Emotet Malware IoCs 2019/03/27

## Emotet Malware Document links/IOCs for 03/27/19 as of 03/28/19 01:00 EDT ##
*Notes and Credits now at the bottom* Follow us on twitter @cryptolaemus1 for more updates.

#### Epoch 1 Document/Downloader links seen for 03/27/19 ####
```

http://128.199.233.166/lib/secure.accounts.resourses.biz/
http://128.199.254.22/pjv1mjk/secure.myacc.docs.net/
http://129.204.69.15/wordpress/trust.accounts.resourses.net/
http://134.175.208.207/wp-content/sec.accs.send.com/
http://1lorawicz.pl/language/Amazon/EN/Transaction_details/032019/
http://203.114.116.37/@Recycle/sec.accs.docs.net/
http://212.47.231.207/wp-includes/trust.accounts.docs.net/
http://35.200.165.142/wp-includes/secure.accounts.docs.com/
http://40.87.92.185/wp-content/secure.myaccount.send.com/
http://51.15.199.46/wp-content/secure.accs.send.biz/
http://53amg.fr/wp-content-/secure.accounts.docs.biz/
http://912graphics.com/wp-includes/Amazon/EN/Details/03_19/
http://aapic.emarathon.or.kr/cnsadiczdy/trust.accs.send.biz/
http://aapic.emarathon.or.kr/cnsadiczdy/trust.myacc.docs.com/
http://about.pramodpatel.in/wp-includes/trust.accounts.resourses.net/
http://ahl.igh.ru/pu4mngy/verif.accs.send.net/
http://alcantaraabogados.es/languages/secure.accs.resourses.biz/
http://alimgercel.com.tr/wp-includes/sec.accs.send.biz/
http://altinlarinsaat.com/wp-admin/sec.myaccount.docs.com/
http://amenie-tech.com/wp-includes/trust.myacc.resourses.com/
http://amismuseedreux.com/phpmailo/secure.myacc.resourses.biz/
http://baurasia.3cs.website/baur_asia/secure.accounts.resourses.net/
http://bike-nomad.com/oldpages/sec.myaccount.send.net/
http://biztech.com.bd/irpw/secure.accounts.docs.net/
http://blockseal.com.br/pdf/verif.accounts.docs.biz/
http://blog.atxin.cc/wp-admin/trust.myaccount.docs.biz/
http://bluesw2014.synology.me/@eaDir/Februar2019/privacypolicy/trust.accs.send.biz/
http://bmserve.com/mobile/sec.myacc.docs.net/
http://bmserve.com/mobile/secure.accounts.docs.com/
http://bmserve.com/mobile/verif.accounts.docs.biz/
http://bombeirobianchini.com.br/wordpress/secure.myacc.resourses.net/
http://booyamedia.com/img/Amazon/EN/Transaction_details/03_19/
http://brado.alfacode.com.br/wp-includes/secure.myaccount.docs.biz/
http://bytesoftware.com.br/casa/trust.accs.send.com/
http://cddvd.kz/cgi-bin/trust.accounts.docs.biz/
http://chobshops.com/cgi-bin/sec.accs.send.biz/
http://completerubbishremoval.net.au/bywioej/secure.myaccount.resourses.biz/
http://comunidad360.com.ar/cgi-bin/sec.myaccount.send.biz/
http://corporate.letsbangbang.in/viseuf24jd/trust.myaccount.resourses.biz/
http://craftacademia.com/wp-admin/sec.myacc.docs.net/
http://craftsvina.com/testgmail/sec.accounts.resourses.net/
http://cryptoexperienceclub.com/a0honzc/sec.accs.docs.net/
http://d42494.hostde14.fornex.org/wp-includes/sec.accounts.send.com/
http://d9credemo33.co.za/wp-admin/trust.myaccount.resourses.net/
http://daarummulmukminin.org/file/trust.accounts.send.biz/
http://dagda.es/language/verif.myacc.docs.biz/
http://dailynuochoacharme.com/wp-admin/sec.accounts.resourses.net/
http://dandavner.com/blog/verif.accs.resourses.net/
http://darktowergaming.com/l9ld-0dpofc-hiwewg/sec.myacc.send.com/
