation/949706293103860/RNFCL-bK_rDb-RL/
http://13.112.69.225/wp-content/Copy_Invoice/kiUmW-O7_ambwybOW-6G/
http://13.126.61.11/EN_en/Copy_Invoice/3537640860405/dkXlq-Ij_ZxmVpj-fLJ/
http://130.211.205.139/HtDDY-RBS_s-6w5/
http://139.59.182.250/En/llc/Invoice_Notice/26997967767947/xFUlr-Ng4Hq_drWklraru-fK/
http://159.65.142.218/wp-admin/file/rlQCK-AEA_TOLYw-ti/
http://159.89.167.92/De/ZMIUKLF0088630/Rechnungs-Details/Zahlung/
http://167.99.10.129/De/QSCTCD4359230/Rechnungs/DETAILS/
http://178.62.213.188/DE_de/POTJCPC8133291/Rech/Rechnungsanschrift/
http://18.184.16.5/US_us/llc/New_invoice/iCPK-udcxr_KAYpXyRLg-gU/
http://18.206.204.30/wp-content/uploads/En_us/llc/New_invoice/mgwTk-v4gG_kKXYie-ikF/
http://18.217.211.183/wordpress/US/company/sbzb-NaBu_ZVKxdz-FrX/
http://18.218.56.72/wp-content/US/ZgjN-7JOe_B-u0A/
http://18.221.1.168/corporation/Rthgy-VE_DqQJ-iP/
http://18.223.20.43/EN_en/xerox/Invoice_number/LaejY-Xt_sgrNPE-YD/
http://204.93.160.43/DE/MPOFSQSQZS7461881/Rechnungskorrektur/DOC-Dokument/
http://206.189.154.46/En_us/info/New_invoice/tPds-xIodr_VDgMFSO-s9d/
http://3.112.13.31/EN_en/llc/Inv/QbLAG-DMjut_T-Gt/
http://34.220.101.62/US/Invoice/yDNsy-UFfiS_ZK-Iy/
http://35.154.50.228/VULAKC9526229/gescanntes-Dokument/Zahlung/
http://35.176.197.139/US/company/Invoice/Yegah-4UC2R_EqbBA-uK/
http://35.232.73.116/scan/898053748436506/ttSQH-TTO_nNouWKfU-fsG/
http://3hi.in/US/document/VDnf-uVHU_DOmH-Spb/
http://52.205.176.136/xerox/iCtfU-ck8_vlrGAB-Dx/
http://54.164.84.17/En_us/info/Copy_Invoice/632505435818/TCSp-Zj2_ND-gp/
http://54.208.237.58/de_DE/UCQZODIY8369826/Rechnungskorrektur/Hilfestellung/
http://54.85.253.114/EN_en/document/Invoice_Notice/xsMVK-BL_ugbhUUWX-zDa/
http://acdhon.com/doc/GJHjE-Ut8_oFh-YJ/
http://admin.staging.buildsmart.io/document/Invoice/iDgb-7xup_ZI-omO/
http://agilife.pl/file/1767554/ajlzT-SeK_W-xRz/
http://alainghazal.com/De/ETMYLTL8953726/Rechnungs/DOC-Dokument/
http://albamedical.ru/US/doc/Invoice_Notice/3961230676/FVur-MS_GT-I8/
http://allopizzanuit.fr/De_de/JDYJFAQV1248975/Rechnungs/Fakturierung/
http://ameen-brothers.com/xerox/2264903039002/PaAw-Cl_kIKMu-2L/
http://anapa-2013.ru/OZWUNOV4632621/Rechnungs/Zahlung/
http://anhsangtuthien.com/US/company/RNIkZ-ldYb_hvovAD-Wx/
http://ankaraliderlikzirvesi.com/En_us/xerox/Fsjb-Dv_jAuxwqVjE-3tB/
http://archmove.com.br/file/Copy_Invoice/2170832/mRfE-olO_Aiemp-ui/
http://attaqwapreneur.com/En_us/company/axExd-MJEG_cBtxjKJg-lxB/
http://authenticity.id/scan/Invoice_Notice/uqvC-jKT_rSYEDRAT-vJ/
http://balooteabi.com/US_us/En_us/dxJTg-4x_QfxoqYr-GM/
http://barrycaputo.com/corporation/New_invoice/ReYB-KGBfF_btPUHMDOo-0wj/
http://baza-dekora.ru/En_us/New_invoice/yQUV-A6_XiQhW-nl/
http://birchgroupllc.com/file/Copy_Invoice/BrEV-q7Rcv_TwTCqh-yv/
http://birdiiz.com/De_de/LOZSGMCZB2877966/Rechnungskorrektur/Hilfestellung/
http://bizresilience.com/En/scan/52135701911/gaPod-S2_JIxaPIWHd-Tt/
http://bkkbubblebar.com/EN_en/file/pwPyo-OpsA_yEWnZTg-UL/
http://bnpartnersweb.com/US_us/New_invoice/lTKbk-Q0_L-VTm/
http://bohobitches.co.uk/file/eEwY-IVlQT_uX-Jg7/
http://bonex.it/US/Inv/2438647724/KpUgA-a9_xxNz-2G/
http://bueno.adv.br/US/document/Invoice/Swzo-dniRC_TmQUVPZCX-cpq/
http://cafe.tgeeks.co.tz/corporation/XNcYV-e7_VCCcS-zxX/
http://calaokepbungalow.com/doc/1688845541568/aLjcf-H7D_IVzwye-Nl3/
http://candyrays.co.uk/US/download/Invoice/62275413/oTAv-xZmXO_fyzKhszl-Ey/
http://carsibazar.com/corporation/Inv/aMTY-oqbx_JdrQ-lzJ/
http://cech.gdansk.pl/US_us/corporation/nflO-0g_zGDw-v75/
http://chamboncaytrong.marigoldcatba.com/wp-includes/US_us/corporation/Invoice_number/3449472835/YTDp-QR_iEiNJnyTF-fZp/
http://chowdownmarketing.com/EN_en/xerox/Inv/VLPX-GccM_itLJudwyF-5GI/
http://churchofgod.team/phpMyAdmin/US_us/Invoice_number/zKVWe-HLC_tdBujH-c6R/
http://clashofclansgems.nl/US_us/30186813/ztaT-1p4J3_W-lat/
http://clients.nashikclick.com/EN_en/doc/New_invoice/rEvuk-5UC_WLYVK-Sy/
http://cngda.tw/file/Invoice_Notice/7669311965/IryL-ib_aSYF-n8o/
http://colbydix.com/file/Inv/bDQi-0EFgo_Hm-zrt/
http://construccionesrm.com.ar/US/corporation/Invoice/6295745/iUfi-T7_nLhlJ-dU/
http://demo.liuzhixiong.top/En/info/022722605742/rKkVS-SppgP_bHPhLheh-FA/
http://dentistmomma.com/US_us/corporation/EKaok-mK_puUnx-zb/
http://desbloqueosuniversales.com/EN_en/corporation/Copy_Invoice/BalcZ-858_C-HIO/
http://dev.go.bookingrobin.com/doc/Inv/tOsm-8Bc_TwVvfZu-e5Y/
http://dinero-online.club/US_us/company/Invoice_number/ICocU-75_GkXwjNYSi-nN/
http://dixe.online/En/document/Invoice_number/cJaLC-On_M-yu/
http://dizinler.site/En/scan/Invoice_number/Fxvm-USL_Jem-3S6/
http://eboxmusic.net/info/Invoice_number/544736988/eVWx-fwrX_DVlIIHbP-xsb/
http://edax.com.pl/xerox/FLqDa-0Tg0p_xbjIkWx-KWS/
http://embrava.eu/EN_en/Copy_Invoice/TNXWS-e0tv_Pos-9xo/
http://eosago99.com/US/company/Copy_Invoice/747050964813/okyK-Lk_pcUbpV-MSQ/
http://ercanendustri.com/US_us/scan/qdZGZ-vI_IW-LTc/
http://eroes.nl/llc/Invoice_number/csrXs-CbF_bklbf-2E/
http://explorehue.com/corporation/059767712543/FlyI-uBcdu_KAasjYjt-hW/
http://fancy.direxpro.md/de_DE/SQZNQM1580700/de/Fakturierung/
http://fatrecipesdoc.com/xerox/New_invoice/IgNbB-73avx_c-Gs/
http://femconsult.ru/US/download/UYyoL-8uuE_RcrgGmUff-li/
http://fenceandgateco.com/document/Invoice_Notice/FFAkh-MoU_GSAmzo-66T/
http://food-stories.ru/De/ZFIITIVLVF4074664/Rechnung/DETAILS/
http://forodigitalpyme.es/En/download/iiJNr-RvP_lMcn-8t9/
http://fortuneinfosys.com/En_us/info/Invoice_Notice/2986743250/lwYN-Y2_MUvIcLZ-Asr/
http://frispa.usm.md/wp-content/uploads/info/New_invoice/DscV-qy_flDuzON-BCr/
http://frog.cl/xerox/Invoice/GJLg-mj_sWxLJm-Hj/
http://fupfa.org/Februar2019/BQADLYIX6017258/Rechnungs-Details/FORM/
http://fur-market.ru/Februar2019/RLSDYBEVFU3100419/Rech/Fakturierung/
http://fwpanels.com/De/ABHYSQR9969074/Rechnung/Hilfestellung/
http://gethdfit.com/En_us/llc/New_invoice/dQaZ-R2h_l-Or/
http://giamcannhanhslimfast.com/En_us/doc/Inv/0609247872/JRKos-pB0_cC-DZN/
http://giancarloraso.com/US/download/qrZvo-Z3O04_bKRwVcLq-iJ/
http://grapeness.mx/En/xerox/Invoice_number/pbhZ-cRPgP_zEmPCHin-7w/
http://greenoak.in/EN_en/company/Copy_Invoice/gVpn-6h_JlRzKXNK-4Y/
http://gslegno.com/De_de/MSLDAMBXHP4663794/DE_de/Fakturierung/
http://hallmarkhealthcareservices.co.uk/US_us/document/xvupZ-7OJa_livhdXgw-SFI/
http://herbaty.zzdb.pl/LGROHFYNTT7091608/DE_de/RECHNUNG/
http://hipecard.yazdvip.ir/download/Copy_Invoice/QmWC-PgUki_z-Gxh/
http://hongcheng.org.hk/llc/New_invoice/88982804151066/rMFQN-PSnss_ZUbTCmH-Vz/
http://horse-moskva.ru/En/Invoice/738908009963389/lWnS-H2Cu_Xbeezsrx-mMn/
http://huyushop.com/US/Invoice_Notice/zbNo-LqVx_EF-Q3W/
http://idecor.ge/US/xerox/565711769621028/NrRJ-KIh_mCQC-8em/
http://iiccfp.com/info/Invoice_Notice/96187351938/hpGZ-WqTa_Zu-GO/
http://illa-berek.com/US/document/Invoice/QoACx-bj_YrUkJDFh-KP/
http://ilo-drink.nl/corporation/56243092/AQRv-C65sd_jPnXLO-Cd/
http://ingramjapan.com/US/corporation/kAuuC-LxnRQ_ev-gg/
http://istratrans.ru/llc/fmDd-K1p_h-yxr/
http://jaihanuman.us/wp-content/uploads/9/En_us/download/New_invoice/CyEb-Ii_Yavg-50B/
http://jaspinformatica.com/US_us/scan/Copy_Invoice/Bibd-nOH_KyoVziKW-Z5z/
http://kendinyap.club/EN_en/document/Invoice_number/hIBsT-Hmi2_huftCxLC-Fn/
http://kentazo.vn/Ldtc-s8_ToUPHq-M9P/
http://keshtafzoon.com/En_us/Invoice/33015438/BgsqQ-cloCn_PaYSlBcJP-eL/
http://kgr.kirov.spb.ru/Copy_Invoice/xYDp-erk_WogHeTD-o6M/
http://kostrzewapr.pl/css/En_us/RKgIj-oF4_dC-JEq/
http://krisen.ca/De/BBFHMZMUX6888264/gescanntes-Dokument/Rechnungszahlung/
http://kuoying.net/wp-admin/info/dhzv-E8HR_pExT-QWV/
http://kymviet.vn/US_us/doc/04142725342386/EiTrG-7z_Hc-vqQ/
http://kynangdaotao.com/Invoice/GwpQh-2Re_lpTUlKn-mH/
http://l3financial.com/download/Invoice/awyF-MOx_quji-EZL/
http://legalth.com/En_us/scan/Invoice_Notice/hhwOs-j7_VGrGVwj-Ghz/
http://lienquangiare.vn/US/download/CUQL-eeveX_MDgzJuFAj-r6/
http://liketop.tk/Februar2019/DEWZDFS5921051/Rechnungs/Fakturierung/
http://macampenyakit.com/EN_en/download/New_invoice/93164486026707/ygoS-Lw_TPKC-wIM/
http://manualquickbooksespanol.com/scan/Inv/wIPR-wSA86_oKJzi-WVJ/
http://maskproduction.ru/US_us/scan/Copy_Invoice/574264353827648/zfXmL-Z3_DOhxv-Pg/
http://matex.biz/En/company/New_invoice/kxTg-XJr_ddPRb-D0x/
http://megahost.pt/bdDi-82_ZauxX-OER/
http://miamifloridainvestigator.com/DE_de/NCGPKMLQ2278313/Rechnungs/DETAILS/
http://mingroups.vn/En/document/vqimK-93_ujgxHBl-2T/
http://mipec-city-view.com/Invoice/EeMOE-xzz3m_DmvMdrI-mXT/
http://mirkma.ru/de_DE/POEYPK3801489/Rechnungs-Details/Fakturierung/
http://mostkuafor.com/llc/Copy_Invoice/qRwH-dAK_p-kf/
http://mpdpro.sk/En/scan/Inv/WSuZI-WT_FU-mhy/
http://mrm.lt/company/Invoice/mRLa-XVx19_ZQh-p2m/
http://navigatorpojizni.ru/company/Invoice/eAeJ-h7qna_py-Vw/
http://nexusinfor.com/DE_de/TAKMPFGFQ0046319/GER/Hilfestellung/
http://nikastroi.ru/De/DQOUAT1965838/Rechnungs-Details/Rechnungsanschrift/
