Emotet Malware IoCs 2019/05/02

1. ## Emotet Malware Document links/IOCs for 05/02/19 as of 05/03/19 01:15 EDT ##
2. *Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.
3.  
4.  
5. #### Epoch 1 Document/Downloader links seen for 05/02/19 ####
6. ```
7.  
8. http://12coach.ro/wp-includes/trust.myacc.docs.net/
9. http://199.com.vn/wp-includes/0s8rweczh_22mqot8ogd-004539243/
10. http://acli.org.ar/wp-includes/trust.myaccount.resourses.com/
11. http://afriplugz.com/cgi-bin/trust.myaccount.send.com/
12. http://allhealthylifestyles.com/9yng/sec.myacc.docs.com/
13. http://alliedcontainer-line.com/wp-admin/secure.myacc.resourses.net/
14. http://altituderh.ma/wp-admin/sec.myaccount.send.biz/
15. http://aplaque.com/wp-content/verif.accs.resourses.net/
16. http://arrc.kaist.ac.kr/new_arrc/verif.accounts.docs.com/
17. http://aseloud.com/wp-includes/sec.myaccount.send.com/
18. http://asis.co.th/cisco-sg300/verif.myaccount.resourses.com/
19. http://atakorpub.com/emailing2016/sec.accs.send.biz/
20. http://atlanticterraces.co.za/cgi-bin/verif.myacc.send.com/
21. http://autmont.com/vrgyd9u/secure.myacc.resourses.net/
22. http://aviciena.id/data/verif.myacc.send.biz/
23. http://bandit.godsshopp.com/wp-admin/secure.accs.docs.net/
24. http://bardhanassociates.com/wp-admin/secure.accounts.resourses.com/
25. http://blog.ahlanmagazine.com/vdpj/verif.myacc.resourses.net/
26. http://blog.amisz.com/wp-admin/verif.accs.docs.com/
27. http://blog.bookingham.ro/wp-admin/sec.myacc.resourses.com/
28. http://blog.memareno.ir/ozwh/trust.accounts.docs.biz/
29. http://blog.moonlightortho.com/wp-includes/sec.accounts.docs.net/
30. http://blog.refa24.com/TEST777/secure.myaccount.resourses.net/
31. http://blog.shiwkesh.tk/wp-admin/sec.myaccount.docs.biz/
32. http://blog.toothlab.org/wp-content/verif.myacc.docs.net/
33. http://blogvanphongpham.com/wp-content/verif.accounts.send.com/
34. http://breathtakerstours.com/wp-content/verif.myacc.send.net/
35. http://capitalmarketsummit.com/old/sec.myaccount.resourses.net/
36. http://cdaltoebro.com/wp-includes/secure.accs.resourses.net/
37. http://cisme.in/wp-content/sec.myacc.resourses.com/
38. http://citralestaripuncak.com/wp-content/trust.myacc.resourses.net/
39. http://coach.getfit21latino.com/ResourcesPDF/secure.myaccount.send.com/
40. http://coine2c.com/wp-admin/sec.myaccount.resourses.biz/
41. http://comfortless-showers.000webhostapp.com/wp-admin/secure.myacc.resourses.biz/
42. http://corporaciondelsur.com/cgi-bin/verif.myaccount.send.com/
43. http://craftsvina.com/testgmail/verif.accounts.docs.net/
44. http://crescentschooljampur.com/wp-admin/verif.myacc.docs.net/
45. http://currencyexchanger.com.ng/inc/secure.myaccount.send.com/
46. http://damynghetuanmanh.com/wp-content/sec.myaccount.resourses.biz/
47. http://danxehoichongnong.com/wp-content/secure.myaccount.docs.net/
48. http://data.iain-manado.ac.id/wp-content/trust.accs.docs.com/
49. http://demo.jjmayurved.com/wp-admin/secure.accounts.send.com/
50. http://despachodeabogadosbou.mx/rrx1/trust.accounts.resourses.net/
51. http://devoyage.co/walxz/secure.myaccount.docs.com/
52. http://dieetvoeding.net/wp-content/verif.accs.resourses.biz/
53. http://dreamsfashion.com.vn/wp-includes/verif.accs.docs.biz/
54. http://drmarins.com/wp-includes/trust.myaccount.docs.net/
55. http://dronearound.com.au/2tia/secure.myaccount.resourses.com/
56. http://eccninc.com/dri-one/trust.myaccount.resourses.com/
57. http://elenihotel.gr/wp-admin/verif.myacc.send.biz/
58. http://enhancers.co/abao/sec.myacc.send.net/
59. http://equip.tokyo/wp-admin/trust.myaccount.docs.biz/
60. http://exceptionalclean.co.za/p2ih/trust.accounts.send.net/
61. http://extremesandblasting.ca/wp-content/sec.accounts.docs.biz/
62. http://fastpacepersonaltraining.com/wp-content/trust.accounts.resourses.biz/
63. http://feenyks.com/wp-content/verif.accounts.docs.biz/
64. http://feiqichuli.cc/wp-admin/sec.accounts.docs.biz/
65. http://finergas.it/wp-content/secure.accs.send.com/
66. http://fitnessdenofficial.com/wp-content/verif.accounts.docs.com/
67. http://fitness-equipments.me/wp-admin/trust.myacc.resourses.com/
68. http://flash.ba/wp-content/trust.accounts.send.biz/
69. http://freelancerakash.com/yourls/verif.myaccount.docs.net/
70. http://ftwork.co.uk/old/sec.accounts.resourses.com/
71. http://fxbot.trade/wp-admin/trust.accounts.resourses.net/
72. http://geeyun.me/wp-admin/sec.accs.docs.net/
73. http://georgisil.ro/ltjv/secure.accs.send.net/
74. http://giambeosausinh.com.vn/wp-admin/secure.myacc.resourses.biz/
75. http://gianphoihoaphatgroup.com/hbqu/trust.accounts.send.com/
76. http://ginfoplus.com/wp-admin/trust.accs.resourses.biz/
77. http://gjtsc.com/wp-content/uploads/sec.accs.docs.com/
78. http://haisanthuytrieu.com/dgs/secure.myacc.send.net/
79. http://haisonconsultant.com.vn/wp-content/uploads/verif.myaccount.docs.biz/
80. http://hannahloweinteriors.com/wp-content/trust.myacc.send.com/
81. http://hc12366.xyz/wp-content/trust.myacc.resourses.biz/
82. http://highef.com/css/secure.accounts.docs.net/
83. http://hocngoaingumienphi.com/wp-admin/trust.accounts.send.biz/
84. http://hogiatech.com/wp-includes/trust.myacc.resourses.biz/
85. http://hogiatech.com/wp-includes/verif.myaccount.docs.net/
86. http://hssco.ir/wordpress/verif.accs.docs.com/
87. http://hsweert.nl/wp-admin/secure.myacc.docs.net/
88. http://iberian.media/tmp/trust.accs.send.biz/
89. http://icobweb.com/upswing/verif.myaccount.send.net/
90. http://iddeia.org.br/wp-admin/sec.myaccount.resourses.biz/
91. http://ilhankoc.com/bzgxi/QUDqTuqOEnZ/
92. http://imagesbrushup.com/zy9j/sec.accounts.docs.com/
93. http://industriasrofo.com/Connections/sec.accounts.resourses.com/
94. http://inetpact.com/css/secure.myaccount.send.biz/
95. http://infoforbiz.ru/assets/trust.myaccount.send.biz/
96. http://innowat.com/wp-content/themes/trust.myaccount.docs.biz/
97. http://insolvencyinsider.ca/onra/trust.myaccount.docs.net/
98. http://in-spe.pl/wp-includes/trust.myacc.docs.com/
99. http://in-uv.vn/cgi-bin/secure.accs.send.com/
100. http://istuff.in/heyi/sec.accounts.resourses.com/
101. http://jati.gov.bd/wp-admin/trust.myacc.resourses.biz/
102. http://jcci-card.vn/wp-includes/trust.accounts.docs.net/
103. http://jcwintersconsulting.com/cizx/verif.myacc.docs.biz/
104. http://jktpage.com/wp-admin/sec.accs.resourses.com/
105. http://joindarby1.org/oeof/sec.myacc.send.net/
106. http://jokercorp.com/wp-includes/trust.accounts.send.com/
107. http://joy.do/wp-admin/secure.myaccount.resourses.net/
108. http://juiceworld.in/wp-admin/verif.myacc.send.net/
109. http://juristelektrostal.ru/wp-admin/sec.accounts.send.net/
110. http://kamir.es/controllers/secure.accounts.send.net/
111. http://kevs.in/wp-content/uploads/secure.myacc.docs.biz/
112. http://khwopringtkddojang.com/wp-admin/user/trust.accounts.resourses.biz/
113. http://klikhbnr.com/wp-content/trust.accounts.docs.com/
114. http://kreatis.pl/sitefiles/trust.accs.resourses.com/
115. http://krs-tech.com/wp-admin/sec.myaccount.send.com/
116. http://lacvietgroup.vn/css/verif.accounts.resourses.net/
117. http://luxuryestatefinder.com/l9cy/trust.myaccount.send.biz/
118. http://magikom.kz/blogs/trust.accounts.resourses.biz/
119. http://maidservicesandiego.net/wp-includes/sec.accs.resourses.net/
120. http://maxilofacialosorno.cl/carevservice/trust.accounts.send.com/
121. http://medyalogg.com/wp-content/ai1wm-backups/trust.myacc.resourses.com/
122. http://mekosoft.vn/wp-content/uploads/sec.myaccount.resourses.com/
123. http://michalmielniczuk.co.uk/wp-admin/sec.accounts.docs.net/
124. http://monuahrafurniture.xyz/wp-admin/sec.myacc.docs.biz/
125. http://muzey.com.ua/wp-content/verif.myaccount.docs.net/
126. http://mytradingrobotforex.com/wp-content/sec.myaccount.docs.net/
127. http://nagajitu.net/wp-admin/trust.accs.send.com/
128. http://nainai.lt/wp-content/verif.myacc.resourses.biz/
129. http://newlitbits.ca/cgi-bin/verif.accounts.docs.biz/
130. http://nissanlaocai.com.vn/wp-content/secure.accounts.resourses.net/
131. http://noithat-fami.com.vn/om8n/sec.accs.resourses.net/
132. http://noithatgothanhdat.com.vn/wp-includes/sec.accs.send.net/
133. http://numberonefile.co.za/wp-admin/secure.myaccount.docs.net/
134. http://nutriexperience.org/cgi-bin/verif.myaccount.docs.net/
135. http://observatoriodagastronomia.com.br/wp-admin/sec.myacc.send.com/
136. http://oneconnectacademy.org/wp-admin/verif.accounts.resourses.com/
137. http://ottawaminorhockey.com/vurv/secure.accounts.docs.net/
138. http://ozganyapi.com/wordpress/secure.myaccount.docs.com/
139. http://pcccthudo.vn/wp-content/uploads/2019/03/sec.myacc.docs.net/
140. http://performancevitality.net/partner/verif.myacc.docs.biz/
141. http://perrysignslondon.co.uk/wp-includes/secure.accs.docs.net/
142. http://petnaestrada.com.br/cgi-bin/verif.accs.send.net/
143. http://pinarchitektur.online/wp-admin/trust.accounts.send.com/
144. http://pinpointtracker.net/wp-admin/secure.myaccount.docs.com/
145. http://pp.hotel-le-verdon.fr/wp-admin/trust.accs.send.com/
146. http://programmernusantara.com/wp-includes/sec.accs.resourses.net/
147. http://projektszkoleniowy.pl/wp-snapshots/secure.accs.send.net/
148. http://psychiatrydrugs.com/wp-includes/verif.accounts.resourses.com/
149. http://puneetdba.com/wp-content/uploads/2019/secure.myacc.resourses.net/
150. http://quantrixglobalservicesltd.com/wp-content/secure.myaccount.docs.biz/
151. http://rajasthanrajput.com/wp-content/verif.myacc.resourses.biz/
152. http://resourcesyndicate.com/resynd/sec.accounts.send.net/
153. http://revestimientosmac.com/m6y0/sec.myacc.resourses.com/
154. http://reviewhangnhat.info/wp-content/secure.accounts.resourses.com/
155. http://rezepte-gesundes.com/wp-admin/verif.accounts.send.com/
156. http://romanemperorsroute.org/wp-content/trust.accs.resourses.com/
157. http://school118.uz/wp-admin/sec.myaccount.resourses.biz/
158. http://senturklerforklift.com/wp-content/sec.accs.resourses.com/
159. http://shanghaitravel.live/cgi-bin/verif.accs.resourses.com/
160. http://simcom.ir/wwpq/sec.accs.send.net/
161. http://smithsvineyard.com.au/wp-admin/trust.accs.docs.com/
162. http://sonaudio.com/wp-admin/verif.accounts.send.biz/
163. http://songdung.vn/4d4ixle/trust.accs.resourses.biz/
164. http://sonnenblumenpellets.de/wordpress/trust.myaccount.send.net/
165. http://sooq.tn/g435goi/sec.myacc.send.biz/
166. http://spnewsthailand.net/wp-content/uploads/trust.accs.send.net/
167. http://spyguys.net/cgi-bin/sec.accounts.docs.biz/
168. http://stoneprojects.com.au/wp-admin/secure.accounts.resourses.com/
169. http://strategicseminars.be/qsql/secure.myacc.resourses.biz/
170. http://sukienthienduc.com/bga8/sec.myacc.resourses.biz/
171. http://summithealthandsafety.com/wp-includes/verif.accs.send.com/
172. http://tallerespeligros.com/un4w/verif.accs.docs.biz/
173. http://teiamais.pt/wp-admin/secure.accs.docs.biz/
174. http://test.cablemar.es/ixuw/verif.accs.resourses.com/
175. http://test.hotel-zulawy.com.pl/wp-includes/trust.myaccount.resourses.biz/
176. http://test.ruiland.com.mx/wp-content/verif.accs.send.biz/
177. http://thaiwoodproduct.com/secureservices/secure.accounts.resourses.com/
178. http://thedatingadvice.com/aust/verif.accounts.resourses.net/
179. http://tourbromomalang.com/wp-content/sec.myaccount.docs.net/
180. http://traveltoursmachupicchuperu.com/wp-content/secure.myaccount.resourses.net/
181. http://ttytnguhanhson.danang.vn/wp-includes/verif.myaccount.docs.com/
182. http://tusoportunidadeshoy.com/njd4/trust.accs.send.net/
183. http://tvportaldabahia.com/5isi/secure.myacc.send.com/
184. http://ulco.tv/1v7wu20/secure.accs.resourses.biz/
185. http://unitedworks.info/test/sec.myaccount.resourses.net/
186. http://vivafoodsdelivery.com/wp-includes/verif.myacc.resourses.com/
187. http://vivekmanandhar.com.np/wp-admin/sec.accs.resourses.biz/
188. http://woodic.cl/kfvd/sec.accounts.docs.net/
189. http://www.aim.co.tz/6lk9csp/trust.accounts.docs.net/
190. http://www.dktepdvpiti.com/tardal/trust.myacc.resourses.net/
191. http://www.inetpact.com/css/secure.myaccount.send.biz/
192. http://www.pomohouse.com/wp-content/verif.myacc.resourses.biz/
193. http://www.unborncreations.com/wp-admin/secure.myacc.send.biz/
194. http://xn----8sbabmdgae0av6czacej5c.xn--90ais/test/secure.accs.docs.biz/
195. http://youngwivesclub.co.za/wp-admin/secure.myacc.resourses.net/
196. http://yourbikinifigure.com/cgi-bin/secure.myaccount.resourses.net/
197. http://yourmobilespa.co.za/wp-admin/verif.accounts.docs.biz/
198. http://zemlakdrillinginc.ca/wp-admin/secure.myacc.resourses.net/
199. https://000359.xyz/wp-content/trust.accounts.docs.biz/
200. https://abafer.com.br/ekmr/sec.accounts.resourses.biz/
201. https://acquaplay.com.br/a/verif.accounts.resourses.com/
202. https://blog.bestcs.in/avhs/sec.myaccount.resourses.net/
203. https://blog.daxiaogan.ren/wp-admin/verif.accounts.resourses.net/
204. https://coach.getfit21latino.com/ResourcesPDF/secure.myaccount.send.com/
205. https://donations.mogpa.org/wp-admin/verif.myacc.resourses.net/
206. https://dp5a.surabaya.go.id/wp-content/verif.myacc.send.biz/
207. https://drtapaswinipradhan.com/wp-admin/secure.accounts.send.biz/
208. https://enpress-publisher.com/wp-admin/trust.myaccount.send.biz/
209. https://fmstudio.cz/wp-includes/sec.myaccount.resourses.net/
210. https://franosbarbershop.com/wp-content/verif.accs.send.com/
211. https://frequenciesoffreedom.com/wp-admin/secure.myaccount.send.net/
212. https://happyroad.vn/wp-admin/secure.myaccount.docs.biz/
213. https://inam-o.com/old/secure.accs.send.biz/
214. https://insolvencyinsider.ca/onra/trust.myaccount.docs.net/
215. https://jcci-card.vn/wp-includes/trust.accounts.docs.net/
216. https://jinkousiba-hikaku.com/wp-content/verif.accs.send.biz/
217. https://kreatis.pl/sitefiles/trust.accs.resourses.com/
218. https://lucky119.com/wzzeb/trust.myaccount.docs.biz/
219. https://noithatvanphongdanang.vn/wp-admin/trust.accounts.docs.net/
220. https://noyieweb.jp/images/secure.accs.send.net/
221. https://numberonefile.co.za/wp-admin/secure.myaccount.docs.net/
222. https://orionsexshop.com.br/wp-includes/trust.accounts.send.net/
223. https://ouropretocultural.com.br/pdf_espanhol/secure.accounts.send.net/
224. https://pinpointtracker.net/wp-admin/secure.myaccount.docs.com/
225. https://pizzabro.de/wp-content/secure.accounts.send.biz/
226. https://sampoernagroups.com/zohoverify/sec.accounts.send.com/
227. https://servyouth.org/wp-includes/trust.myaccount.resourses.net/
228. https://thebusinessmonk.live/custom-files/secure.accs.send.net/
229. https://thedatingadvice.com/aust/verif.accounts.resourses.net/
230. https://tiendacalypso.co/wp-admin/sec.accs.send.net/
231. https://vitasupermin.vn/wp-includes/verif.accs.resourses.net/
232. https://vivekmanandhar.com.np/wp-admin/sec.accs.resourses.biz/
233. https://www.cxta.com/ynibgkd65jf/secure.myaccount.docs.biz/
234. https://www.festapizza.it/wp-content/uploads/verif.myacc.docs.com/
235. https://www.jiajialw.com/membt/secure.accs.send.biz/
236. https://www.salondivin.ro/tur-virtual/sec.myacc.resourses.com/
237.  