http://darthgoat.com/files/verif.myaccount.resourses.net/
http://deafiran.ir/css/secure.myacc.docs.com/
http://dealsammler.de/wp-admin/Amazon/En/Payments/2019-03/
http://deathprophet.bid/adminmap/secure.accs.resourses.biz/
http://demopn.com/lab/components/com_jce/trust.myacc.resourses.biz/
http://demoudi.cyberclics.com/cgi-bin/trust.myaccount.docs.biz/
http://digitalcore.lt/wp-admin/Amazon/EN/Attachments/032019/
http://dqbdesign.com/wp-admin/sec.accs.docs.com/
http://draaiorgel.org/wp-content/sec.accounts.docs.biz/
http://dragonfang.com/russ/sec.accs.docs.com/
http://dreamhouses.site/wp-admin/secure.accounts.docs.com/
http://dream-sequence.cc/mm.ms.com/trust.accounts.send.biz/
http://dream-sequence.cc/mm.ms.com/verif.accounts.docs.net/
http://ecasas.com.co/wp-content/sec.accounts.resourses.biz/
http://editorial.wijeya.lk/oldadmin/wp-content/verif.myaccount.resourses.biz/
http://egtfiber.com.my/wp-admin/verif.myaccount.docs.com/
http://eklentitema.com/jiah/secure.accs.resourses.biz/
http://eldruidaylashierbas.com/wp-includes/secure.accounts.docs.biz/
http://epsi.in/xjsotiq/sec.myaccount.docs.biz/
http://famaweb.ir/intro/trust.accs.resourses.net/
http://fanzo.ir/css/AMAZON/Clients_information/2019-03/
http://finniss.net/temp_dc5bcf9d42ded3370fd9c92a7bf0d715/verif.accounts.docs.biz/
http://flatbottle.com.ua/@eaDir/sec.myacc.docs.biz/
http://foodideh.com/wp-includes/sec.accounts.resourses.net/
http://ftf.bythewaymart.com/wp-content/trust.accs.resourses.net/
http://ganzetec.com/m2013/files/temp/verif.accs.docs.com/
http://gccpharr.org/assets/secure.accounts.send.net/
http://genericsoftware.ltd/image/secure.accounts.resourses.net/
http://globalera.com.br/arquivos/secure.accounts.docs.biz/
http://goodheadlines.org/cgi-bin/trust.myaccount.send.net/
http://hagebakken.no/loggers/sec.myacc.resourses.com/
http://hbsnepal.com.np/wp-admin/trust.accs.docs.biz/
http://healthandenvironmentonline.com/wp-content/sec.accs.send.com/
http://hellodocumentary.com/wp-includes/trust.myaccount.send.biz/
http://hildevossen.nl/oyjnzmy/secure.accounts.send.com/
http://him.payap.ac.th/wp-content/uploads/secure.myacc.send.com/
http://holon.co.il/wp-content/secure.accs.send.com/
http://icaninfotech.com/wp-admin/verif.myaccount.docs.biz/
http://i-genre.com/wp-admin/secure.accounts.resourses.biz/
http://irbf.com/baytest2/trust.myacc.docs.biz/
http://jaramos.pt/assets/sec.myaccount.send.net/
http://jobs.achievercs.com/xvspgnq/sec.myacc.send.com/
http://johnnycrap.com/verif.myaccount.send.biz/
http://jpheywood.co.uk/cgi-bin/verif.myacc.resourses.net/
http://kan.kan2.go.th/css/Amazon/Clients_transactions/032019/
http://kanon-coffee.com/large/sec.myacc.resourses.com/
http://kueryo.ro/b/sec.myaccount.resourses.biz/
http://kyaikhtohotel.com/backup/verif.accounts.resourses.net/
http://lacave.com.mx/wp-admin/secure.myacc.send.net/
http://lexusinternational.com/wp-admin/trust.accounts.send.com/
http://logicmavenofficial.com/wp-content/secure.accounts.docs.net/
http://magashazi.hu/trust.accounts.resourses.com/
http://mahertech.com.au/SilverStripe/trust.myacc.resourses.biz/
http://majidfarm.ir/wp-includes/secure.accs.resourses.biz/
http://makson.co.in/admin/sec.accounts.send.com/