http://noithatshop.vn/US_us/xerox/Invoice/KsSCN-zUX_yk-T6D/
http://northcityspb.ru/de_DE/AKUNRVPV5601935/Rechnungskorrektur/Zahlung/
http://nova-cloud.it/Februar2019/ZVOKSN8028767/Rechnungskorrektur/Rechnungsanschrift/
http://ortotomsk.ru/De_de/EHDBXWZBJO7581980/GER/Hilfestellung/
http://porteuropa.eu/En_us/ctrq-ku5Z_UiAcbT-dm/
http://positiveconvention.co.za/En_us/corporation/vIsZq-3zAW_wkQuUzdT-lZR/
http://practisedrill.com/New_invoice/oTTg-LDZ_RJ-UKg/
http://premier-pavers.com/US/xerox/qsMg-0Q3_v-PAT/
http://progettonottetorino.it/En/company/cPCN-4HvR_lnc-J47/
http://promstal37.ru/402632157371708/rqnA-TE0_mpd-AT/
http://propertyinvestors.ie/BSKYQD0339493/Rechnung/DOC-Dokument/
http://prostranstvorosta.ru/EN_en/scan/TWGwh-nz_WT-Aok/
http://providenceindeminty.com/US/doc/New_invoice/RCllH-RE_T-V2e/
http://quintadospassaros.com.br/EN_en/scan/DGEnc-yp5_MdT-GV/
http://qukuaixuexi.com/De_de/JJFGVNVBZC2024590/Rechnungs-Details/DOC-Dokument/
http://rameshsood.com/US/xuTXt-rfjM_iCVbXiL-tQ/
http://rdk.kz/Invoice_number/luMI-EE_HAbJIY-vqV/
http://rdk.victoria-makeup.kz/DE_de/ZUABQV2745706/Rech/Rechnungszahlung/
http://rdproject.kz/corporation/Inv/DdvJn-QG3y_zoxWZjP-iUL/
http://rohrreinigung-wiener-neustadt.at/EN_en/yZgbm-KmG_vgWV-EN/
http://rupbasanbandung.com/US/xerox/Invoice_number/nitY-LG6_vaiXe-RU0/
http://saleswork.nl/9883973888669/sKfw-JJWCx_zdAVRkDnn-xq/
http://saltech.sg/En/download/Copy_Invoice/3495381713649/eWZN-xn3M_sbBUu-cmF/
http://secondmortgagerates.ca/EN_en/company/TURn-PY03_URCgOL-yTN/
http://seecareer.com/document/Copy_Invoice/SyfmR-GKT_qPmCiVv-3Q/
http://seksmag.nl/company/eZYu-2yP_t-EX/
http://shrimalisonimahamandal.com/US/New_invoice/fsCMJ-xXK_VaHjOdXn-AOI/
http://simpelway.dk.linux154.unoeuro-server.com/En/document/New_invoice/JXzYK-lxfZ_u-a8q/
http://smartre.live/file/Invoice_Notice/NZrd-ATgmb_sHgCDUb-iu/
http://smdistributors.co.za/De_de/TLPKUAUXYR2124975/Rechnungs-Details/Fakturierung/
http://socialmediafactory.se/De_de/QZSPUIKYBO6106030/Rechnungs-Details/DOC/
http://spbv.org/corporation/GsQo-lN5_ms-hVP/
http://ssdr.dk/DE/QOTINAD8793352/Rechnungskorrektur/Zahlung/
http://stemcoderacademy.com/De_de/XECTENIZU6230170/Rechnungs-docs/Rechnungszahlung/
http://sttheresealumni.com/EN_en/scan/tZdo-h7_qCbPxfxwo-tn/
http://sucreh.fr/corporation/Invoice_number/1123656788047/zrFjJ-U2_Lyrz-p4/
http://sureshdangol.com.np/US_us/xerox/Invoice_number/mbZge-PQzW_x-Yaf/
http://telsandalyesi.com/En/company/Invoice_Notice/Vkfr-TBy_KyNjorB-EB/
http://test.sp11dzm.ru/Invoice/CTNdh-Nc_FMsHR-Jau/
http://thicongvachnganht.com/EN_en/file/mYegR-Or_P-11s/
http://thucphamchucnanghanquoc.vn/En/download/mjTU-jBg_r-oV/
http://tischer.ro/US/document/Invoice/thmRA-M2eu_ct-9s/
http://tochkae.ru/US/Invoice_number/dyyhx-dq_Qhkz-Io/
http://tolstyakitut.ru/download/Invoice_number/SwHZ-lJg4_LURSGwCa-ktd/
http://trandinhtuan.edu.vn/De_de/RDCDPPXTNP5120675/Rechnungs-docs/Hilfestellung/
http://trandinhtuan.vn/EN_en/download/Inv/DopUi-Wu5Tc_S-ZCn/
http://transcendsin.org/EN_en/file/Inv/22174501/epGH-Gu_zw-hIj/
http://trumplegal.com/doc/tmSh-nfvn_rQxDPeF-jM1/
http://tsogomediakit.co.za/En_us/sVLmw-N5_hQQ-Gj/
http://tych.pe/iDLLJ-fs_pQU-VF/
http://tycpyt.com/scan/Invoice_number/sHOih-7KW_iIsUFbg-0T/
http://ulco.tv/doc/Invoice_number/WRSTM-CHkG_mv-Pjb/
http://unison-bedfordboroughcouncil.com/DE_de/CVPOYEEZZQ2991253/DE/Zahlung/
http://valilehto.fi/NQKRSKS7049046/de/Fakturierung/
http://vcpesaas.com/info/Invoice/pBXt-q6Sq_xS-1B/
http://verac.com.mx/EN_en/scan/Copy_Invoice/qOHHa-o7_YuCss-KFP/
http://viagra-cialis.pl/scan/Aepz-7pCO_UQbb-3X/
http://videokontent.com.ua/company/5297588/zBAdX-jQWdw_KVLPx-fFS/
http://video-mix.ch/DE/UAHPGJKCM8006722/gescanntes-Dokument/DETAILS/
http://view52.com/En/ThKIO-mF3vn_LgYuedH-53/
http://vivekanandaeducation-armoor.org/corporation/Invoice_Notice/JhGpZ-bMVh_SpOYPCo-tf/
http://walnutgrey.com/de_DE/WHOYMK6607843/DE/RECHNUNG/
http://wavecrestaoao.com/BRMD-JLQ_fEksPi-V3/
http://weglamour.xyz/En/download/New_invoice/hrFc-Vnih_VC-EAR/
http://weiweinote.com/US/New_invoice/yiURQ-1c_K-Gop/
http://weresolve.ca/doc/Invoice/KmtQq-Vs8yN_VmpHLQ-KJP/
http://whitefarmhousestudio.com/corporation/Invoice_number/ZZwEc-WU_kbmpt-77/
http://wineswap.com.au/US_us/aNMn-Nb_A-ire/
http://wishinventor.com/Februar2019/LVYGVVMCOD6472799/Rech/Rechnungszahlung/
http://wordwave.academy/scan/66653977405360/vcjGs-3fw2I_WQzUDnH-Kq/
http://worldrunner.co.uk/download/Invoice_number/SXma-sRF_mYH-fg2/
http://wp.berbahku.id.or.id/Inv/uzZA-w7_uM-TgW/
http://wpdemo.wctravel.com.au/EN_en/Invoice_Notice/3587030376176/LuApR-pna_EJX-dW/
http://www.2000aviation.com/UHAJDOIXD9309682/Rechnungs/Hilfestellung/
http://www.blueelephantmassage.com.au/En/download/8243513533/ZsScr-fwQ_vfsKCVRz-TUA/
http://www.buyoldcars.com/de_DE/YCUVZDKWWP7551688/Rechnungs-Details/Fakturierung/
http://www.campustv.pk/de_DE/GVGJDPBVXP7608465/Bestellungen/DETAILS/
http://www.cateringbangkok.in.th/wp-content/US/scan/Invoice_number/Kuzfu-S4_Trevk-inp/
http://www.cducarre.fr/US_us/xerox/Invoice/Ugzd-5F_xxzhwl-PVM/
http://www.cng.spb.ru/De_de/FCHGHSYQQE1228151/gescanntes-Dokument/DOC/
http://www.crownrentals.net/US/doc/Invoice_number/UAIL-mF_Dm-iC/
http://www.eurodek.ca/BDYSPL8119376/Dokumente/DOC/
http://www.fet.rs/EN_en/llc/xjxta-lO9_XRp-36z/
http://www.forodigitalpyme.es/En/download/iiJNr-RvP_lMcn-8t9/
http://www.fundacionesperanza.org.es/En_us/file/Wcwqs-Ht_qnY-Ii/
http://www.gohappybody.com/En_us/xerox/KUjt-nQhwP_FF-5K/
http://www.hospizkreis-senden.de/De/RWYRTY5984480/Rechnungs/DETAILS/
http://www.izmir724transfer.com/En_us/New_invoice/8184917467128/gQPW-ZMX_bJI-S0b/
http://www.jagielkyscandy.net/EN_en/file/EVEn-AywR_Sco-1vW/
http://www.luckylibertarian.com/US/file/Invoice/ExYcg-Yin_Doma-KW/
http://www.meggalistaconvenios.com.br/EN_en/download/Copy_Invoice/RIxJ-UjB_qRk-10Y/
http://www.misrecuerdos.cl/En/download/QEBN-LG_Zyoi-9X/
http://www.pattani.mcu.ac.th/wp-content/uploads/US/xerox/New_invoice/yOkVu-OX_qQVzLsP-QjW/
http://www.qqenglish.com.cn/EN_en/llc/rkjV-e8WJ4_Qj-3Gs/
http://www.realestatewaterviews.com/US/download/FXIZj-UWZ_fHqItwIW-ZO/
http://www.salesround.com/US_us/download/Invoice_Notice/1549691030811/RrWbu-vV_jYIMXESHL-LE/
http://www.sgokta.com/doc/Invoice_number/eWxG-pp_tFSgHut-er/
http://www.tecnificacioimanteniment.com/company/New_invoice/npAow-dC_DHc-4gP/
http://www.tiagovsky.com/US/xerox/Invoice_Notice/FjtM-4y_cR-q0/
http://www.timothymills.org.uk/corporation/Copy_Invoice/uXaER-jbJ_DYX-lyE/
http://www.uni-giessen.de/tierschutz/
http://www.vangout.com/llc/MrbP-Izeay_BUEIiE-Pk/
http://www.winefriend.co.za/De/FIORQOXU7539661/Dokumente/Rechnungsanschrift/
http://www.youthinenergy.org/info/XLqz-7b_mvG-Bte/
http://xn--90aeb9ae9a.xn--p1ai/xerox/NGWL-eHat_nrqqdaZ-36/
http://xn-----9kccsa1afbhzcgd9a1ay5l.xn--p1ai/scan/NaLsb-ny_jvJEYzTpq-yqR/
http://xn----etbh1a5a8d.xn--p1ai/EN_en/Invoice/18444564460016/EgoP-4SRBy_jLiXkSeW-0M/
http://x-soft.tomsk.ru/EN_en/doc/Invoice/vdcb-8AvQ7_oxW-qr/
http://yallasaffar.com/EN_en/PMNu-zKgz_lGt-px/
http://yduoclaocai.info/En_us/company/Invoice_number/OghqV-ZtJ2_w-x5J/
http://yduoclongan.info/En_us/llc/New_invoice/tuQj-tg_NsT-STe/
http://yduocthanhoa.info/Copy_Invoice/lsycr-cD_ndd-wfU/
http://yushifandb.co.th/De_de/YJAEZN2289916/Rechnungskorrektur/Rechnungsanschrift/
https://carsibazar.com/corporation/Inv/aMTY-oqbx_JdrQ-lzJ/
https://ftp.smartcarpool.co.kr/lf_care/user_picture/document/Copy_Invoice/ZPvfU-Y9N0_hUF-Mj/
https://noithatshop.vn/US_us/xerox/Invoice/KsSCN-zUX_yk-T6D/
https://view52.com/En/ThKIO-mF3vn_LgYuedH-53/
https://www.exablack.com/Februar2019/EVPXGEQIS4018025/de/Rechnungsanschrift/

```
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time	2019-02-14 19:21:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:
97cab237d957c57b19ef70d5ab7e2aa5d2487cf58ebd839b50e54c3edf8c6a9d
b49c9a22922bebab7d767c732338eba417c0a6c2149ce8f141a886184be3c949
91fe305a78b5c88f6f181f3a64fa7098ee36e2e166861d505b26079b6ebeaafa
f8336db42976d5c7ec95df0f80e52fdfe8e18c9ceefbbdc898c64ee13a43cc7a
948e256c53e10b93c327b45efe8629b3f3612cb0605a782293e26d36b1950d64
ce8d31d9414f0d296828b6c176fe23d1ad4f09c93774b6d4d49b115980232238
7e432eaccc7fee2b8ab0d7bfbed20b4d3b4e519e3b325d62d14df283e2e83ebe
21735a28dea318be302e52cdd1daba76404942057a3cee24bbb3a03f5b07e752
b0d4b233aea13f0cf2e48f64ecdc6504478090bfa5414cfa1a1ce8739c20d4d2
c96c7ac1102b8ccbd02f7bb51c768da7e09e33830096718d2b33796e2cd9de7b
7624507950aee0bccf264807cf20dff21a5c3bafd476830eb29ada4b8dc8d25f
fdc58287932afb134d3fccb474c00fb6c5f5b71b6876f3a4171ebdfeb7737eb8
c8722f847d62be9287029d2f54c8e86893502c3505665f9d5533c6d1298451bf
2b1229359899970d360bf063f96918306d07c7dd6e1d5d248f24c6ec36b55897
ad1bff7ab5748a521d54db010e86dcf65d3fb23eed378927697fa4ee342ded98
910ecee21de484ef238a555495abbe912c3fc4c6585438db6f4fb3e557482f0b