238. ```
239. #### Epoch 2 Document/Downloader links seen for 05/02/19 ####
240. ```
241.  
242. /
243. http://192.144.136.174/wp-content/INC/LYcsWaUII/
244. http://4gstartup.com/wp-content/LLC/COfrmugcpIOEYNkHlXQKX/
245. http://5151c.cn/wp-admin/Pages/pwy9qlm7grbyr7j5t97oglxntvgg_hsh1799t-646996337353919/
246. http://9933.az/wp-content/LLC/6ph2d3hy9cxmypxhxaq3n3mmln_nq505ig9cf-284464809/
247. http://academic.ie/error/Scan/8ygdtxqmxnx0i6f343n4g1dxmk98_easz9a21i5-90983660/
248. http://ackosice.sk/wp-content/Pages/mz9baiazvn3un5e31dp9_rll1kx8-43767854460/
249. http://aesthetix.in/wp-admin/nnrgw8179ka7yzgt799nydbsechs5g_w485mw-9039736828/
250. http://akeswari.org/wp-includes/Scan/NRgtuE0DmxEc/
251. http://aksesbelajar.com/1rfq/5d0ivvw5cxhwhjj92jp_2o21aw-38711891620037/
252. http://americanpatriotlife.com/wp-content/PcSeumASzkBIpvfvJPBbFENgjKedWC/
253. http://anneko.co/wp-content/uploads/Scan/ZwJlWZLCLlq/
254. http://anshibalapan.kz/rlidgds/FILE/zq2t9qxei8aokhrnos5ugex0ul03_wc2fydnea-13642553156/
255. http://arcoelectric-idaho.com/wp-content/sites/hwhsaMJvOjoVHUbjBSTh/
256. http://b4events.it/ggrmwpx/jfIvRPxgMES/
257. http://banhtrangtayninhngon.vn/g6ce/esp/kvmtedfro5tcxbah0yz5aj3b_n6x9a4-5841358650/
258. http://bbctechnologiesllc.com/c2cs/INC/qbcz32xu92x00rsqlhz_pd00v0m-41136552480655/
259. http://bdsdalat.vn/cgi-bin/INC/bos9lxzna29lsyi1clme6se05_vnwyihpt-647885291573/
260. http://bejix.cn/wp-content/DOC/wu7vi5ys8i4ihf0ym_rrfprb-421640917/
261. http://bestflexiblesolarpanels.com/local/INC/ZROPVyXnFTicrXwGFOQ/
262. http://bkdd.enrekangkab.go.id/awstats-icon/INC/2ijymn26v7uarffbkd6lx_u0p6k569-27092581718/
263. http://blog.connect2school.com/WP2/fnWxFaKQCypWZiiVriyZFlgo/
264. http://blog.kingtelecom.com.br/wp-content/3j57y6gnx6_v785i0xb-4191312943/
265. http://blog.mazaka.eu/wp-admin/DOC/pzxoo2uy_knpm5u9ru-74491240662868/
266. http://blog.sabkishop.in/iwnq/LLC/xd00pw1f9ic_gy3cvmy-486221392/
267. http://blog.s-se.ru/wp-content/paclm/zkovy02nnutr0jjeg_6sai3a2wd-885879232997/
268. http://blog.steadfast-inc.com/wp-content/plugins/wf03fx7w6uv_lfhqooa56u-248047369/
269. http://blog.taxmann.com/wp-content/INC/kDSvKbPatSbXtqkFmEZqw/
270. http://blog.winburnrc.com/uploads/aalkowg7imwmxydqi_irzxw2-61291258298548/
271. http://blogs.ct.utfpr.edu.br/direc/kScyjjaDwMkMIvbnmGA/
272. http://blogsuelenalves.com.br/wp-content/FILE/rfruTfMTupjpqkwEIarWLv/
273. http://blueombrehairstyle.site/wp-admin/WTwFtrmTPyVSnESPjOoYOLtaIc/
274. http://bodycoat.in/wp-content/FILE/lHHnjYARzarrfJOaUUVxjqdiHI/
275. http://booyamedia.com/img/FILE/o3996ZMupUjV/
276. http://brikhotsoattorneys.co.za/wp-admin/Scan/ae6ppq9o2sz_yrsmo-7414038499081/
277. http://c919.ltd/wp-includes/js/tinymce/FILE/b7x4qk9djlfmhbgm4baqtmecxqrbi_y1gar1k8o-844248121/
278. http://cbl-mmg.com/fkya/paclm/rPIDBOQIFfWncWKfyrUcPKM/
279. http://coachbagsoutletfactory.net/wp-content/INC/hQYoIbbJjQkUUcrsCHE/
280. http://colormerun.vn/wp-admin/Pages/vumsbdgcjm17n8qtawde80lovhz_hd2dq07-777785434129/
281. http://community.diygeeks.org/wp-content/Scan/it53y8s7pkaizwi86h_aodr24-4164303803/
282. http://conceptcleaningroup.co.uk/wp-admin/RxvHrSdGSlfoZqOKGnON/
283. http://coralseasanibel.com/wp/Document/PTzybdTcbIDXQDtyHg/
284. http://corehealingmassage.com/wp-admin/TwhjPoZom/
285. http://courtesycarrentalbvi.com/wp-admin/LLC/gfewDoDPvGVWBfuzCjHhrBGjKgbPU/
286. http://dcfit.co.zw/cgi-bin/esp/sofkjyvvbmigfzj6xr5m3vfm6q2_fxofwekbl0-9953622915/
287. http://demirendustriyel.com.tr/wp-includes/LLC/8hrd0iaxtfca_drf3g-28237112672512/
288. http://dereza.by/thw4fgg/nmmbf-0hwiou-ziwmln/
289. http://dereza.by/thw4fgg/paclm/mgakkFzHUVVQWBQsMYqfeB/
290. http://detmaylinhphuong.vn/wp-includes/fonts/INC/6yh3xdsw_6902e0q7uk-20835125/
291. http://dinofils.com/wp-admin/7f53kw0suia3ty6mepq0nk5vqgpro_cspbx-45988021188/
292. http://dotnetdays.ro/cgi-bin/INC/73s559zuqod8z_g39odrkgg6-58079281636/
293. http://drkamalsgroup.com/wp-content/uploads/2019/04/IjEzvbBVv/
294. http://ecocleenfranchise.co.uk/widenationaimages/parts_service/ymFlZGNrUVVVpJoqnDlbYgt/
295. http://ecominser.cl/k2rojqs/WibouBpB/
296. http://economywindowcleaner.com/wp-content/LLC/xsk5ok6vtaggflyxax99dxlatptel_ubtjmzrld0-590157321/
297. http://ejder.com.tr/iuLYqpe6E/Document/skMwrTWsxo/
298. http://elitetransmission.fr/wp-content/Pages/ttrgxyacs2qcnklru_0jk32o4w-47168856156/
299. http://elokshinproperty.co.za/jtau/paclm/8ouar200imvhee4iy_f85p9l0e-62227938/
300. http://emersonprojects.com.au/wp-content/mndp3n5ia73am8h1_y58xx-933473224457830/
301. http://emgi.com.br/qcf7/paclm/ik6esrg52s7mo0oab5u847b_wa5y5dse-5036135867/
302. http://epsarp.com/wp-content/sites/bHgZrPCbDbqAlDAYdnJSk/
303. http://eqbryum.ml/wp-admin/Pages/r55lwa7xff7muytssw1pc_i4a8w44at-785512967/
304. http://equintl.com/wp-admin/DOC/uGroXsNXLXAMptvBvNAlhAmiehXUc/
305. http://equipares.org/site/wp-content/uploads/2018/agvlv16v64t0_44u9e0cr-5813176666637/
306. http://euwinecn.com/aa/hNDAhgQcvlTRtnJFxTNU/
307. http://ewomg.com/blogs/DOC/QHpryPqastqd/
308. http://fasian.com.vn/wp-includes/l7qivj8vt61s_a54c4ub2do-507402877790120/
309. http://febsmarketingnetwork.com/wp-admin/sites/mttnpZsVcwT/
310. http://ferrywala.xyz/wp-content/INC/w26vor8fa_1zlu05-559390994/
311. http://fitelementsfargo.com/wp-content/themes/gpukJrTUc/
312. http://forumbolaindonesia.com/wp-admin/Document/qvkndbamk21wwyjigi_048gkx5-5506768399/
313. http://fotobot.ir/wp-admin/sites/kkeb60wfibwst8utsbrquceq6gkh_or0pbfdl1c-754853850161/
314. http://galtest2.lansystems.it/old_bad/wp-content/languages/files_mf/Pages/rgaWNAUKI/
315. http://garden-solutions.co.za/wp-admin/DOC/irln2kvzv7yt0861rcrydr6lx_bz4tu5w-44510095419116/
316. http://gasdetector.dlvcorp.com/kosk/LLC/ODzDoYvGPJIESoSrUinLncHjfhAzHF/
317. http://gem-st.com/wp-content/parts_service/YReZAzpfGeeCSDdJLNGzN/
318. http://genercom.co/wp-includes/paclm/zJVaosialBsMME/
319. http://giambeo2.ballybeauty.vn/wp-content/ol0x41uj8rswaoo8j8p2ot13rm8_v2gf16-581586352038/
320. http://giambeosausinh.com.vn/wp-admin/q7hkjz-o7bnek5-hvgj/
321. http://gkmsm.ru/abuebz0/Pages/sedHliEaUfqrmTGVfmUvIYukOMQ/
322. http://globalautosaleslanka.com/demo/eyefyyXO/
323. http://globalmanagement-ks.com/icon/Scan/9uu9lvymdfla7abw2_t45a9-6549953609441/
324. http://gn52.cn/css/Pages/CmUzPDxvmcX/
325. http://goldflake.co/wp-content/DOC/gKdReBNPojKyHuBMuwejXE/
326. http://grandview-property.biz/wp-includes/FILE/CNHVOwKibgeaSNdRUsduFcTEDhlD/
327. http://grinai.com/web/iiz36l9bg_s0qjcz-661523208732/
328. http://gshcenter.com/wp-includes/INC/9o00dwr7_7bqcxz-902762918614/
329. http://gwangjuhotels.kr/wp-content/themes/INC/zi10oh8x17sow03sjd0gmkhwe73ie9_erzxfxy-08010765900018/
330. http://gyanenglishacademy.com/qzdz/JgeofgzEkrEOJ/
331. http://hadimkoygunlukdaire.com/wp-admin/LLC/a91wy7mq9qjman84_wbmw5h-5132787275214/
332. http://healthyruns.com/mb0b/Pages/4fe72wms5jwjy4xmd17crc3tqy_0ohwtx3by6-52970741/
333. http://hniold.mageexperts.com/html/parts_service/vpnfoa7tgl_qbrtpv45hf-64095293/
334. http://hr24.com.ua/saeu/DOC/gbbVNHvZlEDKZnqyNvimmS/
335. http://hubrisia.com/wp-content/uploads/DOC/YkEbhBHCuzUtrv/
336. http://humandevelopmentmag.org/cgi-bin/Pages/tomamkpzkwed8lahovafiih_0tt6gowlu-10562221070/
337. http://iimmpune.in/wp-admin/paclm/ufsi70uv65ehpl0fbmw7wgbgqemr5f_k46l8nl9t-02473911646814/
338. http://imboni.org/wp-includes/INC/fghz3tbu33yn_k66ebx-54661321/
339. http://inbudget.pk/cgi-bin/8y4owvesd9adv1lndmyvc_ow5s4u5-86373036587784/
340. http://inoffice.lt/wp-admin/lm/mYoJqtZkiHbtYOqwpWOTJhgjtb/
341. http://inpolpe.com/stock/Document/ofu14i5Xo/
342. http://insideoutservicessouthflorida.000webhostapp.com/wp-admin/fFHxSlaakMvhveUIioZauxXt/
343. http://ioszm.com/wp-content/VKvRtbEjecrTUWtZwLJPTASMB/
344. http://isais.or.id/wp-includes/LLC/49cbxeqakcy5shwwg27m_efdkv6ht-7871582409411/
345. http://isesyoyu.jp/about/LLC/mZ1wF5rYnD/
346. http://itai-ziv.com/wp-content/LLC/0Oq6cCbn4499/
347. http://jeannegh.com/wp-content/LLC/OyNxaZXYyhUYuomVB/
348. http://jivine.com/sechdule_css/Document/zveixqtll5o1qxlkdlkwwxt9_z2kzj-39972165/
349. http://jjescadasorocaba.com.br/cy3l/DOC/XvXcaodnCAhcgnSOM/
350. http://joelscoolstuff.000webhostapp.com/wp-admin/INC/z6ayxgq90dnienk_cd4ob-621061856/
351. http://joepackard.com/_vti_cnf/Scan/KeKA6fVN/
352. http://jsantunes.pt/wp-content/uBmDOLnXXjORmjqjFQO/
353. http://jvmahlow.de/wp-admin/Scan/td8nxrcnc9ntmco49_615sw-577633401958136/
354. http://kashmirrajitravels.com/inslawnetwork.com/DOC/RsrqryjkpcTNCjW/
355. http://kautilyaacademy.ooo/wp-includes/Pages/VxCgAezOEYFOJjATKjs/
356. http://kidscountnebraska.com/wp-content/Pages/cuxkCsUZPHPJygMchNn/
357. http://kitaooji-kinseiin.jp/wp-content/tdns46unnon8jp2d1kz5y6d2ms_zzcxt56kd-15051739986/
358. http://labpolimeros.eng.ufmg.br/wp-content/languages/Scan/otFLJySrnIhKGIkcldvDG/
359. http://lejintian.cn/wp-admin/lm/CUBhsurjIYlmEDiyUA/
360. http://leofy.in/gelp/Document/ec8q7ph1xjushb36_qsj7y7hhm-550883703428/
361. http://likenow.tv/wp-admin/Scan/8enhnhzil6srybsha7hds_7vmf6eni-6977368107404/
362. http://listings.virtuance.com/wp-admin/jlrubop9_zkct0-800845530/
363. http://lookingupproductions.com/wp-includes/INC/9r9hhHW8ClD2/
364. http://luanhaxa.vn/sqeh/lm/xyrrhdcyuk_qyirb-35314660/
365. http://lunchenopdemarkt.nl/wp-admin/1gx9f4i18sbtpgnay6_pzk58cuf-16086185627/
366. http://marinapuertocancun.com/oxbs/Document/or8qjmvo4enscx9g7u_yx35q4z999-77184234256576/
367. http://maxgroup.vn/__MACOSX/DOC/4duyq5gmcuu375q2589qi8k0i3k4h1_cgufr5-8018679562762/
368. http://mediaworldindia.com/yb5u/Pages/rgjwca60yjh_5br5da-48500802082/
369. http://mickreevesmodels.co.uk/micks_chat/FILE/UAduuYQEihX/
370. http://mindscom-learning.com/tadart/lm/xLBIADVVRoM/
371. http://mobilabmb.ro/wp-admin/Scan/aOeoCGqCk/
372. http://mountmice.com/wp-admin/includes/FILE/zKt47WG7/
373. http://mountmice.com/wp-admin/includes/FILE/zKt47WG7//
374. http://newlaw.vn/wp-content/efvlskulqypsl2nd4orzyvhl48g_329lp0eh4n-698685444/
375. http://nisi-web.threeon.io/db_dumps/FILE/ebk0cs8q4rkl0p40l_xgwtjp-892746124109/
376. http://noithat-fami.com.vn/om8n/DrTYRsrUBPflQwsmsHtZHjjfH/
377. http://noithatmodernhome.com.vn/wp-includes/FILE/8ki8brhz6a_l02dj34g37-67868487985325/
378. http://noticiashoje.online/wp-admin/1zg41spy6werdeneaq171gwp_cztmh-387974113007906/
379. http://notspam.ml/wp-admin/Pages/espLunAjWsTlpVEPozgWEc/
380. http://nurai-balabagsha.kz/blogs/Scan/thTxiTOGduWJiqhGjtazjsYswMRxs/
381. http://oldays.tk/wp-admin/NrZonfrDZuhzrZPxJEtA/
382. http://oliveiraesouza.adv.br/wp-admin/StaaBYzcwaSzfcfvYaioiZ/
383. http://onlineschool.center/wp-admin/Document/yGCsJSbouQBN/
384. http://onvacationbolivia.com/wp-content/Document/xyff3cuhe6mq9g65v1zo_5tcb1cxnk-0364266887510/