http://mallcopii.crearesiteiasi.eu/bqrsiyn/secure.accs.resourses.biz/
http://mangaml.com/jdownloader/scripts/pyload_stop/sec.myaccount.resourses.biz/
http://maramahan.ir/wp-content/verif.accounts.send.net/
http://matthewdmorgan.com/RECH/secure.accounts.send.net/
http://mawandlaprojects.co.za/cgi-bin/trust.myaccount.resourses.biz/
http://maxindo.com/verif.myaccount.send.net/
http://mcbeth.com.au/nick.mcbeth.com.au/Amazon/Transaction_details/03_19/
http://mhsalum.isinqa.com/tjsml4o/secure.myacc.docs.net/
http://mjqszzzsmv.gq/wp-content/secure.myacc.resourses.biz/
http://mobilier-modern.ro/cgi-bin/secure.accounts.docs.biz/
http://moose399.org/ww4w/verif.accounts.send.com/
http://multiesfera.com/wp-content/sec.accs.docs.com/
http://multitable.com/Marketing/verif.myaccount.resourses.net/
http://mwfurniture.vn/wp-content/trust.accounts.resourses.biz/
http://mwfurniture.vn/wp-content/verif.myacc.send.com/
http://mxzhiyuan.com/wp-includes/trust.accs.docs.net/
http://myphamcenliathuduc.com/ne6rcmq/Amazon/En/Information/2019-03/
http://naps.com.mk/wp-content/sec.myaccount.docs.biz/
http://nazara.id/ghezons/secure.accs.resourses.com/
http://nhomkinhdongtien.com/wp-admin/secure.myacc.docs.com/
http://nk.dk/arcade/sec.accounts.send.com/
http://nk.dk/arcade/sec.accounts.send.com//
http://nojz.cba.pl/errors/secure.accounts.docs.com/
http://nolimit.no/_derived/sec.accounts.send.net/
http://officeoxygen.in/itgxsq2/Amazon/EN/Clients_Messages/03_19/
http://ognalesoftware.com/rents/Amazon/En/Payments/2019-03/
http://oliviacarmignani.com/jopvis435/sec.accounts.docs.net/
http://olivyatasevler.com/wp-admin/Amazon/En/Information/032019/
http://oncoursegps.co.za/bill/verif.myacc.resourses.com/
http://oneindia.biz/DOC/trust.myacc.resourses.biz/
http://opark.in/wp-includes/secure.accounts.docs.net/
http://overnightfilmfestival.com/9uyruon/Amazon/EN/Transaction_details/2019-03/
http://pacificsecurityinsurance.com/wp-content/trust.accounts.send.biz/
http://pandeglangkec.pandeglangkab.go.id/images/Amazon/En/Attachments/2019-03/
http://pangtoutuo.vip/wp-content/uploads/Amazon/EN/Transaction_details/032019/
http://pasb.my/blog/sec.myaccount.send.biz/
http://pasb.my/blog/verif.accounts.send.net/
http://past.com.tr/wp-admin/trust.myaccount.send.com/
http://peyman-akbariyani.ir/ond9gts/sec.accs.resourses.biz/
http://pkb.net.my/images/verif.myaccount.resourses.biz/
http://pornbeam.com/wp-content/verif.accs.docs.net/
http://portalfreightforwarder.com.my/hzjvbhz/Amazon/En/Transactions-details/032019/
http://projectsdemoserver.com/mixtapemonopoly/AMAZON/Clients_transactions/2019-03/
http://proxectomascaras.com/error/secure.accs.send.com/
http://ptgut.co.id/test/verif.myacc.send.com/
http://pufferfiz.net/spikyfishgames/verif.accounts.send.com/
http://purvienterprise.echoes.co.in/il87xjz/verif.accs.send.net/
http://raionmaru.jp/wp-includes/sec.myaccount.send.biz/
http://ramyplast.ro/sitemapxml/trust.accs.send.com/
http://raybo.net/bemcadd/sec.myacc.docs.net/
http://realistickeportrety.sk/wp-admin/sec.accounts.docs.biz/
http://regiosano.mx/wp-admin/verif.accs.docs.net/
http://relex-shipping.de/blogs/verif.accs.docs.biz/