fc3b02c15bb18a64052774a9a1847b19584a83bef57e2d2620a19f17a00e0da9
46ecd52135b2b3f160cb28a9054916cc6d372ebde3700fe434666825877bf670
d2e19d553d410718597203d71b480d0e42f82e6bda1b98a186ceb7524a8bb1b2
b566280cea6f3390751f2799ef2a07fd2a5ae7b94affd01f5b344e65a9d5e663
87de3380817115140976171dbb9e5aa4207f8a2dff124065a772e90df6453229
d084730c3222a57b4ca69af66213b15fc808df800fcef09536125f2b8bbb3bfc
b7a5b11180a66fb10c9957a84c517f926da64a33bfc5949a5a87d694892f30a7

http://idjvn.com/VFRvAVWyF8/
http://constructiondistrict.com/zA0jHm2vt/
http://www.bspartage.com/MofXXfVq/
http://adam-ch.com/OMKLfD9mZC/
http://galeriakolash.com.ve/RlGVXxAvx/

Creation Time	2019-02-14 15:33:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:
911d39e2220a0e142d8424f703e570041622c6d07d98114f98aa69382cdfc2ea
c25d5989f667513420b6c5c85dfcc13c177d0e281926afd7581deabe458de83d
15596c9bdbc21aad1b0070c760a7f61cfd03bfa1fa7d292f176ad75d99aa43cc
81d616d13c103135e9dd47b9617f4dd50abeeaaf489b09b40a5823d53ff05a66
3ec752bd4f66b468951109a731f1e5870f661a0efcb0488985b927f71f024ae5
cb81ea40435082b0d70a936d8ad67484f51324f0bad44cfd24276b1ae8d4eeb2
9425b92dde2934d830aa29fdd33f54ed1c08ed4cf697a398de5fffee80dc37b4
f0edfa20b32ddd99a92658da5f696222e0f1d4c99afd9e2c2a8a48b9fd7b261d
93822d00a1639ec284ded69e3957088a5ea64f9ffecb302eacf534408bfe4f66
a06622fb10a44bfd000fac55a5322031774c2c2500a558d77a4247708a69e4c2
e659dc03dfe534ba5abae46047a329043002e7f1560a4888a49dcf31f9958399
6c8b0ea8d2d55c35cf9cc3fa713b805024eb5deb6194be5c7671339af18529ae
f12e124637c07cad9b7e1ce7becc22d4e6235674806bbf5a9c219338640f8a99
630237cae6692864ee23e631a13ffd48731ccdf8f9354b2df55857e5f9892bc5
d88a30cf3b32cda80940dc9883d43c514e1505f44c7a9e9ba5b3c85c3302d9e7
7bbcb13ba9df7f6d8fa33c2b581cdd1ae42407ba604bb6b4c883e41f41601590
239942748da63d13b679edf04d3b955f6979d03cf2d5f53b0e10871c9717c6eb
405c63169f1c46e32b7103215fbdf3b4dfeb40ed21e5c5f9d953a747d4690813
5ede447198fd9790905c29e6810244fa57fbba49dfe1adcdfc3b9eb0be5f8fbe
c6cd14fd703d984a3229ce1a5e813c2dc0b556abb62e5a25ca5857cc3a4f176b
93d436758cc24dfad3d575c3794ccbed12ff44d6d9f0d76bc428c470d5b89608

http://hcforklift-eg.com/hdIixMkZ/
http://newsmediainvestigasi.com/uyspo23kf/nptoris/1KiUYgk/
http://businessvideo.urbanhealth.com.ua/gk9LHla8/
http://uran-spb.ru/qzzXAyC/
http://psychologyforyou.eu/1HdEdRb/

Creation Time	2019-02-14 15:33:00 (XML Based - ENG - Unzoomed Indigo/White)
2019-02-14T11:37:00Z

e4e3c145c665c49ca56c6a0db3a0ceb9a99f892b3dad4c23786b9f0ef6f26911
5e09937233d3be286d6935cedca2ff4954e7b36ecc582a2150d89686357b77ee
f0ede2a03f4ea0117da4f47c3041d9a0d9876c374f4b74cee6e8b6dab2b31e4a
547b9761464a9037c1aa76c52178b5d141ab790adce4e100d9fca489d1bdc461
fd424ccf7eb083c966106b8049d6e68876e652df73401772883e80a63d98be65
a4b898b92078d1e01992744f02ebd969a216ed6c8de83e9a2e7a1e933c6e7cb3
8250405e2ca68fae6fba77a461b9d7f786a2a6ab1984337050e02b788806500c
ddc7f188c59c03ef24d8f5ce2f3d9d93dd9c9fb6a9072bf30700a080e17a15bb
3425678eb3a61e437af67524c3444c83a890ad25aa1280da5287a0259950d31d
5036fcb8efabc8a863e9828107c22cdde2fbaee8b94545f2e793a8bdd7331272
c2b792f0e67f6982b6bf54bfdc5e88541f7af446f8225027b7c3cc2c98953c42
6d9d5380030787a8ad52a037a7d73de960b6c33b00ac97ffa04345a9afaab342
08c21909730aaa3c97f821c0b052e163ab81daad4e2a22107fa4ccee5f77b1a3
4aec976e9b1d4139ab3a2a6bc56a3aed96f54a943369ca2efd80761aafbaa461
8fa8e6f9ce5b34d88fa570fa7630419dfadd71d24c3b29634e361dbf85bfdcd8
51557a206fd8ce2a055c9fdb69e9111a976332e3a5f6dda32a8a2d2afa21602d
1e98f156e7ed7d59838b17ed0eed92bb7be5aa6ca24adbf309248519638c7567
1699ca85191a06d203b19364a067e1f96448ae391dba79fb82ffb7bdbba5b600
4d6e1e2e8dc91d4d6b9690054e4c2774a208283f7c84fadde580a51fc275d250
90c80207de6d6d9dcd42c5d71f3e2e4ce280e690623532e53a3d9bdab24c9040
05d36e396f86fd51b882535d427d042f7475c9aeeb2d54536aa90789b3515019
69b6d136530b5d3edd4f07166b54e8b08b320914dd5bd3e3081185bf6c75f09c
adb2c71003bea01e720d6237f14058785bf3721f138d4f401a6c5a46c43eb915

http://honkytonk-studio.com/Kw0rSq2FAX/
http://allaboutpoolsnbuilder.com/ULKMiATT/
http://bobvr.com/8GI2mvob6L/
http://spathucung.info/KyzWn62/
http://precounterbrand.com/UtbBjWRRG/

Creation Time	2019-02-14 06:55:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:
2f5e4c2767b4c7e20391a50d2baba9fb44035ad38258329c3d9093f6866933bd
fbebf124c9bd0eb283ce8c38e47aacd82fce8d87379aa5138b0e78312e2829ae
4a15704e0592b8fc47e8802c379562f5f5694e95d8c72d0e34c846c728dcf3cd
f959ac98abe1c9ae2a880c7cc30cb39c4bdd4536db2442bf2dad33498954a777
b471ceebe7a8a8c39e1285f21f5b1af598cda2732aef32474961ba0295af9950
4f45707b07936c4a33037b0861fc6aaab24493b4372341deff8df56d6bac47a2
f04b45873ca7819656f9be1eecedf24a034d742aa8f2d16ef6ed3f53f48cf008
4bbed3da07f3358edc62ff2a5eac94d706a98dcbb0bd2c93a56830ec9c37b7c3
869c7e5002cf4566c7b1331be7ce8e9847dc76570c2951b45cb831bf95c25d30
fb2fddb42d09abd2cdaf2ff7d67c2cf676e78b294fe0d7225d19e96c496b7fdc
e0b66d07b9d9bf359c10cc467446e70f0ab9261a3199175c5e52135d6aa72941
d1f976001844035bb5b7c4373075393dfafbec0863c163b33e3852149e81f2df
4278120c2c57403b97a72dd9418855af55e61fdf51f89bd855ee1c9373525eba
2b8afbe2f7d8f7fcfa9e9e083c17de1ec69a518ec96c7b13644186873f8b33c5
051ff304a3c0395b69dcb6dcf36032673404cfbdfa39dbb8cdcdbc46d64e860c
826e2caeb1f94cbcff9f4629f2776ba48e707a0d8720e4d26690c156b1dcf051
b8e0b48e201b235ec1c198affa74a700964ece5a470f04c678dc48d037958916
c58e7b8696794c6d5f1dd3745225d93fade8d584c4ad620296d4a37b7f0d30af
5612cc8011008c94c844894231edac2fa1513d2dc53c053e63d1a31ffd25b36f
6c8887fa4d5926b51b24e96167a99db296856ccc70bb63938dc9dac4ab15c471
9a8638e42360c33ee43e4bde6fafa5b5ea62a164adda3b29fa7908904de76ba9
445b280bc2685430bdf3f9e6996c83b36d5b37921db1d8a56ba5f34999de0409
9a8638e42360c33ee43e4bde6fafa5b5ea62a164adda3b29fa7908904de76ba9
8d8ea8ddbd4f2ef870da650dae47e5570cb48f474aa1ff992e6ba40b49e1d249
d1cef97ad1d73220a0c4e28095b4a46992713d0649f8b138ca74b5e05be508b0
1ffee6ebb026a98cfe0ba910f228c562a7d93807c5b1c76c4651af578f9bddf5
0c3de549bf74ca2a9f57ea15fea1a4f20ab1514b96eac402f517409a5b311bad
693337aec2d20eb7f278c3e023f9e878d47313fa5966cc640424010d4abfe91e
cf04da964014299d991218169315bcd5d6d77ae67c6211bcf95158c4a461bf2d
b9c00ae1710ce68e605c52790689b1fc5c46a2069c795bedffbe50a38f532011

http://mediarox.com/7T1JXHHo7/
http://bazee365.com/reLlrcw2VJ/
http://clipestan.com/sciEWKg2/
http://beautyandbrainsmagazine.site/oLFpu9m/
http://aiwaviagens.com/wJ4nhRtsPc/

Creation Time	2019-02-13 23:06:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:
0eff3a4b444eb8c567db5b87dfadb6a0b1fbec831901cb2718964fab137472b8
8d43076c22683e1d574274a00a990bfedab48dd1015fd6c5aafb44cf7632f2ed
90a497b432bc14ae7ac9016f868a72ac74ac4d31a2b4619ca2be1f5d1f2d6950
b7e66cf6b9746084770347e1766e227e536a88892530d6f8db193a485e681bf3
387de05e444f904a9205d836b1d5d941a3df3328e79cc81ee1fdec22a1a5e715
c863e1f6f21d32824837f9002d90181d12e0f68888ac9931267f80eb6d641246
44af4973b88c3d9fdb128c5338e528698ff6bc5578fe8d5f51a3767c919020e7
1be52ba66b2db0ac87508c275933d270a8cac113d1e7ba48fbbbac5c06fd20c9
8aafae60bcbdbdbdf877093104370bcf096a650c308fbb38828eccac6ee0a795
55e8b9c01ee6f006c63f736ce8f7f98bdf7b30f45740cd60e909bad5b653ef9a
842bd4ab9f785215fc55ed7291f3d404549d88218dde171150421bce4061f251
24accce394df4d28c0b496cacbcb0245e52c3401fccfaf14fb0ac8cf65a08ca4
fb2cba6b4c4b890a1a32cf2fd63be332e63375af7bb32fb43c6fcd1c8b27aed0
10aa53666e6b7b7535f5312e4a560134d7cca9926869dd49646c5105fd1a046f
e6b79db99b399198a61b836acb552f49c58e491bebda5dc7125d2a3f8b798f1f
f596bdd66454e9d2f00391920394679dacc80ec65d77e5cacfb01f73b3fafb8d
cebe799eb13204e363f9d18a0be2885e4668ca32ffbe1bcbe0d6071ddc5fe541
60bcaac606692210b3caefe17ecf597d49db8d529978d6726a7269b4a14dc641
4941777a3a7e4899df063ba472ea528865537ce43178b5db6aed072e61bc500c
1b8f1db3cc4c467bca294bafe4ef2082c83c385e75cc4fc589eb2b32a6d0c279
d31d8513d07a01c8cd627c745d0959263d122f95729d2cfcf951c9e8f741f2de
21efd9ba28b1813c2703fc87c58e1aec248d98417bcd25f6eef30321794d55fd
e95846c16abcb48406d3e68b89c6c57335d72683501f7a9bd60d2e7894fedaa2
9e59bde0e624352a96df24f41cf11136837b60e61c4a954bc2d41784c1710e77
36e96af0d786eeefe5749d3b60ab2dfa044ca4da0644012c8c15dc5a6df36e17
48cad76efb958c7d247a27f4636d464536d78174b5379f744c86be9b22020fd8
c131a04ef143915bef40c4816d7c065d86f15e1e00b15f26500895151f466fed
e23125b787324e0bdcba37250c3e9d784b57f901f885a109029f260bacf30000
619324ffdc2376cb39135e2705c1034eb856bd564698c886a15b176aa95df5cb
646a4bfb639145a8babab15ee88b8ff1744e68dbbc59f9085d4e2321171873de
30af6a16431fa52b727d75db674bec79d21b4687876ee26f57c137dcaeea5ca1
02733ad79a16b0fb62e4dfe438aaf227d6a456fe60445aa595cad125d72c9294
8e610df0d3b2a0b27aecd4d74baa2303621a4e1cdcdfd62a9a0518ad813276de
c72ca32025175570b30d91669466db659f84b9b910498b3d1b8ff673feb48213
dda878698d942e6bc8c8f114507f1a00878dcb205ef1a5569fe1e7968e4e8fba

http://gardenstrutturelegno.com/pafgY1kbyB/
http://mhoment.com/LM20Ymp/
http://extrashades.com/CfK0g0aQ4r/
http://gandharaminerals.com/4J2ko2vsYO/
http://baovevietnamtoancau.com/wp-admin/includes/uZ8bAUa52/