385. http://opportunity.aiesec.hk/wp-admin/lm/TpSDwXjG/
386. http://optimasiinstagram.com/wp-content/sites/XtGYgwXkDjyUngdjccbuyCzOaj/
387. http://organicsoilnaturals.com/cgi-bin/CDkPCakisBYsrrtMdQ/
388. http://ortopediuzmanlari.com/wp-content/nlew5xtyg8tgoo4_0ha8i3tr-46738080/
389. http://oushode.com/wp-includes/p52qit8igtsbl1iu11q5x9og_ngj2jtxgt-26697814/
390. http://oyunlist.com/wp-includes/FILE/E0dQF3BrjsK6/
391. http://painterzindubai.com/cgi-bin/lm/UAebSiKTegqLVzjfz/
392. http://palmiyetohumculuk.com.tr/ac/FILE/cx381gq8uamy_w639rrebp-0084802356989/
393. http://paulstechnologies.co.in/wp-content/whv1j27989t1wgoxk6l4d98mkpx_9dw1ti50-762822895267/
394. http://pawn-stars-shop-uk.com/njvs/sites/YInRYQRoca/
395. http://perkim.bondowosokab.go.id/wp-includes/Pages/jyatnkrij4q4zawhbxf9cj23fq6e1s_tf6ku1s16-697389466881345/
396. http://phoneringtones.info/wp-content/uploads/qx93_k68trw3j-15334/
397. http://photo-midorikawa.info/blogs/NehDOtipfblhIrbhQaKqHjGWxsa/
398. http://phukienlucky.com.vn/wp-admin/lm/i5ht3uo4i6dh_stnro248-12071005/
399. http://piegg.com/wp-content/77wszn7k8xpxs_97swpij7dc-39610063200/
400. http://pindekoration.online/wp-admin/FHEtHBRYvLndohrusbKOWs/
401. http://pippisvillavillekula.com/wp-content/Document/v5ds4g78blp6omprrtsk7idnink8no_mbvx3ng-74129967/
402. http://pontesgestal.sp.leg.br/antigo/DOC/JhfJgoVQyaWOHkaP/
403. http://pr.finet.hk/wp-content/uploads/lm/tJqbOIzpNnAojYjKfZZTHURdjYo/
404. http://pryscillabarroso.com/wp-admin/paclm/vqjl1ioxg39a6blblyirkq_cxfhick-442732817/
405. http://radiodetali-skupka.ru/test/NvsyvArgbUg/
406. http://rajachomesolutions.com/wp-includes/WCFVkOrSYEDRATDAUkVq/
407. http://risefurniture.com.tw/wp-admin/Pages/iJffXGPsBTfSbUPgvzxvOEsGtirG/
408. http://riverviewtaxcpa.com/uaoa/parts_service/zwbmrt1q2x58yuo_8b3j4-28129348/
409. http://rongsunxanh.com/wp-snapshots/parts_service/vwncn2bwcs0q3i_a0i19md7-2717020378875/
410. http://safesalesnembutal.com/dgbx/paclm/vxa4bpqvkpjcosnazgotks88a_yi3g70tt-384757861/
411. http://samcloud.spacialdev.com/wp-includes/INC/FhWddbcmDtUNHeeTNOUrBvsB/
412. http://sciencequipments.com/wp-includes/Scan/opJSwsBiMWVgvdWnArGVo/
413. http://scrawk.tusarranjan.com/cgi-bin/eaa21pta22pr6iykyyees_lbpo77dbp-41382782/
414. http://sdn36pekanbaru.sch.id/wp-includes/17hw-m4u9z-wyqfnf/
415. http://seashorelogistics.com/wp-includes/paclm/nq69a2c65h1fypr61_04awey6h9s-343465956/
416. http://sekerlerotoekspertiz.com/wp-admin/lm/djbeximl_b6ijux6-508278719010361/
417. http://seniorbudgetsaver.com/html/Pages/d23s9qtqxm2fadyv_unfiuqoma9-551449315/
418. http://shahrubanu.com/fkix/427zyjgqewhxzauclqwgpo9qe7icwp_qvp9i63-13273134/
419. http://srishti.saintgits.org/2017test/igyu321k9z7paz475xx_3u8wakyj-2226599603/
420. http://stalwartint.com/wp-includes/oxgzjt-7p3n1xy-tuwxltk/
421. http://static.solidbasewebschool.nl/zqs4/CDxNhHZgvvweaSyYM/
422. http://stlouiskitchendesign.xyz/wp-admin/paclm/iBJyRZwYcdJBHeTeZgKMXiNYmiJkGL/
423. http://stylmusique-dance.fr/wp-admin/Scan/gc02l101qcp0fb3crq_t59tqt2lt-359499060193581/
424. http://suckhoechonang.online/wp-admin/esp/1x0unvft2qaoi5ifkbs_omcsx43rat-0154653460/
425. http://sulfurvacations.com/crdservices/6g9j4aud1mkkl99ijuv3sbeq_t91rmyji7-08924296/
426. http://sunrayindustries.in/wp-content/uploads/lLnphTVtuoqRO/
427. http://support.forumias.com/wp-content/uploads/parts_service/wmXAenxRqOIJhc/
428. http://t3-thanglongcapital.top/wordpress/parts_service/rpPyyYVy/
429. http://tbwysx.cn/tools/6svcddg4f1fs70445xempwv3nlj_kf2cjdix8-32340747881580/
430. http://technologyaroundu.com/wp-admin/LLC/8zucy2lyrgaao9kx2ptuw_adwlfe94-302815615289/
431. http://tempatkebaikan.org/wp-content/FILE/FILE/7fHC23c2p5/
432. http://terminalsystems.eu/css/INC/wsaaMiF87o/
433. http://thejewelparadise.com/wp-admin/Document/xtHPDkvQRJcQCyBYoCN/
434. http://thientinmenshirt.com/anx/lm/vcAfPBOEqhcwUUpnETk/
435. http://thomashd.vn/wlztvi4/Pages/hSqJaRvn/
436. http://thucphamvandong.com/wp-admin/INC/4zxy6wohuy5oi56vuk_geba0-87278418202/
437. http://thuexemaydonghoi.com/wp-includes/DOC/UjThFKnWkCpRvnwhiaFslaBEIji/
438. http://tipa.asia/wp-includes/sites/134r5p8kj8a3lriryjrq_g3tkvxrb-2655475700978/
439. http://titancctv.com/img/f3q561kb_4hz9e-274656581165/
440. http://trangsucnhatlong.com/cgi-bin/lm/KRpYktxNuJSE/
441. http://tuankietkhang.com.vn/wp-admin/DOC/SRPTReQwAhQlUwuIOAJqFGAGXH/
442. http://tvportaldabahia.com.br/wp-includes/lm/gzzz5mmk7azg5588ps_7f3s67y-35513447950/
443. http://uberveiculos.com.br/wp-includes/6b2hgaij5nwk4jyksy7l_zftgygk-538562898836565/
444. http://uckardeslerhurda.com/5ala/DOC/OyMKYkpOuU/
445. http://ukdn.com/TempHold/esp/yQKTGLOKeWoZVhRHUpPRSxFsROHXB/
446. http://urbix.com.mx/phpmyadmin/SDnjSGLMoQfmJDRodqqZx/
447. http://urfaprojeofisi.gov.tr/wordpress/esp/QTRDDjhcHyypwHPSoyAbNFEOHXg/
448. http://valleyonlineshop.com/91/paclm/b3uk5rgs9a6ocnatocfy4dhd7kr83e_doib81a4o-79134162245067/
449. http://veatchcommercial.com/wp-content/Document/6cvgndodepzh2ylq_uei79m76-80083264081347/
450. http://veteransdisabilityinsuranceattorney.com/wp-admin/e6u3tl33f_srobva2p-05883247/
451. http://vic-cash4cars.com.au/wp-content/LLC/h9srpbxwz74iswwspuxgg3nqbt6ixz_c4ad5-20336652544/
452. http://viettrungkhaison.com/wp-admin/esp/kcRZGnoGRmZyWSzIXtxZoxDxIRYO/
453. http://visiondivers.com.au/cgi-bin/Scan/0kqbwuqg45c61i7_26k6nw-26176637028/
454. http://vivredeprinceintlschools.com/wp-content/DOC/pWGSuPqizJglmA/
455. http://voyage.co.ua/mailsend/Pages/jk5dyxkd0cb0jh8jy_lbnqgf-33112876/
456. http://vps1.globalintvps.net.in/wp-admin/GocJEAVdXe/
457. http://wave.ternclinic.co.il/wp-admin/5hrw1b7upoo_nmmwh5rr-60403298334/
458. http://wellmd.com/wp-admin/SJSYwQyghaqk/
459. http://westerndesertmob.com.au/blogs/parts_service/qPpYQXHxJa/
460. http://weterynarzpodlesny.pl/wp-admin/wMlWHKqHiilPWIYja/
461. http://wigginit.net/wp-includes/zx8r3i7y_ehwsl-588034380/
462. http://willandskillenablement.com/wordpress/parts_service/4j4lev0dai5t3wwcwxey0r3sne9n_uz0btl7-4518299129/
463. http://wisconsindellsumc.org/psnlo/lm/rUIpaWVqZ/
464. http://www.bimeparsian.com/jz/esp/dccKaumjHEDnzyzm/
465. http://www.dryvisionbasaksehir.com/phpsite/lm/GWAAZrrmocMLM/
466. http://www.economywindowcleaner.com/wp-content/LLC/xsk5ok6vtaggflyxax99dxlatptel_ubtjmzrld0-590157321/
467. http://www.rosenfeldcapital.com/claimnote/Document/m1n7kgnpx_od7e07kh-4148993504643/
468. http://www.steuerberaterin-vellmann.de/blog/wp-content/zYNaHPdFRXPFScDLeolQGyEmflqIjn/
469. http://www.tpc.hu/arlista/INC/zc8e7mbnfbyibeil6cpr40t2_egfrju-908915343535148/
470. http://xn--altnoran-vkb.com.tr/cgi-bin/Document/bHKDPmjljGCAXxkNlDe/
471. http://zerotosix.com/xclrqe/FILE/TkaQWUDxqVrFOGVxEwe/
472. https://5151c.cn/wp-admin/Pages/pwy9qlm7grbyr7j5t97oglxntvgg_hsh1799t-646996337353919/
473. https://arcoelectric-idaho.com/wp-content/sites/hwhsaMJvOjoVHUbjBSTh/
474. https://blog.thaicarecloud.org/wp-content/esp/pVbpncDCtzkAknbFKdy/
475. https://chunbuzx.com/wp-includes/LLC/PblfqESdvw/
476. https://coachbagsoutletfactory.net/wp-content/INC/hQYoIbbJjQkUUcrsCHE/
477. https://curmudgeonintransit.com/f9fm/DOC/fj19qanep33_msiv6q-949526099/
478. https://dec-u-out.com/wwvvv/LLC/M3NcmSPRY/
479. https://demoo.tk/store/tvrx2le53p2ph_63qresymi-20666281672606/
480. https://diaocancu.vn/diaocancu.vn/lm/BuuZMQGIlmaNGE/
481. https://diversitymbamagazine.com/wp-includes/LLC/FczZHqnLBvCbrbhATryXlijvhHdb/
482. https://elitetransmission.fr/wp-content/Pages/ttrgxyacs2qcnklru_0jk32o4w-47168856156/
483. https://eqbryum.ml/wp-admin/Pages/r55lwa7xff7muytssw1pc_i4a8w44at-785512967/
484. https://escolabarretodejiujitsu.com.br/v5bd/FILE/wt8rnjq52zjgsk143k0mriprv5z_sl6ui62cg-0835748684/
485. https://everydaygoodforyou.com/wp-content/Scan/GYRHKcxXuFvyRDf/
486. https://fitelementsfargo.com/wp-content/themes/gpukJrTUc/
487. https://fleurycoworking.com.br/6v6s/ts6ufepur7u0c_u6k2n1p-038515080596/
488. https://fotobot.ir/wp-admin/sites/kkeb60wfibwst8utsbrquceq6gkh_or0pbfdl1c-754853850161/
489. https://grinai.com/web/iiz36l9bg_s0qjcz-661523208732/
490. https://hadimkoygunlukdaire.com/wp-admin/LLC/a91wy7mq9qjman84_wbmw5h-5132787275214/
491. https://hubrisia.com/wp-content/uploads/DOC/YkEbhBHCuzUtrv/
492. https://jvmahlow.de/wp-admin/Scan/td8nxrcnc9ntmco49_615sw-577633401958136/
493. https://kidscountnebraska.com/wp-content/Pages/cuxkCsUZPHPJygMchNn/
494. https://kozjak50.com/pmdi/FILE/mYy29bTJ/
495. https://listings.virtuance.com/wp-admin/jlrubop9_zkct0-800845530/
496. https://luanhaxa.vn/sqeh/lm/xyrrhdcyuk_qyirb-35314660/
497. https://marketingunitech.com/wp-admin/esp/GQQvAUKZwvcNsZOuiZpUx/
498. https://maxgroup.vn/__MACOSX/DOC/4duyq5gmcuu375q2589qi8k0i3k4h1_cgufr5-8018679562762/
499. https://neweducationsite.com/cgi-bin/LUYvJWOQElixOte/
500. https://noticiashoje.online/wp-admin/1zg41spy6werdeneaq171gwp_cztmh-387974113007906/
501. https://notspam.ml/wp-admin/Pages/espLunAjWsTlpVEPozgWEc/
502. https://panelli.kz/wp-admin/Pages/mAWlGWHyssWkIOHAGPaaxNQNzRDSP/
503. https://piegg.com/wp-content/77wszn7k8xpxs_97swpij7dc-39610063200/
504. https://salondivin.ro/tur-virtual/1hygpz-b5ex7rp-uwhljmi/
505. https://servyouth.org/wp-includes/udda-e1pdc-wern/
506. https://studioeightsocial.com/adwt/Document/vd71k4ua_fwk0gp-742999824629/
507. https://tatsuo.io/uw0ldzo/FILE/bp92oyylmkllrs_cmtmevs-5106762849/
508. https://thanhdattourist.com/wp-admin/DOC/VYkywxMerYGIt/
509. https://thejewelparadise.com/wp-admin/Document/xtHPDkvQRJcQCyBYoCN/
510. https://thinktank.csoforum.in/wp-content/uploads/2019/DOC/SdycWQvhYEVfLIkwGYEuJ/
511. https://toyotadoanhthu3s.net/wp-admin/86s0vl3wunz4vg4w7veq6l53i_gd5dy-6390446360/
512. https://truyenhinhlegia.vn/wp-admin/esp/zzrvDhptxaCNTEuhrqDxHPRU/
513. https://tuankietkhang.com.vn/wp-admin/DOC/SRPTReQwAhQlUwuIOAJqFGAGXH/
514. https://uctuj.cz/DOC/parts_service/9gnwxfd1lgsqkuc9ubcq_ko25hpj-021295563/
515. https://ufc.benfeitoria.com/wp-includes/uMTeSxmlmOXNcHjqrptcnhzb/
516. https://urbariatkavecany.sk/wp-includes/e18ct7nfb92lr3i2m5p2fmfvpge_h95pvij-515950320361320/
517. https://veatchcommercial.com/wp-content/Document/6cvgndodepzh2ylq_uei79m76-80083264081347/
518. https://www.allowmefirstbuildcon.com/35rnm2e/esp/c8frws6nxk2ttaf6r898572_975855y-7811681013/
519. https://www.bimeparsian.com/jz/esp/dccKaumjHEDnzyzm/
520. https://www.mobilitypioneers.lu/blogs/lm/5yqyc89z7njo7cvw7gj_04roz5d-5355090859891/
521. https://www.newlifepentecostal.org/wp-content/uploads/2019/LLC/LLC/p3k5n42wjwi68vvbjo0aqpqlf7qr62_ul9b8-95646978580162/
522. https://www.ryblevka.com.ua/wp-content/qrBRyjUmVghuaTLERuZmjEJABTKadT/
523. https://www.steuerberaterin-vellmann.de/blog/wp-content/zYNaHPdFRXPFScDLeolQGyEmflqIjn/
524.  