http://restaurantequeleche.com/wp-includes/Amazon/Documents/032019/
http://rexhagis.nl/RGM/secure.myacc.send.com/
http://richwhitehead.name/dump/verif.myacc.docs.com/
http://samburt.info/wp-admin/secure.myacc.resourses.net/
http://sato7.com.br/nova/sec.myacc.docs.net/
http://sbmlink.com/wp-admin/trust.accs.docs.net/
http://shoparsi.com/cgi-bin/trust.myaccount.send.com/
http://shophaimy.online/wp-content/secure.accounts.docs.com/
http://shopinsta.in/shopinsta/verif.myaccount.resourses.com/
http://short.id.au/phpsysinfo/sec.accs.send.biz/
http://smejky.com/skola/Y36TUR/archive/sec.accounts.resourses.com/
http://sosctb.com/wp-admin/verif.accs.resourses.biz/
http://sprechtheater.de/ww4w/verif.accs.send.com/
http://srle.net/fedeora/trust.myacc.send.com/
http://store503.com/vqmod/secure.myacc.docs.biz/
http://superdad.id/wp-content/verif.accounts.send.com/
http://swisswatcher.ch/alexandramaegerli/sec.accounts.send.com/
http://takapi.info/ww4w/sec.myacc.send.net/
http://taltus.co.uk/cgi-bin/secure.accounts.docs.biz/
http://taringabaptist.org.au/wp/verif.accs.resourses.net/
http://tcmnow.com/flash_4/sec.myaccount.resourses.net/
http://teardrop-productions.ro/menusystemmodel003/sec.accounts.resourses.biz/
http://test.nguyentrungdang.com/wp-content/Amazon/Transaction_details/2019-03/
http://test-website.ir/wp-includes/verif.myacc.resourses.net/
http://unknownworld.ir/wp-includes/verif.myaccount.docs.net/
http://utit.vn/wp-includes/trust.accounts.docs.biz/
http://victorybijja.com/wp-content/verif.myaccount.send.biz/
http://vismut95.zp.ua/wp-admin/trust.accs.docs.com/
http://wardesign.com/catalog/secure.myacc.resourses.biz/
http://wcdr.pbas.es/pressthiso/sec.accounts.send.com/
http://websmartworkx.co.uk/shop/cache/trust.myacc.send.com/
http://woodhousecnc.com/wp-includes/trust.accs.send.biz/
http://www.1010.archi/Armadillo/sec.myacc.send.biz/
http://www.alfomindomitrasukses.com/wp/secure.myaccount.send.biz/
http://www.hildevossen.nl/oyjnzmy/secure.accounts.send.com/
http://www.kalpar.in.bh-in-10.webhostbox.net/c49y2h7/verif.accs.send.com/
http://www.test.nguyentrungdang.com/wp-content/verif.accounts.send.com/
http://www.yummiesbandra.com/cgi-bin/secure.myaccount.docs.biz/
https://4stroy.by/wp-content/sec.accs.docs.com/
https://artistasantimoreno.es/vckej2kgj/verif.accs.send.biz/
https://asiatamir.ir/css/verif.accounts.docs.com/
https://ayanafriedman.co.il/blogs/trust.accounts.resourses.net/
https://barbeque.kz/comments/sec.accounts.send.biz/
https://completerubbishremoval.net.au/bywioej/secure.myaccount.resourses.biz/
https://completerubbishremoval.net.au/bywioej/verif.accounts.resourses.com/
https://fxqrg.xyz/secure.myaccount.send.com/
https://healthandenvironmentonline.com/wp-content/sec.accs.send.com/
https://him.payap.ac.th/wp-content/uploads/secure.myacc.send.com/
https://hk3.my/wp-content/Amazon/Payments_details/03_19/
https://kebulak.com/contact_us/Amazon/Transactions/03_19/
https://mhsalum.isinqa.com/tjsml4o/secure.myacc.docs.net/
https://morimplants.co.il/dev/trust.myacc.send.net/
https://newerlife.org/eapew8c/secure.accs.send.biz/
https://scubadiver.bg/ffpdxo5/verif.myacc.docs.biz/
https://tapchicaythuoc.com/cgi-bin/sec.myaccount.send.biz/