```
#### SHA256s for Epoch 1 Payload EXEs seen on 02/14/19 ####
```

1e71eeedd14cd0e0039aec1ac38229af78ad4deb06bdb7eec2ecf7fe59dc4582
0e52926be6946300636e765394b65a9a46aacbfec415d667b416dbf107e28f25
9533efb98d97f3445a22973ed889b898b091ae34f17d51c79e1a480320b99745
053cb5d1a66a24f4c5e8495ffd59e1bce4f873ba1e3f2c15a14f595500ef177c
17fb84d62f2f9248fe32b7a3f877113d44aca585fac0c77c00e93f8f042bf9e5
6b6b5e0bbcee387ff9e6a2fbadb684e04edf510438e57959800919423b76e92f
c04da2aff5fa3cf046b56a01a17475063e0f9c104c07abb647716818b0c95b64
acf431a81361f8797fe8815adbb898a1f9283910d1c03e5d7aae8648bf40e80f
940c93be72c84e46e95f83bae90221eabfc0bb164da77d36e503358027acb8ca
a7f125f6089019719c274641c9236b393e71508776c1a71da2fcbcf814af38e2
1ae68f4344979b2a807fa9db2754c10d4b85f61ded630408bca181c5f5725bbb
d0878a97ef91eef64e97ff98e7f6d922aadc557e9d2979ad3ebe2de8ad4a7fe6
67c8a229ff64ec847b80ef05bde4009c1fcdefe1eb58f00ee209771bfb52ebe4
0c71c18e4cfbdd41c06280f99ff797d36a7a27dcbe188a87f3e19c1ecf6f1ca6
0847c8bb422e0bc7fb39f6d0454ddcd0d4a4aa0b61e2d69d8b0ff5b008a4cb7a
4c1db0432c187d592962ea1be25635d669282f332aab0b2fc7485f2ca2588e04
7511c603fdadb2768a59fc2f23f472f269a9ff020d5bcd32017a5184800fa766
4dd92acabaf20c9749713447692a0f91dc672b960cb7e2fcdc6e018960d90caf
c1e75b1ade4a94c836c1f1c0372b903f5287ea34dbb27bf6f7df083a8c887c2d
d46f20102f54152d0c0207328a5a604c15726641f77f6ca75cc4eeeade7902aa
42135651497bcf3530f8cb1b64305abf2cd0c35dd680077b4538ae37b3f50984
a4eb084780e8f266366effda9e6a3aeea50820f4461f31413784ab563b714e69
7f6f7c7490e696dab512e0497e2ec7d10bdf1adab4552521d140ef903021d02e
1c86a1df8288afcd495e4767657f53764e8edfb275f3c62c4d9190139808a32d
0a621b79ab1fd4ed3462f4d1c11c2599103b094fe42d2625b5ac3cd22710f823
08770df28717c62fe014bcfd6bcb46b423d0e5b00491f2afe09b7b04d07dcea9
b7f23945f429ce57cdccdc141441bf6bc0397105d2d65ee4321301b6f332fd99
c9b6bd6689b09a4778c1df10cfaa2cf2a1f5274619c653b096d38376c2692c23
79ff5d22a89b1aca1f11d367b9747e079b4525905b9e82a087750516272f4531