525. ```
526. #### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
527. ```
528.  
529. Creation Time 2019-05-02 19:30 (From ZIP - JS Based - Fake Error)
530. SHA256:
531. ddba8ddfb7c42acb88fad6167a50fe635cdc0b0fff6cb60f5e3042521f2b178c
532.  
533. http://thecaramelsoldier.com/wp-includes/ihzn9vr858/
534. http://tucsonpsychiatry.com/wp-includes/pd70/
535. https://toyotadoanhthu3s.com/wp-admin/hf4zkre2/
536. http://trackledsystems.com/cgi-bin/jqywt14488/
537. http://uzmandisdoktoru.net/_wildcard_/c52633/
538.  
539.  
540.  
541.  
542.  
543. Creation Time 2019-05-02 17:42:00 (DOC Based - ENG - 365 Blue Box)
544. SHA256:
545. b58e3864e562525a60699e36a8ad7a3ab401249bdcd961337acedf902d4909a5
546. a31b9ebd3c79ea7d6240df25a22b699a77128eb315c332af18fdba229e784926
547. f6bbc014c60c228d15455feea62338fee9208970a48cce3b3ed7a77ba932454a
548. 499b3a9f33e403cade37a86e6687127799ea93e99a552449997923911a98137a
549. 2ffdd515695709b45de9c46598821cecdee63edc6c59a31842f2013330789131
550. 8d2de893cfdff2bb43f45e0daec423ef070eb67df0dcdf7b9393113b122f8a9d
551. 20b5c05fd912231f474b6cfb1c82ea1a952d1d835e6c7b39e8dcd38b16edb0e8
552. f8c9d27529f9d2bcce30ed8f010f5f246d5fd4e7f83f3b0b28a4bef3f255d441
553. a9eb728aa0336197b0774902ff30fe603b21351282f64704cc81bc1a3ae780ca
554. 72d94096212d0967a618fb2e02725fffc3a533b4ce962cec04cf5f619d4862b2
555.  
556. http://thesapphireresidence.net/wp-admin/06038/
557. https://toyotathaihoa3s.com/wp-admin/9tyajmn47897/
558. http://uttarakhandvarta.com/wp-includes/zzyyxm762668/
559. http://theanwarofficial.com/sitemaps/j7xrxu5162/
560. http://ukhuwahfillhijrah.com/site/c139/
561.  
562.  
563. Creation Time 2019-05-02 11:37:00 (DOC Based - ENG - 365 Blue Box)
564. SHA256:
565. 1eb9f65fe87d06dd3526e5f30f0f1523479ff7b8a54b08dc30e836d1d96bfa41
566. e004665169889580886ca75a05f8d7a7739a39a94e2eeaa95bab00d9618ad8bf
567. 32dde8bd2ec90cb902ec6388b633a90e6576b0e230f5caf5c031ce870aa75118
568. 84cc9df67defd40bb40d149b493ecc31e3b19eaa24cc5bc98d7d71c96b750896
569. d458f166cc96924dc0de21457fc0cf3f794e70f2758ff014f8c5a4e0872d5e44
570. 5cd8f49395d0be8d0495633f2ca6f5f275f5fbb83ddd7e078784220141865029
571. 4538e80e3e25c5be4491c0b52d4119d71654604556c6c3b9fd79317d4aabb18f
572. afa805779d05d4746cdd39e3f7ea8586b4cbb7736badb85194a673fad468ceaf
573. afc2ac4f3fc0cd3719696f2428c5c615b8bc418b4e7e497ed38babb64b0ed6fc
574. 02dd8f41e51cffce4934a64a6a17f23a901155cc742c4cc1001ae0a2104625e3
575. 786272ebe38cbd68f38a43862963357185ce28cf57d0d2816020dcfa0cb76de1
576. 758618b1815537ec64010eee51a98afd94ac2d582eb17574712cbfca113202af
577. e98d6d03d74c3b122f5a6eb72ddb2c864f825343a68e873179659ec499320532
578. 2a6df9cfbc9711681e8feb8466b61866ddcf4a8273907263c891677fa0db4d9d
579. 38f06de9e7af1ec6849436d3e82b02235b7ab72524cf22bcf954875e54a68bfe
580. bfb762973e7154984a922fca7b00e8169a93ca7fdad035c807e0f83df3daac67
581. 6b1c137386864e9e3f2bf4fab7cf7c8b55b600f6b346ee3c7c6ade2d8f47c46d
582. e9cc355b9b2c501a852825e354361d39910f68c1be617cd4370d32f2f9d65ebd
583. 27965403597d9dce6ba0fbc8d3f907fcf228898f52db58015a628f15335efcc4
584. ee12d6a7678d385cad6d92d505223faf379e765e2e4aa55694b49d462445ae64
585. da90642a84ccf0e03150cbce192af56cff8e5ec145fde46e2d41a86989219d28
586. 7caa4ded7e7be4167ac5991e8a563e231ae9b80813dd36f5618494e30886a700
587. 5949291f649526ff88f4742c813f89abdcf6e06335b1d42ca740b5e775a58169
588. 3c76fe0b00eee4d76979eb6f27a9395ff952967b39a6c02e62f5e988ca351cb1
589. 7e5a6e6ecf5554cebd655af3e1db09d80552510bd42af3af1cd364fa84fc788f
590. 52977ea9ddbf4be1c05c0ea100009b32ad85f4be401e647c9fe13a3057413c39
591. a84f95c0558d7b9d3a2a1b254ce94e82033e880445bc33e19ad57c8d76b90ca7
592. d814311450dcfc2294c8276cdf0bdc1758016f3e66ddbec0086348ed6a0eba04
593. 75fbe40d61fa1f15700afa46c21b4626dc159ee772727d0ff492e1e599e21f90
594. a1e6f1e524b4965d9e6feb6b062b305c77414f2b47dc58c16c8e6c0a1208d4f3
595. 652e50579d8b42205db403c898b6a29eef395121faa1f3a8d5e44cfa151c682b
596. 777f9b3a59f8082a608bbfee166e2ab7632a742616ba2c28e410580bba77b7be
597. 6316788989ab49e76f6ea46f35787128eeba3bb4cb860b36bbff791ffbff9a0e
598. 9afded52c30b230da28ab2add95ce4e0e2edc0165737a3a2a49ba51885835e9b
599. 6d1135a4791ba0ad4224d6c35d0229086bad56c922883e201d7a2604a6aa0e6e
600. ccee766fefaeabe6f07024efd2e73d697fe96574890859807ac8120422de6b8a
601.  
602. http://programmephenix.com/wp-content/languages/kjdx0ls2/
603. http://axletime.com/wp-admin/r0gmx40208/
604. http://5elements-development.com/wp-content/uoesp16/
605. http://bestphotographytnj.com/rrm9/lm83yx518/
606. http://citilinesholdings.com/wp/cysk9wh832/
607.  
608.  
609. Creation Time 2019-05-02 07:58:00 (DOC Based - ENG - Off-Center - Light Blue White)
610. SHA256:
611. 27f9f197a336e93d2f520b60ec3fa4e8e3b062f994f772e2af261414d2b26705
612. 1dd502d8d280a322cb97f2f738a3d731ea48f849c9d75a52300b56e293a09818
613. 553239859b03fa874dbb1da58799b9b0ffe0007f1d47c930848d7ab6098de072
614. 98ac62c5a32ed7eaa42cc552f172e968b09292c15233a19c7951c9ef10dfd84f
615. ad79acc87367bc014f33526b79ee8a0e71097eb2e383da4efa692e27e96273cb
616. f9b9b2777dc0ecea0601696230bc2cfcac0452ccff119a84bc86c14b81d02ee9
617. f2fea5754bdbeaa1aeb9b44499df21cd6f1c53b7e01ddf028548c443802aaefc
618. 1a83e067999d7270f9ffc59b474e317606e5760643632a3aa57547427ed9b81b
619. 7c26c03904ba19298d89b86815c39fce874013b15fd899a6f92672715da85f66
620. 2cec6207e10f66e6f17e2e562947c2d87e578e40ff39e0ffe919d539a5028bfc
621. 44b41f3c72d6b1cda27b4799895105e931f788f21d2a46629f42fd36fef89b1b
622. 92f10ba771b25d6adf4c786a0d65a97a7a1b5c90beb90545d12f3f16b68e9c52
623. c67b5c47df7b5d0346a97a59471c44bb6e71b3b688e19114ce2cce04b2375f9b
624. ec3dbdea4bf7ccf93ce6a7d14e3fc767b1568fc966fd412c48ae557746732479
625. d5924eb822b796f9b27ce2262b065c7fb14fc235bad718dd09766db22315d0a6
626. 1c60cd89f7e71dc9867ec2c1ad7327f555e7cfb26315267798ee54d4e414eb57
627. b9b623468f7367c94da5eab9cef1341d56a50a2880730fa3b3e933263c329f3e
628. 8d2bb644ad211dbf798452fa2d112bbfe2a45e8359543f6c3527eb0794535de4
629. 4210f3dd7b7dff7c6338ada3d0dadaeb6f35fef0288a679a80d8496e15323b3f
630. f6dc8645861e69c7413e6960a98eaf11b90c42d2e841523fb88f542b2ef770f6
631.  
632. https://www.limodc.net/bwi-car-rental/mpfg47/
633. http://hibara-ac.com/wp-content/uploads/r5zg416/
634. http://thitruonghaisan.com/wp-admin/d31l9/
635. http://ezviet.com/m267lxk/w1/
636. http://losgusano.com/emmw/z5vh6c090/
637.  
638. Creation Time 2019-05-01 20:15 (From ZIP - JS Based - Fake Error)
639. SHA256:
640. b4be331a9a01e5ee347770bbd63e1aa54d07febc0e3a7daeb77d171b301a483a
641.  
642. http://dac-website.000webhostapp.com/wp-content/7876/
643. http://audamusic.com/wp-admin/nt4v5zv04/
644. https://apk5kmodz.com/azlp/k751/
645. http://escoder.net/cgi-bin/u80800/
646. http://puntoardg.com/ybsph/yXP/
647.  
648. ```
649. #### SHA256s for Epoch 1 Payload EXEs seen on 05/02/19 ####
650. ```
651.  