```
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time	2019-02-14 20:31:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:
180b861d69ae2c5e56585f77c89c2fc310a77e8eb5dc5bc8b01383ec30466779
76829cffa47805f777bcfeecc78d19297332051588de29ec86e28a8e772c9874
64a9cca238ef5a0f0b66bae0ec4737716d3da59fe9033665f043e46dbb38fbde
b2a825dad3bf548a0d029d06ae7918aaee864f8dd585c2200e43c5fdd9d9b30f
c4c6864c23c2ec89797829a20f797eb8f347b575df03e06567e8da30a2abd54e
7315f94b01f84b76c1b1884b21bb25c747c89092347515278b32ede89ffa0a1e
51876f09ad4a176e3d4cbe9fc7e3a594951d813415b3eea7db9e46a1d50eb4f9
b87c6d9d69ea5b2e1007c27fdf3cce675e135aebc269933c59a1d818054c3ec5
8684f6a3902e53492c323711ead750c8bc89cfecf275df6dea172dd6ac2496d3
740b0a8f0a8667879b21cbe8aed9f1b4fd69bf7fa84e6a596b9e02860f5f1c54
8883d9a7d7ff701bd2cbe8a02b9925ca3dfa850859c3be1bca4386637658713d
abaca59abea151faea5ff968e925eb1365b136669aa2f353cf3015d36a7f0872
479b923b0077f6a80cf191a1727a5cbe4d5c1a25652e598eddbbb611f4b20153
2881aab6e692c0525d3d508c89480221759bb26d6a9e5fa56595838efe5db0d8
60c11b3685bf6c9c23cca22c440f1035ca43a37cdc4468e8c3ee65590fc1598f
541316a342c2973eb97eeee70a74a023e3f280e2f5f8893979eda15ab55318ff
a5fceaa60e61bc107521469cca705ecb8e7478d9088dc1db9a24398ac2bf122d
44a43a92eaaf73f061eac4756a945677670642f7036cf4b9b364f7df909e4b2b
bcc9db6f612014ed0af6110bb37fc9565c6299699e2afc510c477670139adb6a
df153c96c06c400e953a5d568ebbc36a7fdfedcb99baab67f87252150c9457a4
3258a072e0043407d3003ad7abbe646198adbf150cd69fbea3bb03b2078859c6
f40efe04a0924168cd659ebe5fa801f927f3918e47c3df3b9cb267d682f55464