652. a5bceba5ea336ba98164a941924b1c043c495a2a84c1091905d0ea6425299b0f
653. 04f38a4b742b88b501a3ed1949023ba9c92619dad4bb293c5903142f90fe9700
654. e935a9fff5f8a88ea9bee6b7e903dbc6d5059c48a031b38f2ed1229da9393fda
655. 4c2e68f3c9d1f5ceb2090a75cd637ee63302a26cc145334ef3650dd2769cb339
656. 1a4c6749ba27d2a039df15e770a16e900f50d97cb298e8e1b4bb638bf760db49
657. 3c0eff5ff26c90f89652d5e4e00a8b856e055b70378f364a30ae1c50fe41cf3e
658. 30bb20ed402afe7585bae4689f75e0e90e6d6580a229042c3a51eecefc153db7
659. 568d7b11f7989feb867ee6c9839d6eb9b7b9b6baa46837ceccf4085b7a91076b
660. 7ca8ef9629e18e231f5b2075f0c37ed9a31ff8043df1609ee727027bc31f5124
661. ad2875ec25e06a49783e8688ddae5c0779196b21fc6436d5ab0645c10865618f
662. 3ac469ccd3811c1ee2bd467d1836a43c512ed97d3ad9fa95962459a66d6fdc73
663. b24adc8f170e8b393ed6f9150da0a4a7af9fc75d6593f06653b2bc081ded2082
664. bd12a552b826f4ece4698d6d6b69420e44f2671b93825b700f9bfa4ed4936c02
665. 2d4f18928d962328d1559262138ac55ca2c54f5ba3b1a75c9a753d4507468910
666. 6f7b0a65b1dfd3695dd2742a40f0e298a9c85d7c1d7110a61069b1998a5846aa
667. ae8267af65eff4cdf73ba260478b3848b2786a9d0a455e3b8bae4a2180a7a6cc
668. d17ebe662f643cf09eeb752c5c762ff4bed75dabd4e4b7490622376dc7e38447
669. c32f22932584a6548c881f59f956c7b8121435502c56add50612e6dac2fed73a
670. 9d2f44585db7cb66f44520117b5f8e19711cc2df4965a3d504b8f69632c94ee2
671. 1025982e1f880ddc6d51a7287dba197240d03e5f2c8363de3919adc61a138d86
672. de4510ddb3bae906a10446c0858a587b1017028e7d35131812f7026473a0ca21
673. 0dba12c2686eb9ee98c7ec57b3563a4237914fd4e7d5b940345ff6c2e422fcc7
674. efc6a6d22ddbc378486fc556655dba16d9e86edad05760993233238dae2e1cbb
675. b9b4beb9f6b55ee5066b4ba0b87cc2cf0dbcdae67de621fcf104ca1bae24d680
676. e5cf907f0100e637e39f8b86bf1ab2b9f745bb894bb7da4156a0644fb80d669a
677. 864f5badb39b5785404d804530ee1c4f8017f433949a82e5d50705c165720bb2
678. 4fc09e2b1e35cdf526af2826b3f13e8bb2c1be4205b3fb54abfff3a99277d0c4
679. 05c1e1df147e37a53870ecec18bf84ebc33ec3803684bc56556f28a6a8bae385
680. ddd6ba58895766f143214f081b3e66d68ffb11086828cae056f91d1dd0efd945
681. 3741bbd22b53cf49f0b880bafba60ceefae13255dda495247e1c6272d890d3de
682. 7d3b811a7ce139de1c6481dc43c63a480c00f2f97ecbddcdb073ed2c8cf3ba03
683. 0b09f773617976cc5fbe67f400efd09a16615daf714ddfe5de29a840e62c5d04
684. a5679ea7d82a2a6af0f79a3382e73ef859545e8f375595cbb85b072d79a96a8c
685. 126ac7eae544dd51c67a075c15e3b8689e37e4e157be5c2be6ea69884a01d6fc
686. cf7ec2151d5e3196cd3635e12bc4d69baa8acdbcc79ece436829a124416d23f9
687. b93e52f1b7d03a8ba37add647403b8267773de119e63f6de9f5b695ce78d1f5c
688. ffbaba3df6fc217783b117a25e9ce24bf400dff5482a00193707ae0d3d8ebef9
689. ba887d40e8a7b2c00625b25a8484e39cf27ee27b1204f333b91af8c8eb7771c7
690. 1d4cc6c8106f90a0f951d2958baba66d938f95e845c0904c606ce7c81914b24d
691. aa31ca1a02c0c7d9d9393fe24bb0b17cf5366e02fd71a630ca4e2fb5647c63e0
692. f9f9602360f67e1e2b9c0e89e55b83a75fd72821b34f8c3200da7e0801178b5a
693. 2308bff272f4ef2511a0c2d32fdb46181ef3b83752c24219aeaccbd6c110cfd5
694. 2bbf431e5764d340352da793ef5dfd90b4aacaabee7a20bcd90f4d0cb1496067
695. 29486da6be3a1d12fd4012a9190c3752f7b3847272e452df53c589fa47464657
696. e7022fcc330ae61bea926a4f61247583c20f79533328c4280e01cbed47df639b
697. 556aa6b77f53268233a517a67f428ed92d10ae077a57831ededdcce16c4a798f
698. 4fac13173ada1e96e17a0d53076adc66b9bb41048ce4e56f59500adc5cb85fec
699. c352e77c458685679a5b9f20ff3b26f5f42f1d09388d06a7849b45747a6704a1
700. 8d419457d93c921795eec27924b152d07efa96558782272950fb7d4bc651dc94
701. 2c4a668f43f2fb12d7bf99ec1870ef7c7bdc33b7201ad753265d9778cfaee578
702. 390c430b9a3ed2abeba28fa34487f234c6eab3b18a47812d89e276a7320758e4
703. ca982bdafa4eec85775b2f47759ff83ad62a87b93f961b50f0f865cb25325075
704. d03fe574f8fa6126c74541f11474d9559c6dd8ce949e42fe5c0ea66dd8d4043e
705. 652824737480bb50d7d9943a8dbf5a192b600b5792ed0e5916f929fb52c2a90d
706. fe2959b5c241e78e8d99424af50cee0bc108d8167ccd30f42643f78e304d26eb
707. 893ae5cf3c326e9d6aba877510cf9b2073b5d67d8e557941b2054c78ba6b7745
708. 503c1f8d7aa9fb4c335f44c62390c8ac7daea8ccafa019f6bfa54de41f0915e7
709. 01b00324f21fb34576505a85963ee46153a23984f3959b640bd9daffdd0fa08b
710. cebe897a6c2c1e119084d1b68ff9671e4405e56ac3eb973d052ad724e0745ef6
711. d521cc53fc4f5a882768418c22eafef1b9290d380b77cce118b8c6a669444f30
712. 880bb6ea2a938a960827dd2c5a0ad4dde3feb6736e77e19f927ef4a99b4372d8
713. 94b73732e0ae9c95e418d4637e5d0b964fbbc74e3182d4c6c840e895cfe5107f
714. f294fbbafd14536e870392e30a4285b4a65048ebfcf1858291cb3699dd4e1819
715. 6c5378d6ba6ff07b0ce0f2f025cc8238c1dc1f81b399180d92f03c9239f49341
716. 2cfca42cbb8df0aae0fbfaf6c3b77452176285b9ff52da37e56791aa51ee8652
717. 09ab57c6d3d152efdab9eebf9aa4fd29f585ee6f647406682ca179102b98116b
718. ce709530a954dbe87dd829c4187dc9265c4b4acedeb708b6cd200f047080b261
719. 303cc3af9f31366219c6a2358c05a24531bf260b6defc9b6897392d211a5dff1
720. 5aec0b4289fac7e3413bd12dbb1840fa69a0d104818580ee1a812b5c2126f32f
721. 489ed6140b742d4bb2682ff7da80c5e2d67499ca2f97a1e2930472d4ab08da61
722. 5d4d3fe25bdd869847ba085274734d7e09afea99f172f855a21065c8710e1f74
723. bb4cfd3ba84467535b7e164fa165c2b10712c7344a9d216b18874f34e649e6bb
724. 8401b00b6fb0f3bf6507d6576475c909a6a013b998449a80b27321d6fd52f0f9
725. 164f46a11704351b8aa0c8a049be812bd7e992ba764a69ab6bd373c3e1db788b
726. c6bb94a5f0f1f297ec0e6b27067100a596920603d5ea1e2484f95060c2bc1bd9
727. acba54a4b5b72bba9b5b9036485fa0257c5dda20856f360dc8ea8cf0d764bac6
728. 5478f7400c77e6347d2002d235f92e522cefe6eb2902618bc0f0e40138419f55
729. e1822ac2311a869c8ea79c59b2e5c3081ae000d500d7e09574d651ca3e538c39
730. f157b22a20feeb0434ca66806ab77e590603a97c863656f0f734f1cde5e87b95
731. 6d7f0b555fbb9279c1de3447e01004c99813e3772ae41ae67742fd67560fd57a
732. f5764b9f57309dfba2a87b93497cf9162fca2f0dfc110ccb2ffebb16a54681d0
733. f4456e473304e3d438a3e7cf58d601c5b56d16b1b81ddcf5e5e16b1ec20c172a
734. 6fa555681b9e23903a652e6f0a5bc22f5db618b00c263dd874636502ed731e3c
735. 79d80412f4d09dc31d5f99ad663931b38a477bb0a6da8685376163dea21d947c
736. 9a7424efcd36756301589ccfa23cfa42ccc82e0fee29cb61fa3ff404714ba879
737. 7602c8cfa06e26a6416250904e17e088fbbbff8d7ccb2d3dd258c60a6920e843
738. 4384db57f8098be4eb16caa008dc7d87a349b02d9574c4ab5b13f50ee888fa54
739. 90cb1f8d6e6d54ac207dada4c686c794ecc03bcd232719e7bf37e1ecea96a199
740. b6b3e4bb2918655597fdb1363119ec230e3c8d37794059dc4b2f976c4a204608
741. e392370cc393aa7f23fd365625779b48d09669e8699fa09239bad257f4c418aa
742. 94e3dd6d07d2ccb2b4a5dee974af9c815c25777aa5e87962348d24f5991a182b
743. 375ff9ab594d2ef65fb6ef221e261220cce769eddf71869eb469914096f61819
744. 40f21c0af710962bd103f0d881a6f0bfd3ae9d2f0c1c5f8a1dcc90268ad35579
745. 48fd75ae1e9bca0a3a1666b035c50bf8b9595840ee865233d8bf58aa979a9c53
746. 5820dd4ee3893dc9f2a0cd523d4927cd23a9e4fb63a8d8dddd78e79869fa4333
747. f4aff8cb5dfb1fe35444eae46866e318398d96163eae5de17e8dd2921b91dc4c
748. d68217e5f0980a040567a66fc1f2c308527c44d69800122222b5c4edb12c390d
749. 83f4a0e4957d574fdbd7b79b99e511fe8a8b99c70b57b509fd9a571193188e3b
750. 40622910c037949966d62be0a7187a8a290b500f18303e08d9a492533dcd8c36
751. 6d88f78c1a1a57962bf393715e8968a68c5afcbcecb3e3883180b4291afb1a9d
752. 2588b5c34a3b67739e23fcd751fdcc24d94c52319e18e4eafcb6e7fbba21abb6
753. 223fc1e77320c0a515a20fb2de9c1914a47708dad5aaae4454b91288156dbe6e
754. 84d127321b93032e15bd170a291b072c548b12882c53d367aa52698bcaff12b8
755. 48260c3ffe79f8cf498502778c192a2cfca7b69866141a9a88fa75b0d0093557
756. 66aa942d8dc8714c54e31c733d37d5f6d29eb27ff64e3cdac40ee9ffcbed2f42
757. c7a696fb7cf6e210f114ffbf88e789e075904358bee61d81d4bf85312707312e
758. 93022b11ce1b14ce27a6edc912fddfca63cf53a844845180409a11c2fb1c5d7c
759. c31465c6ff3fb1ffbf48da86250e8ab62e8d192af81c886d1293d0ee082117a2
760. 1b6aa692ba88e13ddec659e9c601d305146fba99e16181467cdfe49c7b109918
761. 79a44b5796a6c8f3dbe3050dcb7cd9a53abd0b568903b5eb079d33d93f1d8a7e
762. c37f470bdb9d07f59a00c714bca64abb91584a040387d1a3419cd97e7b90bd22
763. 0e54a79e6387d6d2d260fe44680f651db4148d65d579db5fc284abe9a951e984
764. f9cbb23ef0d89593cadcfb443b6ec7eb789b3ab5cd7ed2afbbddf53be0f5e9a7
765. 3b5acf6213221055de8d43376ca1cb56555d30a944ff9f60ffe8cec6a8bd325b
766. 643e37cdc1863366d925409441ed240dd926040c0cf0ba97eb31167b111236b6
767. f357e35687a83a0dd1e8844ef01944db9658da4d616be6174b0730ab07f26578
768. fc7cf3f6bf9b02163ad46c045e008583b8e4432ebdbfb2f7d2bd4f098a91074a
769. ed397a5790f55d0d2a2439c5657763b99ba756247a8c8327ebd450b575ca218c
770. d7adad75b676060b0065fce8d74f3a41400a2b9b2e304fff8c7cb6a016877398
771. ccd26cf9cf606fb49a237a501e9e441cae962090bb6e5b24e4e93898ac5b3383
772. 73d49eaa2981d7de3ed1b0d252823c62c86ff1ca6ffd8e6c9d0aa294da75efa8
773. 8d8e3670e4e0aefcc95ac53fe2a5215b2513cbd804da5db6d754d026a3d64f5c
774. 29ce6ee552676eadc8f9c770d9c789c21d323a92acb61fd5471053f51ecc0e44
775. c6a767ba8c7fbd15990e376a2ecf6acd3933770982b7c591d35cce684770e719
776. 39c7cb54f8880626d582bb00f43aa28087558ef73a9b311bf6440ae168e6acc5
777. 8761299b8ebb2aed97151601195f42ced376e2e0aa83f99f0bbcbb00158627b7
778. bfa9f4346764ccf4f2b721cdb1ad12813907113071e7c4336cb0f68f12a04ec6
779.  
780. ```
781. #### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
782. ```
783.  
784.  
785. Creation Time 2019-05-02 16:38:00 (DOC Based - ENG - 365 Blue Box)
786. SHA256:
787. 990801c1de058647b506c19565ee7abf0c886af33defe87c185c91aa65f9b579
788. c775e0d5046bb333d8ec48ccee14f6b50a394d750836412c56c98f100efa3718
789. 8217083c9e4b5ff7f2e438a2e50d8fbc5f75cd170801dcbd6bf1592b4ee6e76e
790. 4146e3cf4f60248ab8855463ad47ac44eadfa77f85a93d219f31d7ee935d9da6
791. b9f18fa8392dd9be62fa5e88a7ce0d5e94998280d5e5021f073f6ba5bd3aa43f
792. 8d811bece1938911aa657dc5292eb1d12e09c27c1c53b0933cd390e1713fa25b
793. ca8b291d0dc68db57dcde7e61fa81d3da86f9c65c5006a6228e7fb80cd8ee651
794. f268669cf7822cdb42f9407a39e23549e79930c64deabf9fb45acb7c33aca728
795. aa801261e72e6b957bbe8aca839c416734b1739fb133a1890f59c191768d72f9
796. 15d6cb9824fffd568458004f7229d69b27e35d5832a06314821f924491c61f3b
797. f38d5609ce63487e3e63cdd748f198d3e2afff98ee43ed99880ccac6a883d3b6
798. 4f1f1458e0c5595d9643c0247bdffe0f225ccc61594a91c00ca039d989b946b7
799. 24f92e105f2203de4853e057f2ee4a32695a1d1cdf14d7d58e0e533d72e5d96f
800. aebc1103f9344e4926c8904a4f9a6eaa1edcae4a8eb2fcdf5c19d535737a0b57
801. e94720b4121c2f2d41e0ee3d754100229d76b7f7085c5700cc059ac806f0a59e
802. 61084b80fc69d146f8193be390def46f1f2098dd074a893154d32a5baaa2017e
803. ea4bcbe90240950b3246ac90b8c4dbf5c2f03b839328ea0583e893e0ad72ddb9
804. e3a103a9172dd50524b0c0964de06d03923e3570e35af57064955fbf000d459b
805. 354a0c17e9b347d1d27a3b8d605f7f1bf162d5ed17453430d9bd70ad026da3a2
806. 8349b412581a466e885158f9a83aee010856a203586fe21fb479d87fd23c2826
807. 8d2c0506d65c170fbc8989260a0f3a61ec6ca809c9d462fcb858cab170b6a92c
808. 279da8586939650e58af66d116101b17bc938c19bb18661aa9f44475bf1a5478
809. 4a4e5f7221b64a94e9ef4e6aa74464802d5156b0fed3258d36bc778233fbf8aa
810. 4f5f72888a2a10ba0715f11df129cff23d1ca9b1931a51e7d9fff93734f9fd92
811. ad7f8db9d25f63a5eb7a79a11d3a565cda0c31bdb3d6a4cd1fe72426f9fde0b5
812. 0971308893645e1e89941d0f1534015f97e2cb928d9109721c7cd7cd0ea1cac1
813. 6c1d9bbd9dcad8b950dcada8139a8b21e31036ae9d319050f7513d240ef31995
814. 63c779e66565a408efa9dbe3f38629a8b2e231eacfb78c1ea20f16d254eaa2a8
815. f3e6d361295086c6ba59367cd7509a310118f08c0d0324141b41b42dfbbc0657
816. a4439bd06300584d703127e8fd1d2261eb45b1a90ddcf65fcc8addd697a6a8b2
817. abc589d5ec63138ee0c588f744cb6c8ba59baed47e9316419c174ef6e6a7e393
818. 7b492a6aa0b683eb1c70b5363eb6649a63b0cf81cf23c8534546d71a762be37c
819. cd75e6f5d568dd055fc68f5d4fbd544dc851fb2423d08aae37d5b8243cd14e49
820. e13b9bf9d03d25fea984a5ec113277a7ee1b22941e392cc3614867c272dd3fc4
821. a0ebfc81ba0f08dae4cfdf68e03efa80addb7ce41083ecbf98370acd020459ff
822. 9412268f1f2c0eb9a06cc682d774e05495a3b4e468749c77e157a5a354c2c8d8
823. 77eb40705926158b5dc43657acd06acbd152a96b25ffa0c7570deb2d30f30a55
824. ddf9e67e5268bbcc69f0fc467ebf6dbf3a7a669e89ee9e24e4e40121a5546933
825. 5f4e455a7b03f049de3775140eec2cba95103b1cbb11acccd700533724bcffea
826. 48735c4ff3f7651891f927ad38236a63867ffcbd2a702e9a79daa03cd9c63420
827. 77097aa9879009420abd97243ad99b01d6f37aeb4a0f10db935af76d24071f60
828. d658d1c903a310720f251727c6671496fd6e83e4993c4646ec6bd48b2e3d6207
829. 0b1310aa7bb2e7465a222a04326079ef48b0c163b96e95a1860e79666b479b7c
830. 1ad6ccae75006eff67a6adefed9ab969eb30456f9bfa2badbf680767f36e4ad6
831. 5a065c412c5ca5029a12a0c5bb8fc9ea3fbe72f7b3a89fa7fbaede2f06ae8185
832. 0a0052896d023efd6db21fdb504e996474df83abcfe4ffb55b55bfd894125505
833. 0b7bd2da70c954088c58dbc28b9470dbb262ba21c13648eafd0a15b4814cf9d2
834. 0aba359f77ac576510a26b160b60e4b0bc470db5ec0341e64234681ec8c607c1
835. 592706d46283eeff5a73e3bc816333334ae78f9d1f8162cc5517f402646e8f71
836. e2ed5e816faac04190f6bbfeb09ed618a79bcc85d5a3ea6ace4a678cb715f4a2
837.  
838. http://pressuredspeech.com/dngn/cEmgNTByQ/
839. https://phoneringtones.info/wp-content/uploads/qx93_k68trw3j-15334/
840. https://freewallpaperdesktop.com/wp-includes/50lz_zkln03lbc-8209361/
841. http://safeservicesfze.com/wp-admin/ZmVYmAXv/
842. http://noingoaithatthanhnam.com/wp-admin/voytvHre/
843.  
844. Creation Time 2019-05-02 13:11:00 (DOC Based - ENG - 365 Blue Box)
845. SHA256:
846. d8c7142deff2a26b21e0a6d90be7dc9c182f9d0d1f12a78a73827f6ad9c28bb6
847. 11f45c2f0d6d243306cbd6c70c01f1efb2050836b14f4d669b7a471511ade739
848. ca014e6230918cfcc607b656e4d58d48a11f073abd1be05dbf3c5fd93c20bd5d
849. ca20d2a716b4f8a6f33a2817ea8dce45a08cf19883ad41b221fb2b12b75cceeb
850. 31828b00ccfd454be6bf5ba07bc67f0986b28057583cc2812a5e690c9b9afa8b
851. 29d5a0eb1f8b938839724b100c9d78b140e82567e8addd0d15bf06f98e61de90
852. 6fd96bc05d0194613f21bd6315bfbf2d6e4606b291ab673209ebd70ce801b5c1
853. b35b244a1b523f3cf796b6c6dbfe4a4d0fe1b3f733b6410dae9c86fb60128318
854. 733c298095ba5ebf571f1a1c965b4241dd96cfff7626aab4c287eac9bc45f7d8
855. 8e9d93194c497235c8905b587e9762771a44df5b5a62e334e0cb27a7d4f0ec3c
856. 61363331b4ed5c211a5108f4820e0e7b31451bb9fb50da87d537b88e01159528
857. 692814008db3acff680edd583633e98789c8458f795753f459410f89869d59cf
858. 24654f8db73340d450b7f0096eb353b5b764a0f53403da045534f4fb1407171d
859. 5df383f04feac1ecc7ff1cda2e577d97e612db6ded6d2d33830eaaa3fc0d569e
860. 3c37cb5bc7d34a299c3442b5d9877e8f4932af1dd6ca5a8b139a668fed5f9786
861. 676593b3137422bae95a34c1bc6e6c4966e8a1895feb948faa1c8edddef80e2c
862. 0b0b4e6628b0e040b4d1f188dba616fa53dfa0100e25ced74f9ee3ede164695b
863. 94f9a3e8cb648efb537b8a9a1e4510d286b80f06b04a72ad3ef9c4c474bcf810
864. 456c3edf43e0677174dad7da916faec9c2534520655a62ad5be950b123060dae
865. e1d98af63da307eae302d60d18a6b0be7361cd92514a4eb2a22209151d035348
866. fa0e3b3660ec8e52b4817f8e030a678bdc2308af9c111f8241901d1e0a7396db
867.  
868. http://pineloautoricambi.com/cgi-bin/CfXHkcupBR/
869. http://thaiherbalandaroma.com/test/yoWfczmHJ/
870. http://fiestasendirecto.com.ar/wp-content/YxOBaTgCa/
871. http://www.thesamplesale.co.uk/rprv/0xsqzs0va_mh2r8-58/
872. http://tarh.card-visit.com/eal8/RZnFltETpR/
873.  
874. Creation Time 2019-05-02 09:19:00 (DOC Based - ENG - 365 Blue Box)
875. SHA256:
876. 986dc14f11ea0f528b1b42056dff88e24e1834eeff08334897ad814335a6ba87
877. d208f3eff68d5739131aeb2b16c66c1b6afb8fae27517f1b7b9029d4ef8b1ce2
878. b1dced28edb0f204dfeddacb104281bf43b041d6dfb17f063aed46e5b5437998
879. 460bb3ec0ecd906a65785dd78b0cdc5493f99adc417a5f8dbde21ce4a9fa9112
880. a64dafa37b662494a38730bcc5e028b2531be116573db369d5afc8d881e33f8d
881. c00f51900f0ea1f2b2f180fce863a775f22285c5e714f71db05511ebbff40bff
882. 71f892530436e11f487144a6a0938fbca4ee47850fa221ca6518d6c2f9e4c837
883. 71bc0919dd2d7b84656383c07b7ea006e3c3e303c80a3d4b309485417aecd634
884. 2582818939828ca255c6ce74274a0ecac3f7d0dce6167eda77d6db061ab2a485
885. 8715b1a0fca07aa174dff8f761755d3879f305b1c5201960fda42ed8840822ae
886. b0ac55a9a3533916702fcb365a321abaf4990b73459a2fd1a32a3378cda957ed
887. ba194c165790fe37e147a5148a0e460acbf65bdbafbf0928bc1bd762359e0691
888. f369360d06eb8817d505540eef0a467948a1eac2752e0eb89fa308ce02987389
889. c4bb3c6de8d16d8d68841fd2fd8230fb13d8f7c51feaced318d5f41c78f15da1
890. fea2192a0625af323042fe1f31e647d6a4be939d0ad615b8eae445e1d29bfd8c
891. 19aa70715bb894cffe28f94b04951b36d44de3e38e334f2885d281dd464289ff
892. 05a8d63623061e357e6537d32e097ef07f792fbfbdbb534d37533e5f9632c5ad
893. 195a1fb436c1c7497259f18d4332423f886a38242d824dfc498ee40625ab82c5
894. 1c97b7f3209e9d9ec53eb970c19973fd0a805e6f621aaedd613235fc9fbe453c
895. 0fce56ba5ffc2f0f9d972591a22a18532cc8b5fbf0a807cbc4a61f4077e15098
896. 0902f960b630274cb21ecbde3e6224d1f72d570c624965528a3b02266630e914
897. 8e4a311d2368b3ef3374691d891e860542fbcd33a8c5df81d9264762449a41a5
898. 7f1c516c36a737bf48d2ec5556e1e3232d47994d94c10675f7c00ba10b04aa00
899.  
900. https://fepa18.org/wp-admin/vZJPXdJUKbsQoR/
901. http://infokamp.com/edmatvu/XcvhTJMoveELDQSwTUGIwp/
902. http://aaitrader.com/wp-includes/TdWfQOsyteJAaXt/
903. http://hoststore.ro/wp-includes/iIyDhkZnoKGa/
904. https://ioszm.com/wp-content/VKvRtbEjecrTUWtZwLJPTASMB/
905.  
906. Creation Time 2019-05-01 17:22:00 (DOC Based - ENG - 365 Blue Box)
907. SHA256:
908. 17f4ae8fba484e7fb87c16216ece4622556d70db4d807d8b0a4ac207eba7d015
909. 1f7f4adf00079e629d57f4d60246bad091aaf746a26386323e414d5dfe9cf126
910. 57f935a706180e4e617c73331cd0a57f8ae1fcaf0537e0fd11294aa0e20e0feb
911. 8849cbdb89ef44865f23e8745eee176d529ca564c20c66da99aa5c04db555ec3
912. d450310c315301ebd8307408f8a534d6fd108c8649bdf0557d2c375fd7feeac5
913. e67b66b18eae119a39f810d45ea3987486699e4d7b83f2a43150fb4a865870e2
914. 8c2940f2a0b9eeb17e9bbbb8c465085982bc20dbe2fd980c532eb87ca96f2090
915. e5bdce92d2075dbb2d3f7601032665a77672b238c34b72edc5af8dbc0ecd7912
916. e39ace0837155e85d59f5059bfe202ba3de02a88c848a6067c9965cadb79c5ae
917. d0cfa6322bfd78d66cbe8513075fb57b181eb60560ed6558c707d38110fc9c95
918. 22b56c3fff64cc6ccc21bcd5ac8a4ce68a75b19d7586475acbb445a45144e401
919. 677e0cc93380965dc2a1f323cf07e84848fcd41950daf4158e244113536896ac
920. a2fcae9f16ba8a88c03ba2fa986fa6f148dbaeac41f94546467a81b9846ae9df
921. 4208aa9b2a8e40195be3444efc9bc9cd2accf732b249c921025207feb62a0970
922. f65dddc5f054d91554fe20e60a06c22d0a8a6cdd6555ba5c7098e06150c66ec7
923. 6a817c04b3ec3fb6f85801ecf4999db95505445ecbc8f741cf2985972f2d6f75
924. 07ad82ee6f552024b89e9569759078672295762694af017f35f64bb7284b93c3
925. 07ad82ee6f552024b89e9569759078672295762694af017f35f64bb7284b93c3
926. 895e4424f07b9de1284d596c17b8e10dac11fade371885fb4e8d9c73bd2721ce
927. 314285230457396f78090f46f2faeff452e0f80e97f1b8fcc3371298cad19557
928. 438757f58f956c0bf3c4d88c3270f25c6bef6cc6c7599d01e2050871e1c7cced
929. b4acd9d62915cecb1ba384e9ef86b7b9b26f38f0c0ee405ba3b4a396b44b56a9
930. bb393d58b6809fff86d32f6a6b5f3af0de4ecdc371a6454ecd9fd2e47f55e59b
931. af6b2d8591fc986c0fcb199d2526efc8e0089ace577fdbb925a7334ba5eab4ca
932. c0d56c06f445e3284464894bb9855dac7036a7f5e0da7183ad31c6d0c2477db2
933. 1f4a46bf19d090bee1282d5920e1ce502620c0a50cb4d5165d735d5b52e4a79e
934. 51d6fab6ccf8fb3460ce156af02cfcbaf6098f74d37e5d323a3d9e2c07e4b8f4
935. e12f25d5aacd3c073171d6f5613fcca942c7cf9cec4cedbed74acb9dbee513de
936. f28f62f33ff6ea0d8d9708e54142e83603afe0bcdcf1206bca2f2dfa00e05b0c
937. 8e56b9601576954a6830441430cdbf339831df28e8b6a4c29fa76471d83594ce
938. fdafca6a40ef4527b1dae33e85b89efa3d854bf937e4cefe026518f191309470
939. fdafca6a40ef4527b1dae33e85b89efa3d854bf937e4cefe026518f191309470
940. 899845fe4fe39f97c37bde716b7ba0b19169ea817e93cfae5d7e3cdeed7fc639
941. 811f6ec9cc7105d1b81e5352a0b9f90df420a293afc43ba91507952e7cb49f72
942. 571210656adbfe8cde574bb15f96232169cdfb487f4597ce1a4532c7a0258f46
943. 64b75110604d920b41da5dedf56cabebac63da64a209a35cb664ba69764fb8a8
944. f0f7cfb434c2a3922d011186c1bfeeebf9cf5444b33cf90104ae09407bb65e06
945. f9aa8059e3a7418a2e686036ca8198cde4ba026f1d0b05ba2a32774825fb71a8
946. 72f28f83d17f71068693f8f34ea40d09dc75d111635427f1b58fa9d4cad29558
947. 404f20fabcaf9c4c086a38eb1cb139e49e2e08d6249ef41b88d7eb2c0e628bbc
948. 394d047267664ca7feaa87df65b83ef559a4a97d7660e855fd84ad39ca15c17f
949. f485bbf5f58215b48cf1d3435a75007749edb2a502238899c462b7f8b47c410e
950. 3b338a2b75997eba6f9666aaea6f422da3e38754657f4be7f7e0e9967c479a63
951. fa4963b59046a924250a2c0d7599ae98fec4d4d0ba1cdf8de575a7438c570563
952. 897c6162e1f5089706797ca8cc5e75026d5bbc7707bac7271767e378815e514a
953. 9af59ed0cd1f739a62f9e8f478b2d237913d0949d9ca7b0202a8d22115323f94
954. 9c51bcdb82373007744c0dd18a11c06decaa000f48880f23f1bf9a335e5af053
955. 60fef10a83e873748b44cf932f3e0fa0a0d891f414e591696daeefc00f0d01c9
956. fef5c94f160ac594834251f184900922b8b802d3b8460c3dd75f74e895e7fee9
957. fd0666be8043c1d58b39868e5236856bd32f80fdeb994081e9a1c59974fe101b
958. dc49d2d7421719050d62368d665c84629bb08d6874ade0bb8940f133b619d9ae
959. 854cdddb19feff91dc4b4fba1ec91452c996a460cd5bd9ea2ff6e88f8c20f66c
960.  
961. http://depobusa.com/foamorder/tObUfzBc/
962. https://www.plvan.com/wp-content/vPTKWuAOUoglbXLQxJufgAVZbW/
963. http://hsb.pw/e5t9/zbqlHAhTtRZd/
964. http://mestand.com/wp-content/akMmnMBbAPswO/
965. http://jobstud.ru/wp-includes/QIUEwMypGbuDbhAaEimcRofGNckbVn/
966.  
967. ```
968. #### SHA256s for Epoch 2 Payload EXEs seen on 05/02/19 ####
969. ```
970.  