http://emploired.com/ZpFvWHkpIOZ0Sl89_qI/
http://hoanglonglighting.com/03q47xywwOugYVF/
http://brazenfreight.co.za/keFNCAwCOCUbkf_lTFb/
http://cbd-planet.ch/7ON6ZtCGM_Wv/
http://foldio360.nl/kSZatJQy5U/

Creation Time	2019-02-14 15:22:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:
535dd500af21f1fcd2d774c871c85920c5a4e6e85e9e4c9ad7f6f863f945d1fe
82d8ea7296ebb0ab9e0837ad5f4720a3a93873bbdf6c6f1fdfac51a161abd2f9
fdfc9e81e97a868f7682abd638b4864716ce36dcf03c0c88ecde9944e43e7c29
45d5df97bab930cdccdc3a67d1bac3474005d4fedab5f68f4c2a425c6a9e29d5
f3974fa6b3ed42175ebb584065586c9d41679145823dca70513bc9bf1a8df1bc
ba193225e69c78464bfd795cf91aba262985f7d275828a4b7014af2e9f7e1494
130283482cb1afe672ae27f4be0f4a54059eddc1b8dd3406bad9a7cf46fa92e9
03c5e8f45f5a455f75c1b779492386d44a98c9e34eedffd36e1e84f920f608e2
de6fcfe8fe486daf9e0714e9571d480ac5c4403301b193b673f08530145ef95a
db9a1b0df6a3a5243aafb8242fc8066a4b8d874a123b56e10161b7b6cc2b7387
d3017bf3fef31086400ec840a4d3723960fa5f253645db27cf234b4f79345c6e
0b800d68629d09e457b01770eecec25262850047290199e5946098441e93720e
a5f874386ec47755e8617111846b2a41bb40a755fca2941350b43b6f9ba58557
5abf0e0ff50beae40763deb3eeb94fc9c8b1b3146fa1d4af4757a2c832a08dcc
d937abd1fbf2905ded05aa57010c1151335e1aed5970f92a1f29062934ba5eab
5f27f1b36393f4bb01d4367b2dad234ac11a033ec6a48e2b50975507ceab8027
596681297db052f2da5592bd4bdfddf1ca6c5c5eeea2c5a9779b0ae29ca74911
0a63296be569d27f409dd52ab1cac44d5354aae089de3f10812d4ee324cd60fa
cf7b411657d4645f65f5b0446624f5308e557d01b070c7e86bd3261ec37cbb92