971. 0139d5f3393114110523a0ea71b7b30d501be5c38f396cb942b71702bdad5dba
972. b92a484b17dd0e44b952822ef0820900b931f77480aad707f4e7d8af3f641694
973. fd6154f314914fe0e0e3dbca0be331be70dcab5e0bc8692e882d041053a109cb
974. 1b488aac749d96e9dd0091608fbea2467ee5241f4c4d6f7c099146396b8f53be
975. fc317b28b08515c6c5b16cba48deb8afa50d4f1292e79ce76bdee19dc913b461
976. 4b7f66ef2d6ad844e08416508a6f022331efecb85655a13a8a75f7732ef58412
977. 4b633f5e8245c61f3ec3a46cf245acb56f66f7caa72bd6157a01f422163edcc1
978. 682725e8ba8b5383e9cda584b67be4b0e1a4b521fe1ac428bc2699f65dccf7bd
979. 14da8e8051b0b163bcb6a6cce736bab0173804c8da57ce12eb665e630e1e229a
980. 4a0dbccd45e0163057fd7cf9f33719f71768868381ca95ced1c7ebf6620e4aa5
981. 61a108b133f8964df693cb0fa7087b680066cba4c317e73f05d988da74a5990f
982. a360e01a8777b08b618e01677c264e3f45719b0da50f24d783660626cfa7cea4
983. 27d6f4d39b0af4ec76b0372cfa69a3ca6c11004d3c9ba8bc082fffefc48e8c35
984. 710db143dbac331d8f696b67e39604391a269696d957afe0cc4c798ddc1c1526
985. 39f70a1393856b97175b5aa8eda32b6da0f6600f58ffd029d65826ce8a707650
986. 9c80bbc85101eed3a43886d783dbcbeea4fa72898406a07d8b710f79044fc865
987. eb8099bc018fb1db097f303b99dafe4cb07d81102209cdfe2406eabc97f66d54
988. 35c2d04c8b877ce46095f02273b0c23cdcfd7e9e76e93e195bdef170baabcc87
989. c7a6a3f927f5a7ada67f91c8609a3745ee579c3e63b76147494e50cf77a79614
990. 2f51263c1a9fbdecdd806809b39a29fc8bd1f84ba6dbefd260e12f3960d1d7bd
991. f3131feed900a3128d1fc6da0cd753d717936037fa92b04fb9403e3abddef267
992. 6657685b186d7e072376685468ac8f2ac64ae76b586b02afac9be5729f2817f1
993. 8247f6298dbfb5aa6d7f9ce1a58576547f7cdbb089d76129268aceb367ba7d42
994. cc26319bbb77b56f938fadce821cc0e6aaeb047b9a2dbf0bd2791be32bdf609c
995. 6f35d5ccbc35c1b6560e9c242274c13d2880f34a03caec1d9004ebd0d142e32f
996. c6ae5257ff2633ebd01a8103e43d7bb35a142e28a9c7d068a4beee163f350288
997. 9d762f0b106089ce170f31bdf626c248d5eadc8372dd3def6df531d838933544
998. 2e8b8ad9a3f86d616b0e51a4c69dd57722f1a31528ac75ea58e1994687a63a68
999. 5d7ba6f8e8b2953de1b71a89a41f5c5460a897eeba86db1221424c20e34b8de6
1000. 3bcd74eb064d631d895d6bdccc6446fe9c0e53fb5cfadd03ec349cc2508745cf
1001. c7e31bcd18e097b53f77aac99e9e3290ae208ffca36e4011d32de04e8d02e883
1002. 8dde5c3df0af262a5252549f3288f42aac599a649afb5b8fb7a7d18429ad9d75
1003. 3dc47ff912ce79f18c177a5e114c2cdd7e30962ca08107546cce59b28db9825a
1004. 9d5af1e5e35581344aca81cb15c9f94bbf26f767a1259f82dd33ec58af16a0ce
1005. 34288f730dcccd5152294b5ec6ca11317d69e333e9f34e597903d47b87994115
1006. b164b6db06e4372a3d9d3177725f8d64e424a0cb5b97fef7564464cb7e55d6c3
1007. 44cfe6a073ba14f3d23fa0a340f8b49f050f20f78200ed0abfeb6b6aecb7638e
1008. 90762b10adaa2ef61827e0e617e36809a4c56359ed56c8c46d179bae058c9f4c
1009. fdfdf45dfc03c3c2991385f7dcdeb33e8ea3cd5eeec19ed8169432284a4292ac
1010. 8f3408f3fc81e83ec623b7d1d2b5ded56f62ac74bbb9470db439467d93d688b2
1011. 3f79f7ab88c5bb3682dea5d8899823bfd3dfac0c93b5cbc9ee4ffb98ccdf9056
1012. f579be47727e9be4bf7386cccae98af8c5762f0de67e6ba3f050576827d0b366
1013. c05a889d62751e96e5fa2d95fde4692eebce6fd1d1427becfaa25b93d1e59d39
1014. 3c2e9ce3f68e52a9f944fbf723e265f99710913459cde221cdc17d34f28449b8
1015. 67ebe896ba8c32528affc78733dfc20284c1f8bdfbfeb6e58658aaa8e08e83a5
1016. 5e7ba25c34a6948780320423c4f1554098e2e59c221f44ae409c168016fdc34f
1017. b100b8905ca0652747efd09bddd043cd2f2c0e075baacafe5b01ab1ff5a4b6bc
1018. b6ddb89d617f97116cc3e3ae894cc62f040968c39c10b8c1c542d5df77212ec6
1019. 2b43ae0e2ae9dcec606ee2f6ef183caf00b85b7f3207e76e86433d4751c1323e
1020. c67e18ea855c49bc6c853b6970f1fb7b2901041a5b290218e7fd52279c122fd9
1021. c4bf558fdb6da807060414d7146c338c50e66037d88cc3973e8cc2ded57d8d0e
1022. 37466c19bba687306f7bb9d15a78f2542390d2887ab99f89f3e52c0b6dabe33e
1023. b7f145c761b67d8702f25c301e148f8b14582d75e2e9c7c9a0e108b1f928c0ee
1024. 5a25325d8e0b04eb42f5a4e26b3d67e459d21f10ab5e4648fd544a209f5aa23d
1025. 1b7c6c4aedb6e643487ca113608d72f09a431aa3491acae8458587b63de65fb2
1026. 5ddf46fa58889a227ff95ebcf05061769a5e526c7a7f097d69412839d39fb291
1027. 15cc6aea744144130950dea1abac2401d1f51c151e7c664ebc3e3df4cd6b1909
1028. 100a63eadc781896e7ad9def4340ebbe9f221798aba83ff2b580ceea2ccc38ee
1029. 852c81a19ec64efdbb3353b2dc3b9cd564996e4b29361f884dcc730717ab9df0
1030. 3fb189dc99f52402bb2cb1336b35afd2e221e607f60a7b3780528c6543409fea
1031. c4e8255fce89155bfbbd4767862733971c9306aa6a2d01fe82cbd45334387ddc
1032. 548c1bc7710a59d6ad33c3c3126508e52e63b8570badc3887f4e67fcfb6b91d2
1033. d6a27acd253a1946092d2b1abd800789c9e43df52cf5a522531028b4a5bec82d
1034. 57e8da94216e5bc5b28a79c465ef8040a4db12aa06ad91fdc3b562cd906cb051
1035. 55f5b6dc1e0ff0b674b322b301385c13b101259787e4ca977f4e7ff9a086b211
1036. 4e845c1e743375ea8c337d42e4d30ff4491dd1fe34afbd7bc260ca10a99e8c5e
1037. 8448c6957d755834a7f644a8d49e3094adf5c506ce32e0b157bfd7d60d025e6d
1038. efecccec4cf166a4d72bc2dd68f46310c55ce88131f910660635403633bed7d0
1039. 25d5ce0c95bfc75729efa56d8d0dec4e249144357bae0ccbca17f61a873f4089
1040. 7e7aa221638881cb37b280fd9824e7347fc4b519e9cdfdcc546ad5d3de1f78b0
1041. 611500650f0bff1315099d3712d6a443e13d3c488040a0bf3a5a5aa6471ba946
1042. 853409f1c256b9151a2567ce0c75d86fdea92c4bfadc8ae9381460b8369ef597
1043. 9c88fa19bd75bb4c34a5fe25c27a2f08846f4463268453610b00409fbae31cc2
1044. 2c5d86005043ea6ecdf66fc7fda301bbd22d9d5aae2115ab30109bf941d5dfd7
1045. 9ef9c01f42b204d85975d5475f9f6493afd2292a68666602cb8516bb8517a103
1046. b4c619d17fc86b39bdad1cf76a416eab966d5a8a46ec8b25164414d7c970f447
1047. 11e49778e470f4f98b729147fbe63029b9c22fbb40dc061ba3ba5c7edbc36df9
1048. ef85f1df03308b40716507203a71e1501ceb5ed5d71d74e1a089ddb8d5c0059d
1049. 8e870cdfe40e7b11d7a2b7978ad1a7abca3c1a276db07e33c9a1494ad4153ca1
1050. 723e2a6cac714b533b3846076907899d9833790528677c81d2acf3679474b9e9
1051. c3908e765c16319d95467f2e0257edf0df968d889caaf3262e9b9fad3e76b916
1052. c3f0273a8a97fbfbdba8027da06fd0cfcff36abba681359840cf99a71f81b0fd
1053. 6f6f1661ea7bc6f022f88cfc059e5fdf016d794fd9e5432082b56c879618b8a3
1054. 338f6a6cc054071c08a82b6ae8460427126e025225359e0b16f0f54a32fb67c7
1055. bafb626f61ebbc0f7056b8f9fba4995c8241077288084298b8134680445dddae
1056. 53b2abce85b3f2c261c33d98567c316e43f1ba65ed76e36b0850499cc68dd43b
1057. 5f0a0eaf37f81de04ad022348e50f126dde35354bfacfcb1815777049dec23c2
1058. e3b923ed549a34b0309be4e0b4538fa6f1f881905af7e622e95c827951de59f7
1059. ccf8423c8dfef5e0158bc8626dff73c8ffeed44facf62e8d05316ecda01381e6
1060. 44c47ce3b9f75b3d8775be16a0b2927a7602d0d61f5c25fd213c7bba9dda29d5
1061. 9484b9ab6c1e6ef3a5ba75ee23766a6996067e57105df6c8e13efaf9ba78a823
1062. eb0adf723100d7c2044bb96d333f104e0a3c62ae8d1baec91f40d627ff428628
1063. e442a8c1b7e19e2576f40ccb6751d7d34a2c56249ebe5583fb698790e28c8a6f
1064. 0866f591f33417377d087978c66e6939d36c32bd2d1e7e572f24730ea80559a3
1065. cccc1ccc54f9d889539cacc4be1a2d54f3813979a64aec5c8b27c12631fb26ab
1066. 35cfe4d2460b11ea8c240eccf2129a92f263b990ce1c06a1580ac90ae36ac4c9
1067. fabc080faad015e151c3bade908ccf70ada8828947461c2e1c26d07802552dba
1068. d62668450c1a95a5560756d37f6128ccd5ead425b11a7ffde131df4975c30bbd
1069. 34eeffa1a2d0facdf46989783ebdc5b0cd55a71ee1b535d93ea7a2102fc9a83f
1070. fbc2eaba1caa3bc650e3d098c9b7cdd45178c72b799f73169498819dc957d5ae
1071. a25f2e639d0f10ef4a503441d050263fcf75965fb9335045b6700b7a94c7bc7e
1072. f14ab77fa8c5bbf78a33c843c46d91f3a8bf67645389df08f10e51f03e449939
1073. 16cc274e63b246ab057793f97f645321dcc64d7b8c90179f24b68953f98f8fcb
1074. 60ba7d9129ee291ca713d86d91c8d8b8138c356e30c5a58cea1863e093a5de4a
1075. 4cefba804d352f991a08307af38187df192d0116521a6647bd3007b5b20ef48c
1076. 4ab07124fde0875689458403fa298e0413ca35f60baa1aff655bfc738d3f9e0a
1077. ee5a6caa4444084871449cf6f2385c6191f5c382761cd6223f13ee08efcbd624
1078. fc48b19fcabae3d5a4b9d2254fb3e42ef6ebfd721981229258c13b92d6d264ab
1079. 299c75f64d439ad734c456bebc444b3635339fd01c79e8fd2cd423e6418ed80b
1080. 1744dc89c20bfcbae1f7fb2a3026e6c306a81049c38b9900099ae54ea9791c42
1081. 93cf79ff996ba9e30f92fd3d0a7e2e27cf3ac0759d1bc3625ca58dd882031f6d
1082. 4cd9648a811b059ee43540eb499b46a15d8f8e6314c400bce79b86afd185bc38
1083. 19a8fee1ca628e49c2ee43acf796c6cd0a6065d9bfb1759e93d3fb0a83613c01
1084. d53231f84eb46224e4f7cd3c7e0bfe2bc09efba6f0302c16ebcf2d6ade912146
1085. 38a7c5792b7e10728d7b586fed4ee8e2719f2738ece96f2eb8ae080163abcd6e
1086. 6f76f6b51b9a9cec05f4150034c2bc9f6b0d7275563f8b68c245876155b92059
1087. f2ded594ad73d56c20117ed072c03e1d0b0c8ed099cf1c806a84506a410013b8
1088. 8d7709ed6d34e8637aff2a8aa78c75440874f7cfaf2668377e92f2ea405d130b
1089. 21f24e8fcc40ed43f86acfba78022a53b93456f770c61af6e9e62df8070df9d2
1090. f0d9f9f83c550617c9c5221b9a277926915eb983cb629968ff0713384e9d56e5
1091. 02338fd1762aa746ee87612d92067e73f787a5c7d13f42d44058ba11769bdd19
1092. d530161b8f01c24699e97cebd206c50e834e74c352e9defb50e194a2be268974
1093. 82a2df016af0708a590457d9b6b2db96800e30934e7b437c1a97fef85faf45ae
1094. df1dd5f50c6a365a3327d6d985a7d15aa14ebdaa6cda563ac57730e53dad964d
1095. 1c66cdaf670fde0ed8a09346395839c6ef8b7856a4dc1801d7eb3d64b6576c57
1096. 8a8a99282fcbe466ee20cd9c90a8bb7b109cf8b1e1598e30df6b6c9d2869196c
1097. b2ee80cb05e8f2eeeeb74c34e2ec8f890280ec2c990ccf4eb7df93f078986be6
1098. cc7f943b05fa5d7d63caa25e9f7b4bd883d1f43759e5d085269d1c0b3e9f9969
1099.  
1100. ```
1101. #### Epoch 1 C2s ####
1102. ```
1103.  
1104. 103.201.150.209:80
1105. 103.213.212.42:443
1106. 107.159.94.183:8080
1107. 109.104.79.48:8080
1108. 109.73.52.242:8080
1109. 115.132.227.247:443
1110. 139.59.19.157:80
1111. 144.76.117.247:8080
1112. 159.69.211.211:8080
1113. 165.227.213.173:8080
1114. 175.107.200.27:443
1115. 176.58.93.123:8080
1116. 181.142.29.90:80
1117. 181.199.151.19:80
1118. 181.29.101.13:80
1119. 181.30.126.66:80
1120. 181.37.126.2:80
1121. 185.86.148.222:8080
1122. 185.94.252.249:443
1123. 185.94.252.27:443
1124. 186.139.160.193:8080
1125. 186.71.54.77:20
1126. 187.188.166.192:80
1127. 189.196.140.187:80
1128. 189.205.185.71:465
1129. 189.213.208.168:21
1130. 190.117.206.153:443
1131. 190.147.116.32:21
1132. 190.171.230.41:80
1133. 190.180.52.146:20
1134. 190.85.206.228:80
1135. 192.155.90.90:7080
1136. 192.163.199.254:8080
1137. 196.6.112.70:443
1138. 200.107.105.16:465
1139. 200.114.142.40:8080
1140. 200.28.131.215:443
1141. 200.45.57.96:143
1142. 200.58.171.51:80
1143. 201.203.99.129:8080
1144. 210.2.86.72:8080
1145. 213.172.88.13:80
1146. 219.94.254.93:8080
1147. 222.104.222.145:443
1148. 23.254.203.51:8080
1149. 24.150.44.53:80
1150. 37.59.1.74:8080
1151. 43.229.62.186:8080
1152. 45.33.35.103:8080
1153. 5.9.128.163:8080
1154. 51.255.50.164:8080
1155. 62.75.143.100:7080
1156. 66.209.69.165:443
1157. 66.228.45.129:8080
1158. 69.163.33.82:8080
1159. 72.47.248.48:8080
1160. 77.82.85.35:8080
1161. 81.3.6.78:7080
1162. 82.226.163.9:80
1163. 85.132.96.242:80
1164. 91.205.215.57:7080
1165.  
1166. ```
1167. #### Epoch 1 - Spam/Stealer C2s ####
1168. ```
1169.  
1170. 31.172.86.183:8080
1171. 104.236.185.25:8080
1172. 50.116.63.9:7080
1173.  
1174. ```
1175. #### Current Epoch 1 RSA Public Key ####
1176. ```
1177.  
1178.  
1179. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB
1180.  
1181. ```
1182. #### Epoch 2 C2s ####
1183. ```
1184.  
1185. 103.255.150.84:80
1186. 103.53.44.20:80
1187. 109.194.50.231:80
1188. 119.15.153.237:80
1189. 119.155.153.14:21
1190. 119.93.243.2:50000
1191. 124.123.42.93:80
1192. 133.242.156.30:7080
1193. 136.243.117.85:8080
1194. 138.201.140.110:8080
1195. 144.202.9.18:8080
1196. 147.135.210.39:8080
1197. 149.167.86.174:990
1198. 149.255.56.242:8080
1199. 162.243.125.212:8080
1200. 167.114.210.191:8080
1201. 173.255.196.209:8080
1202. 174.93.130.148:8443
1203. 175.100.138.82:22
1204. 176.63.173.71:995
1205. 177.230.108.144:22
1206. 177.242.214.30:80
1207. 178.152.78.149:20
1208. 178.62.37.188:443
1209. 178.79.161.166:443
1210. 179.14.2.75:21
1211. 180.150.87.75:22
1212. 181.39.51.243:993
1213. 182.176.132.213:8090
1214. 182.188.47.206:990
1215. 183.82.110.170:53
1216. 186.4.234.27:443
1217. 186.85.38.31:443
1218. 187.189.195.208:8443
1219. 189.134.78.42:50000
1220. 190.112.228.47:443
1221. 190.193.18.37:20
1222. 2.50.4.159:443
1223. 2.50.52.255:20
1224. 201.220.152.101:80
1225. 208.78.100.202:8080
1226. 211.63.71.72:8080
1227. 212.22.215.140:80
1228. 213.14.166.152:990
1229. 216.98.148.156:8080
1230. 217.13.106.160:7080
1231. 217.199.175.217:8080
1232. 37.211.38.50:80
1233. 41.169.20.147:143
1234. 41.220.119.246:80
1235. 45.123.3.54:443
1236. 45.33.49.124:443
1237. 5.230.147.179:8080
1238. 50.31.0.160:8080
1239. 50.99.132.7:465
1240. 58.65.211.99:50000
1241. 58.9.168.7:990
1242. 59.103.164.174:80
1243. 62.75.187.192:8080
1244. 64.13.225.150:8080
1245. 67.205.149.117:8080
1246. 69.198.17.7:8080
1247. 69.45.19.145:8080
1248. 69.45.19.252:8080
1249. 75.177.169.225:80
1250. 77.56.253.112:80
1251. 78.100.187.118:80
1252. 78.186.5.109:443
1253. 78.188.7.213:8090
1254. 83.110.155.238:8090
1255. 84.241.10.111:53
1256. 85.104.59.244:20
1257. 86.99.35.122:20
1258. 87.106.139.101:8080
1259. 91.205.215.66:8080
1260. 92.154.101.154:50000
1261. 94.130.35.140:443
1262. 94.76.200.114:8080
1263. 95.128.43.213:8080
1264.  
1265. ```
1266. #### Epoch 2 - Spam/Stealer C2s ####
1267. ```
1268.  
1269. 198.58.114.91:4143
1270. 213.136.86.219:7080
1271. 91.205.215.10:7080
1272.  
1273. ```
1274. #### Current Epoch 2 RSA Public Key ####
1275. ```
1276.  
1277. MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB
1278.  
1279. ```
1280. #### Credits and Notes Section ####
1281. ```
1282.  
1283. WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
1284. is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
1285. https://pastebin.com/u/jroosen
1286.  
1287. NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
1288. I am providing them for your benefit in case you want to parse them to be sure.
1289.  
1290. ```
1291. #### What is Epoch 1 and Epoch 2? ####
1292. ```
1293.  
1294. What is Epoch 1 and Epoch 2? (updated 03/07/2019)
1295.  
1296. I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
1297. payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
1298. Epoch 1 is currently the larger of the two botnets(MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more
1299. rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
1300. This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
1301. to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
1302. time period.
1303. Here are some observations I have noted since I have been watching these botnets:
1304.  
1305. - Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
1306. Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have a different document creation times and payload quintets than those
1307. being delivered in maldocs on Epoch 2 at any one time.
1308. - Document hashes change very 10 minutes on both Epochs while distribution/spamming are active.
1309. - Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
1310. - On Monday's of every week a new set of document download sites and usually templates to accompany them are generated early on
1311. Monday morning/Sunday night.
1312. - Both Epoch's may share a host for binaries or documents but NEVER the same directory. Eg. Epoch 1 may have an EXE in directory host.tld/A and
1313. Epoch 2 may have a document hosted on host.tld/B.
1314. - The RSA keys will change every few months so for C2 communications on each Epoch/Botnet.
1315. - Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
1316. *- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
1317. - Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
1318. - C2s are never shared between Epochs/Botnets.
1319. - Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
1320. via C2 to stay ahead of AV defs.
1321. - Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
1322. - Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
1323. - The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
1324. easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
1325. - Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
1326. spam template, word template, document type and even payload.
1327.  
1328. If I think of anything else to add or if anyone else has any suggestions, I will add them here.
1329.  
1330. ```
1331. #### Community Lists ####
1332. ```
1333.  
1334. https://pastebin.com/ZrG4Esuj - @HerbieZimmerman
1335. https://pastebin.com/aYRnNU44 - @malware_traffic
1336. https://pastebin.com/SNWLK5BW - @ps66uk
1337. https://otx.alienvault.com/pulse/5ccb53f09ffabffe44f5e5f5/ - @SecSome
1338. https://pastebin.com/XF9r4JwC - @executemalware
1339.  
1340. ```
1341. #### Credits ####
1342. ```
1343. (OC from @JRoosen and/or combination work of the following)
1344.  
1345. Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
1346. @0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @jcarndt, @gorimpthon, @Racco42, @papa_anniekey,
1347. @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk
1348.  
1349. C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
1350. @devnullnoop, @gorimpthon, @Racco42, @Jan0fficial, @lazyactivist192
1351.  
1352. Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
1353. @pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
1354. @papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman, @lazyactivist192, @TrendMicro
1355.  
1356. Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt
1357.  
1358. Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
1359. helping out with this!
1360.  
1361. Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
1362. @digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
1363. @urlscanio, @TrendMicro and @Virustotal for providing services/software no charge to this cause!
1364.  
1365. ```
1366. #### Daily Log 05-02-19 ####
1367. ```
1368.  
1369. General News:
1370.  
1371. Updated regex patterns below for E1 and E2. I received about 21 malspams. A far cry from the 100s I used to get. Others seemed to
1372. get medium to light volume today as well. Mostly links for me today but a few attachments in the morning EDT. It seemed like
1373. the EU received mostly attachments at least according to @ps66uk in his report here:
1374. https://twitter.com/ps66uk/status/1124042396877111296
1375.  
1376. In other news:
1377.  
1378. TrendMicro had released a correction for their article here:
1379. https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/
1380.  
1381. @HerbieZimmerman Documented some incoming malspam from Emotet:
1382. https://twitter.com/HerbieZimmerman/status/1123954979805511683
1383.  
1384. Brad at @malware_traffic received an email from Emotet today from his "Billing Specialist" and documented it here:
1385. https://twitter.com/malware_traffic/status/1124040302191415298
1386.  
1387. @SophosLabs - is observing an outbreak of what they term as a "novel ransomware" that is possibly delivered by Emotet.
1388. You can see the post here: https://twitter.com/SophosLabs/status/1124095568999895040
1389.  
1390. Personally I have not heard of MegaCortex but this is a new development so be on the lookout!
1391.  
1392. Email Template Report:
1393.  
1394. All of the 21 templates I got today were based on some sort of Invoice or Billing ruse. They were all generic and mostly from E1.
1395. E2 sent me a few toward the end of the day in early evening EDT. The templates were the following:
1396. ___________
1397. Example #1
1398.  
1399.  
1400. From: "spoofed org" <compromised@poor.tld>
1401. To: "Victim's Full Name" <Victim@yourdomain.tld>
1402. Subject: Invoice for you OR Subject: Open Past Due Orders
1403.  
1404. <html>
1405. <body>
1406. Attached please find the wire transfer form.<br>=0DPlease let me know if yo=
1407. u have any questions.=0D
1408.  
1409. <br>
1410. <a href=3D"http://lejintian.cn/wp-admin/lm/CUBhsurjIYlmEDiyUA/">http://spoof=
1411. org.tld/inc/77736998644/spoofedorgname_36756832446_May_03_2019.doc</a>
1412. <br>
1413. <br>
1414. <br>
1415. <b>spoofedorgname</b>
1416. <br>accounts@spoofedorg.tld OR billing@spoofedorg.tld
1417. </body></html>
1418. ___________
1419.  
1420. Example #2
1421.  
1422. From: "spoofed org" <compromised@poor.tld>
1423. To: "Victim's Full Name" <Victim@yourdomain.tld>
1424. Subject: Paid Invoice
1425.  
1426. <html>
1427. <body>
1428. =0DPlease find attached your most recent documents.
1429.  
1430. <br>
1431. <a href=3D"http://gkmsm.ru/abuebz0/Pages/sedHliEaUfqrmTGVfmUvIYukOMQ/">http=
1432. ://spoofedorg.tld/files/IDWGI-132-G4422/spoofedorg_28062590710_May_03_2019.do=
1433. c</a>
1434. <br>
1435. <br>
1436. <br>
1437. <b>spoofedorgname</b>
1438. <br>accounts@spoofedorg.tld
1439. </body></html>
1440. ___________
1441. Example #3
1442.  
1443. From: "Spoofed Full Name" <compromised@poor.tld>
1444. To: "Victim's Full Name" <Victim@yourdomain.tld>
1445. Subject: Re: open invoice
1446.  
1447. Dear Customer,
1448.  
1449.  
1450. =0DThe attached invoice is showing past due on your account. Please provide=
1451. payment status.
1452.  
1453. http://blog.memareno.ir/ozwh/trust.accounts.docs.biz/
1454.  
1455.  
1456. =0DThank you very much for working with our company.
1457.  
1458. -
1459.  
1460. Spoofed Full Name=0DOffice: 906.842.6564=0DT/Free: 1.809.653.4564=0DMail:Spoofed Email
1461.  
1462. ---
1463.  
1464. =0DThis message is sent in confidence for the addressee only. The contents =
1465. are not to be disclosed to anyone other than the adressee. =0DUnauthorised =
1466. recipients must preserve this confidentiality and should advise the sender =
1467. immediately of any error in transmission.
1468. ___________
1469. Example #4
1470.  
1471. From: "Spoofed Full Name" <compromised@poor.tld>
1472. To: "Victim's Full Name" <Victim@yourdomain.tld>
1473. Subject: April 2019 Invoice
1474.  
1475. Good Morning,
1476.  
1477.  
1478. =0DNeed to know where to charge this invoice.
1479.  
1480. http://data.iain-manado.ac.id/wp-content/trust.accs.docs.com/
1481.  
1482.  
1483. Thank you for your business - we appreciate it very much.
1484.  
1485.  
1486.  
1487. Spoofed Full Name=0DPhone (Business): =0D825 080-6931=0DPhone (FAX): =0D825 08=
1488. 0-6477=0DEMail:Spoofed Email
1489.  
1490. -
1491.  
1492. =0DAs always, should you need any support do not hesitate to call us.
1493. ___________
1494.  
1495. Example #5
1496.  
1497. From: "Spoofed Full Name" <compromised@poor.tld>
1498. To: "Victim's Full Name" <Victim@yourdomain.tld>
1499. Subject: Payment Advice Note
1500.  
1501.  
1502. Dear Gordon Powell,
1503.  
1504.  
1505. =0DCan you find out how we get paid. Is it a check or bank transfer? They j=
1506. ust charged us $532 or close to that. =0DNo one told us anything about that=
1507. I just need clarification on this process.=20
1508.  
1509. http://fitnessdenofficial.com/wp-content/verif.accounts.docs.com/
1510.  
1511.  
1512. =0DThank you for being a valued customer and using Spoofed Full Name.
1513.  
1514.  
1515.  
1516. Spoofed Full Name=0DOffice: 967.700.2378=0DT/Free: 1.860.655.5990=0DEmail I=
1517. D:Spoofed Email
1518.  
1519. ___________
1520. Example #6
1521.  
1522. From: "Spoofed Full Name" <compromised@poor.tld>
1523. To: "Victim's Full Name" <Victim@yourdomain.tld>
1524. Subject: Your Spoofed Full Name order has shipped
1525.  
1526. Dear Victim Full Name,
1527.  
1528.  
1529. =0Dcan you re-do this invoice?
1530.  
1531. http://data.iain-manado.ac.id/wp-content/trust.accs.docs.com/
1532.  
1533.  
1534. =0DSincerely,
1535.  
1536.  
1537.  
1538. Spoofed Full Name=0D486-629-9586 / 486-629-9092 (fax)=0DMail:Spoofed Email
1539. ___________
1540.  
1541.  
1542. As you can see nothing earth shattering here but it gives you an idea of what to look for. Example 5 and 6
1543. treat the original sender as a company with strange phrasing. This is like saying akward things like:
1544.  
1545. "Thank you for being a valued customer and using Joseph Roosen"
1546. "Subject: Your Joseph Roosen order has shipped"
1547.  
1548. Not sure how the data is selected to fill in the templates here but I think Ivan may want to lay off the
1549. sauce.
1550.  
1551. Review:
1552. What we know about the threaded templates/reply chain:(changes are marked with *)
1553.  
1554. - Emails are sourced from once (or still) compromised users all over the world.
1555. - Emotet injects a reply into a real email conversation thread between the compromised party and another party that replied
1556. to the compromised party on or before Nov 2018 until at least January 2019. (may be up to present) Also have seen emails going
1557. back as far as June 2018.
1558. - Now on E1 and E2.
1559. - Now seeing German based templates that are essentially the same thing but in German.
1560. *- The injected reply is usually prefaced with the following:
1561. "Attached is your confidential docs."
1562. "Attached please find the wire transfer form."
1563. "Thank you for your help. Please see the attached."
1564. *"Load instructions attached"
1565. *"A printer friendly attachment is now included with each email."
1566. *"Click on the attachment to open or save the printer friendly version of your report."
1567. - Both attached and link based delivery of the maldocs/ZIP/JS have been observed.
1568. - Attachments seem to be in the filename format of *_Month_DD_YYYY.doc/js so far.
1569. - The link is customized for the display text of the link to show the real domain of the spoofed organization.
1570. - These templates are pretty limited in run and not very numerous.
1571.  
1572. Link Regex Report:
1573.  
1574. Regex directory patterns - The following patterns were seen active today. I modified some of these to make them better. Any with *
1575. in front of them are updated or very active. Yes you want to take out the * in front because it doesnt belong in the actual Regex. :)
1576.  
1577. E1
1578. *https?:\/\/.+?\/(sec|secure|trust|verif).(accs|accounts|myacc|myaccount).(docs|resourses|send).(biz|com|net)\/
1579. \/(Frage|Nachprufung|nachpr|sich|sichern|vertrauen|([DdeEnN_]{2,5}))\/([0-59\-]){6,7}\/
1580.  
1581. E2
1582. *https?:\/\/.+?\/([A-Za-z0-9]{4,30})_([a-z0-9]{5,10})-([0-9]{8,15})\/
1583. *https?:\/\/.+?\/(assets|blogs|cgi-bin|demo|direc|Document|DOC|esp|FILE|INC|LLC|lm|paclm|Pages|parts_service|phpmyadmin|Scan|sites|test|themes|uploads|WP2|wp-admin|wp-content|wp-includes)\/([A-Za-z0-9]{7,30})\/
1584. https?:\/\/.+?\/([a-z0-9]{4,7})-([a-z0-9]{5,7})-([a-z0-9]{4,7})\/
1585.  
1586. NOTE: If you get a lot of false positive, try adding (\"|\n) at the end of some of these after the last \/
1587.  
1588. These Regex patterns are to be used experimentally and at your own risk but they caught 95%+ of what I saw in link malspam.
1589.  
1590. Payloads Report:
1591.  
1592. Still seeing E1 and E2 going back and forth between the new and old loader. The current state of things is:
1593.  
1594. E1 Distro: old loader.
1595. E1 C2: old loader.
1596. E2 Distro: old loader.
1597. E2 C2: New loader. Seems to be stuck too.
1598.  
1599. Everything on E1 was straight DOCs today until about 19:00UTC and it switched over to ZIP/JS. Distro had the old loader until 1300UTC and it switched
1600. over to hash bashed new loader with 15 minutes or so interval until about 16:00UTC.
1601.  
1602. E2 was basically straight DOCs all day with the new loader in C2 still. Distro had the old loader until 1300UTC and it switched
1603. over to hash bashed new loader with 15 minutes or so interval until about 16:00UTC.
1604.  
1605. C2 Report:
1606.  
1607. C2s did NOT change for E1 and it remained at 61 combos in total. - recorded above
1608. C2s did NOT change for E2 and it remained at 79 combos in total. - recorded above
1609.  
1610. Closing:
1611.  
1612. Not too much changed today and spam volumes seemed to be up a bit today for me. Honestly overall, Emotet is less of a
1613. threat for me lately because it can't seem to deliver the volumes of malspam that it used to. Even the reply chain type
1614. emails are pretty bland and lame. Perhaps Ivan should give up and move on to something else. :)
1615.  
1616. I am out tomorrow and @ps66uk will give this a go. Have a great weekend.
1617.  
1618. TT
1619.  
1620. ```
1621. #### Sandbox 05/02/19 ####
1622. (all with fakenet and MITM unless spam/secondary infection)
1623. ```
1624.  
1625. Epoch 1 C2 run on 2019-05-03 at 04:00 UTC - https://cape.contextis.com/analysis/71309/
1626.  
1627. ```
1628.  
1629. ```
1630.  
1631. Epoch 2 C2 run on 2019-05-03 at 04:00 UTC - https://cape.contextis.com/analysis/71307/