http://shashlichnydom.ru/NbEDRSsyiy_Rl2/
http://wolf.camera/jkeU0iK6Mf8v_dy0Ad/
http://www.marekvoprsal.cz/s1yTiin0l_AUP/
http://www.eufacopublicidade.com.br/ULxnLcrzzz4E/
http://londonmarathon2019.kevinmiller66.co.uk/9bT6FbyqID9O9B/

Creation Time	2019-02-14 12:47:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:
239ff2db96ca0b04cecf3236fc042847b2a1a171dd047fd865ef370107369b76
ff4d9e0f17e7371ade4195e4fab373f654c0cc0f8ffb921005df119dc7305e7e
faab82751f26eba9bafcaa066cc22004e82e859059a43884fef3843b4f47eb2e
fd55e4422ee62676fe07fd81ae90c6654b2a334c73f50a83e85304a66994847f
dfcfd7d46f89debcb0c86f66dbea82c195f70d5caeedddea0f81694ebf75088b
1fb917d1a6a8404cc97fb7d17b64c191d6fb00c4f0e0649d16e7f4574703fd29
c422da6ff99c38fea927a6e08024d546c38a0e93402e5e819e700ca6ffe6d250
be634528eb7ad9426eeb533bf7c994e19fe715d33e395f5cb00c8e85c0cc75cd

http://www.sciage-meuzacois.com/gLqKayMq085SopA/
http://galeriakolash.galeriacollage.com.ve/B8KFy2zfZq4Q/
http://smehelpdesk.net/80nAwJ6zJxyj_VjzhHOQas/
https://samaradekor.ru/gbZRcGBbsDNGMYlc/
http://mail.propertyinvestors.ie/E6gL5cueEr_GE0DANu/

Creation Time	2019-02-14 07:18:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:
309129a58f1d6851dcd9d72a658ec11258eac9dbd8f889c810ed296a28886471
aca12b3f3331f25589065e6cf7c9e749804db805b00f930061f697b9c6d823c8
ad5f926f062e448cde3d9cfacd38d57db66488210820c5b39ef8e1d719b432d8
f7e4a0fec8190a4354973127e9f08b69eb219e7bedc91416cbbd6dab72fbfb9d
821ff9ebf0bdfd4c4c113a5bf6dce3577ad9efe913ac9b0f532f3b960b9b6e20
f6abf3c768fdc1c3ba9ff5192e740f8f641bae04467457bc22b722d0c0d05115
2a513c7ff89b67215de06bd11295f3fe11bbce26d47fe7368890f54ff6e2d067
76170daf591de5f1f31618e9f43c92ec59a157c5a0c3cda6ce228a75d4c64e6e
e824c6bc43b66825ea81a7ce0d9e82270776fe7ca95e7920ddb5d680edad99a0
aaa3b654dcc11de1f7b819485ba34d8e938aaa27b40854fa1472f2abc72559f5
87dabc381ed01a1da896f7d629c5b48b16531eb71afc68835436b1b17f68d953
2f022f5381a776ca0f44649bc4cd20d659917e821e4d4d753fcd7e597192ef0e
7fde9aa23b2bc6293a1e7dd4f95fea80c94d490c8a21967d20ca8919d635da3f
b6f6662a3c0d6f490cf441feb38e308ecdad3c4d8371036e717869366f8ad763
0d6ff348080fd6d7e225934f41e0e7e0ff09fd3b8ff79ed940805282b707f600
1f999c3451bea36ada1d97e8106681ef2b24a67d324aff42641fff42b58a0301
373375f71fed8ce60370d23037c65306d9ee1d67c3be14ddb0e64b70ef59839f
a485b17a7ae2719d37d77157f7add1fbc72e8930f23b3130ef44c2890b66d0c0
adba2e0b0cc316f0cc5d45fe7e2ae69dc3fb8510c1cc3103991e4893a6277fdd
2e72e06c767772a9ace4986b7e82f22bb5a86b4ecb5c8611cee0692200d0c770
a74159acb83e97eca7da81b6f5d45772bf2a30780b05254b62abc4927f7a4b3b
1e00a1ca23830170661110c2acdb062e68549dd55a5e2825367c7a5c5c188625
602c5c16dd41382ec2c3826424d6562c33a482e1ac6052a3dfe87ec92fa8584e
d4dd438440f5209a9ef454f32d55503833caf30f3a97b6454c9904c7ea463efc
297338214812f4f1ca90fe35488c37e9c67f39e3e7c36ff5a9ddcf6ca87c5309
45339bbfa3d8d6467cff9d7afa2fcabea74fd6be632e21dccff4353a4844b453
09af2446903f78f4e119c6f09c0370586202e7d7c32b2ab0951de926368849db

http://hifucancertreatment.com/wp-content/uploads/PKL8EApdvFOUn79/
http://spb0969.ru/y08GBl6toozB/
http://abiataltib.ml/FrbrnDxacZrXy9s/
http://dogstudios.it/ltBpABqV1Ns2_X/
http://harrington-loanforgiveness.com/EFdDyrxbzSS7_DlxXSb/

Creation Time	2019-02-13 23:48:00 (XML Based - ENG - Unzoomed Indigo/White)
SHA256:
9aba8a13a65140590ddd44505e2062ef0abd7d237597df171a5580fd3dd88583
45c97865c151923514f3febf221af75a4d649758533d54232673cf7df9f3ec5f
34c07e155931a1ac842190b48c101fe1d9c7d0c76510c17db7b321d3896b181e
997964c4a5c7201259c9fb53afa8f2ab39aeacedaa2d53989062ffb331b70e3d
f12c3d3147732dd1837e14f342cfd70c082708124d97558c9c5caf20a100bd3f
c1e542cb3be56dce530c4b97765a172a94d7b2b3e3cbf6d9fb2e23f2f10f8fb2
2f7248c175ec1da0279ae994e20d817c5d82a0af4ae77989868bf64a501b60a6
88eb0f7bcb66bc62b55621f50a19fb923350453cd6816cccc422dc32d9dad59e
c38e6b749e64976caac387bc52fe55279fdc9fe2630995626efdb0d9fdaea731
ff3f4879e17cd72486722d1712cf26a8d7a8f2d1f307d927a7940ed9e5be5330
88a2c90031155ebd1b406fe1524664efb62a6833512db27a98bc3c6416462aee
a965da800c5e4ffe753e22557c1746d63c01ba6c08280b853bba4a0e72e779fa
4068918e0d70f988023b85ebcf4177aae3f893604f9cc8766d43bf4f0c9266ad
8c6417f6a9d2d6256436c219e59232c0fdcafdbcbe8182b36c1e0370aa4055c3
79efd0c5cfc8f807bd4a3cfdf8994da0bbdcb54dd7d0e811ce291efbbe9f1502
139d633d16933b0d389164796f9ea35f965376d38e39a304440c7b9a4c245dbf
542577becb112330695a96e67f02926bd57020637e6a7756a3511711383550f8
fe543bf0b5918614e53130a7358098f6af1d7650867c7cde2c5e1cdd2a36c9f1
6c4a90e858e33965eed2a0da8bb29fa58c4b52a94824e57f4028d09795638dae
8ddd163ef158c0f5ea2c1b50029b1462088e5a98805449045d8d25e2cf6fe207
03c228319f317c2b78d1a041e396dddb067b2072f7d21d73db0aad149548c865
c4d5eb16e247de7d862e97622bfc7f1c37ddd21e73ba80e706cc7d10a5dc29bb
6f8babc146a8c3a582cabed6ef91731c2987f843e3a4623c0d951c0de13ee213
20fbb46e90f174bd6faab4af0d756c30e92baaf3b333926007a24434dec69035
052488cda45ad6ec29fbc46265495586eadd9e9e02b74f34b5d43b0a4293036b
dea89eeff5c8b4e855d406cef6954619c5add1eac5aac97f45407c02c141c2a6
e5c55d7780afd1432528adb675fa550097e850edc999ae28efcaaddd905573c8
78bb21dd9e0b70ad08bea194f26daead7af712907c64edc89e1632a0aea41c4e
2a9335e5a98d985878c7de229ee67ddcd92762eb1d875213773cf054af8412ec
cfe4efa103f660717a0fd3af9af97b5cf08fcb120c19a869c0f04d71a161114f
5d680196c68ac6029c83fdcf17b413e5cd82366c46326997f8b608b0e94d0de7
5072a0de55aa41713827fe476ba832c622bb5fc412b1ffc92fee45f5c3237e29
e299f7a1b7b7de00850d383f989bc12f1c16b06f6b1646f0b375fa1a452811fb
2d4d7fb923bca4b57f355c1e99ccd3f3057be2a7251db9c910b2f025187d0a56
f8a841f2d60e35c4f6b5651bc77ec27ee0ea378b5805d791255d92340a2fc1d8

http://pro-obed.u1296248.cp.regruhosting.ru/l29uxpBrAX/
http://farmsys.in/N9ttrjKXR7xE/
http://everybodybags.com/hsBstnnD9s2CpH/
http://eyestopper.ru/22h8ErlH8uzqnbb/
http://kuhni-vivat.ru/q2ECLyVCmWNeG_z2gp/

```
#### SHA256s for Epoch 2 Payload EXEs seen on 02/14/19 ####
```

808cdcfb9542a6f77f15a9e1e884415bb3cb50690ac2ef48d28e8b9a3ae5da46
40fc670a70845774d610f5ebb4b2bf3f1553f3a13482b5a32ea232524a944d0a
0b969fe7a914ac1245e070e141595552c4bfaa257ee443003bd90d7f7f300478
5d2fe086228efabc991789be9d716e69b058894ad5cbd36682e7363a0285245f
31c8f3764b695ac090796fc709f21cbf482a2757d9fa5d9088a60438bf5a463a
d6c65544285ff5b5d22f61edf5c4fc46b0c4e9850c8e7ebe51770d9ba881c8d9
38ece53ab9da86d8476415a88b809217ce76efa88474448b0b2a191011237cd0
1f6a30b0bc3e37669886678f51586570a31ec16b9d024f316ff86623ae050aa7
54554d6bea542e75d7bc7519eecbe785d9ca8ef68f21aacbb51ce6d806e2261c
f76715e20fc899af32561437b5180acdbdf3b54c7c61d6ffb11315a886bb109e
e52909ab987823dee0dc5352c85747b82ddb214587b827d8ffaa2198c4b7a0c2
ef760fd8b0a89a87957667cd5f7935a3452fd4a02be3dc5886b61c010ffa1369
9707949470b9cb3ef6a56d9d99026a543c3ff5bfafc4a885ef23d473af9b1027
3f95124fd47ea52a78ea2ff190f6b7d8dc84dd53748d2d33cc9b1f0ce50bbce5
d3acf67a05e277239ecebab372ca04319bc74db711afaae545c6fe6e85020f1c
14c829d93436c24a6c271b53dbf80f2c4419b30698aee78558c8f5494ad12c96
9dd9541635d17b9e1cedb15c0b97c1e2e3e7de91a618d5524e6ab6711cafd9b6
7a92cd75729fb8c146cf9c14c732759e31c1857d79049c167902e89393164cb8
b12e2457d79287b2c26b282aa271c8d48d2c44a7b94f15eb4ebfe9bededd15ca
964f01231d827d416fab3d480865bc7839a3680f3d95c79a3ad1ecfaaa72229c
37f0f36059fb52dc0d730b51ec6003e0282b31e354476cc3eff13456870406e8
9e1ac0e988685ea6cae11d65fc6e7c75b647e40bd87accc8bb7117ace31d4d14
ae8f99e71da44f1d8f38fc34cfd7f33673594fec5220f3f40d1daeba7d98851b
cef25cecde666e868ba2c0eb34ba4e3751b1d27535d254d046efbf70778039ab
3869620582570a1d59059620ef2d756c7d232c5ce2d9f563e9dd3f1e453d9032
b43d55acb4e63afc280c83765e4049aaa2de4cb64cb3bd8931b395210fd0c06d
70fd7eb41a4c8299db3d589e9ae3e3f13b0beb9d0a3aa7d4a256ef6020bb1640

```
#### Epoch 1 C2s ####
```

104.200.80.44:20
109.104.79.48:8080
12.6.183.21:8080
138.68.139.199:443
144.76.117.247:8080
159.65.76.245:443
165.227.213.173:8080
181.15.224.57:80
181.167.251.10:8080
181.56.165.97:53
185.86.148.222:8080
186.4.127.72:995
186.72.205.234:22
187.145.0.129:7080
189.173.176.115:443
189.178.109.181:143
189.183.68.180:7080
190.117.226.104:8080
190.186.110.202:22
190.96.172.225:8090
192.155.90.90:7080
192.163.199.254:8080
200.116.200.136:8080
201.212.113.14:50000
210.2.86.72:8080
219.94.254.93:8080
23.254.203.51:8080
24.194.252.25:80
24.37.161.242:80
5.9.128.163:8080
51.255.50.164:8080
51.77.109.100:80
64.40.163.8:143
66.209.69.165:443
69.163.33.82:8080
70.167.72.96:143
71.40.213.82:8080
72.47.248.48:8080
74.45.170.110:80
74.62.52.222:20
75.110.229.201:443
76.94.36.57:80
80.15.172.81:50000
90.63.245.70:8080
92.48.118.27:8080
98.121.75.14:80
98.238.127.216:21

```
#### Spam/Stealer C2s ####
```

104.236.185.25:8080
181.169.2.89:8080
181.58.30.155
198.58.114.91:4143
216.98.148.157:8080
31.167.70.26:8080
64.178.246.207:8080
73.83.148.166:443
74.57.246.27:8080

```
#### Current Epoch 1 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

```
#### Epoch 2 C2s ####
```

100.35.190.8:443
118.130.116.170:22
12.195.47.98:7080
129.24.37.8:443
133.242.164.31:7080
138.201.140.110:8080
153.121.36.202:7080
155.186.224.38:443
173.255.196.209:8080
173.255.250.241:443
174.56.183.132:465
178.62.37.188:443
181.1.124.16:8080
182.23.3.227:80
184.54.110.31:990
189.222.174.85:8080
190.114.242.130:20
190.183.39.78:50000
190.80.214.25:443
208.78.100.202:8080
211.115.111.19:443
217.13.106.160:7080
24.227.158.234:21
24.228.124.151:7080
38.27.109.250:21
40.132.40.83:443
41.21.224.121:7080
45.123.3.54:443
45.63.17.206:8080
5.230.147.179:8080
50.31.0.160:8080
50.93.34.66:443
61.76.180.18:443
62.75.187.192:8080
62.75.191.231:8080
67.205.149.117:443
67.254.13.154:80
69.198.17.7:8080
71.42.166.139:8080
75.164.190.148:990
75.97.212.250:7080
75.99.7.18:8443
76.94.226.173:20
79.75.233.224:21
83.222.124.62:8080
87.106.210.123:80
94.76.200.114:8080
95.10.12.151:80
96.37.137.42:80
97.96.130.176:80

```
#### Epoch 2 - Spam/Stealer C2s ####
```

31.167.70.26:8080
64.178.246.207:8080
73.83.148.166:443

```
#### Current Epoch 2 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

```
#### Credits and Notes Section ####
```
Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

```
#### What is Epoch 1 and Epoch 2? ####
```

What is Epoch 1 and Epoch 2? (updated 01/29/2019)It has been awhile since I refreshed this section so I wanted to update it and bring it up to date.

I have been tracking Epoch 1 and Epoch 2 since May of 2018. Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for
communications. Epoch 2 is currently the larger of the two botnets and I think it is the main push of Emotet. Epoch 2 WAS a smaller more rapidly changing
version of Emotet at one point in May/June of 2018. Now Epoch 1 seems to be the smaller of the two since this time period. Despite having unique unshared
C2 infrastructures, these two botnets have been seen to move bots from one to the other and show similar behavoirs seemingly controlled by a single
entity/group. Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an Epoch 2
document download site. Specifically, Maldocs on Epoch 1 will have a different document creation times and payload quintets than those being delivered
in maldocs on Epoch 2 at any time.
- Document hashes change very 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Monday's of every week a new set of document download sites and usually templates to accompany them are generated early on Monday morning/Sunday night.
- Both Epoch's may share a host for binaries or documents but NEVER the same directory. Eg. Epoch 1 may have an EXE in directory host.tld/A and Epoch 2 may
have a document hosted on host.tld/B.
- The RSA keys will change every month or so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours to stay ahead
of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from is to find the payload and then check the C2s/RSA Key.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

```
#### Community Lists ####
```

https://pastebin.com/ei6apJyL - @Bitterman59
https://pastebin.com/myGjpggd - @Jan0fficial - E1
https://pastebin.com/F8bZrLTH - @Jan0fficial - E2
https://pastebin.com/efBV2MXt - @pollo290987

```
#### Credits ####
```
(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic, @0xtadavie,
@Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial
@shotgunner101, @HerbieZimmerman, @Outkast_TI

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie, @devnullnoop,
@gorimpthon, @Racco42, @Jan0fficial

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz, @pollo290987,
@malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey, @Jan0fficial,
@OguzhanTopgul, @HerbieZimmerman

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and helping out with all of this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch
and @Virustotal for providing services/software no charge to this cause!

```
#### Daily Log ####
```

Short on time for Valentine's Day but Wmotet was not sending me much "love" until about 1630 EST. Then the floodgates opened and I am still
getting malspam from the E1 botnet. Up to about 125 now. All purple button invoice crap for the most part but there was some suspended banking
account malspam in the morning from E2.

E1 C2s are the same.
E2 C2s changed but the count is still the same. Recorded above.

Short update because of Valentine's day. TT

```
#### Sandbox 02/14/19 ####
(all with fakenet and MITM unless spam/secondary infection)
```

Epoch 1 C2 run on 2019-02-14 at 23:45 UTC - https://cape.contextis.com/analysis/37208/

```

```

Epoch 2 C2 run on 2019-02-14 at 23:45 UTC - https://cape.contextis.com/analysis/37209/

```