https://testingtap2019.tapdevtesting.xyz/drsufg9/verif.accs.docs.com/
https://utit.vn/wp-includes/trust.accounts.docs.biz/
https://www.ninepoweraudio.com/wordpress/sec.myacc.resourses.com/
https://www.oilrefineryline.com/post/trust.accounts.resourses.com/
https://www.udhaiyamdhall.com/images/trust.myacc.docs.com/

```
#### Epoch 2 Document/Downloader links seen for 03/27/19 ####
```

http://107.178.221.225/jxewyv9/sMAP-WaC_Y-V0/
http://122.152.219.54/wp-includes/kbdX-cQqA2_uaV-naJ/
http://13.232.106.114/wp-content/rndZ-N4CLR_g-Ipx/
http://140.143.20.115/hgnxlto/35909471066/Ngzi-jC_ElaIBlYh-SPz/
http://140.143.20.115/hgnxlto/611274687534208/QhlR-xgA_ssN-1GJ/
http://142.93.73.189/ufy1dmh/035833309323/VPSO-9BP_TYEzO-Ei/
http://159.89.162.81/wxr3nje/Ssgm-BH_xJNE-s5/
http://178.62.109.107/wp-includes/VEKkw-zVPi0_QULxvFEo-tZ/
http://2013.kaunasphoto.com/wp-content/7720873/CGqO-KkaV_I-l8Z/
http://202.28.110.204/joomla/3oa48-qo137-bltwgjh/
http://203.157.182.14/apifile/mat_doc/zfUg-KoXcx_pxTXVzJ-sy/
http://212.47.231.207/wp-includes/77570958/ELyFJ-YfZ9e_dFOiXwHz-hy/
http://212.47.233.120/themes/XPmzv-RmL_gbQ-hII/
http://34.197.118.180/fi-fi/frIob-27zD_m-Iwv/
http://34.238.82.111/wordpress/EsBv-gD_vuI-9bw/
http://35.193.108.240/wp-includes/frNB-Sy_KbdEtFo-Qdk/
http://46.105.92.217/wordpress/YVftN-pt5BW_OMUqkIfwq-p4Z/
http://51.175.83.46/includes/tcGI-QDlI_QiIWkwdwF-Eh/
http://aapnnihotel.in/frubox.in/PClU-4trDt_hzI-8l/
http://abi.com.vn/BaoMat/1lh6-7fh1j-sble/
http://about.onlinebharat.org/wp-includes/88510347069/BFmkU-Tk_sfXQLnNZW-t2/
http://acmalarmes.hostinet.pt/wp-snapshots/BWZi-w0Pk8_uEqFsqvjb-Pwc/
http://adequatedoubleglazing.co.uk/OLD-FILES/IyNpj-RRX_cyw-Tge/
http://aegweb.nd.co.th/taz0mpb/ETFz-Rv5_PaamjfUqO-7b/
http://agara.edu.ge/components/daqO-Bl1_IXOGzHnRU-Gbt/
http://agtrade.hu/images/SnmF-Z1h_mBIZkgnu-RU/
http://alexfranco.co/wp-content/Ajiuz-iPzW_nZ-T7I/
http://alpinaemlak.com/wp-contents/oGDPD-Yg_BWBL-TBy/
http://alpinecare.co.uk/kuw3vhg/jdkv-D7b_znS-g82/
http://alsaditravel.com/css/mUYw-lh6_HUnkpK-VNS/
http://amaraas.me.md-in-23.webhostbox.net/aijsh.in/UPS-US/Mar-26-19-12-05-03/
http://automation.vasoftsolutions.com/wp-includes/zQcTj-sH_M-M9/
http://babycool.com.tr/wp-admin/011712047594/Aerq-5Z_rrhWTJ-gb/
http://banzaimonkey.com/images/hb40-txgs0-venbudm/
http://banzaimonkey.com/images/u9er6tz-fjanvjz-bxljz/
http://baophulinhkien.com/wp-admin/ymnsv-HC8QO_Gl-Pjy/
http://battleoftheblocks.com/wp-content/iduZ-qBvK0_PZNHWj-Au3/
http://beavismom.com/aheu-jl0caf-hqfqryg/
http://bfbelectrical.co.uk/wp-content/4271022/wBBS-Uq_k-DYe/
http://bietthulienkegamuda.net/wp-admin/LZLen-3Qd1_hl-L7U/
http://bioanalysis.lt/wp-includes/0055674142/hKaJF-PVL4_PqrMYBYjd-LRG/
http://bizjournalsnet.com/wp-includes/576577061370/ALQvw-vGJPh_IWrW-AES/
http://biztech.com.bd/irpw/22709865050/AyWS-5Z_lNycki-pJE/
http://biztechmgt.com/mailer/520895937972948/zwsb-t5Sj_rOYhA-7V/
http://blog.adflyup.com/wp-includes/u3ar-t9e0efy-rwmylk/
http://blog.adflyup.com/wp-includes/zslsmg-8vnzi17-wxby/
http://blog.bhconsulting.co.in/App_Data/LOiZ-AZ7h_VhhKbcoZ-h0t/
http://bloodybits.com/edwinjefferson.com/534892856210/WfTlw-InIM_o-t8G/
http://buydirect365.net/mxrgyso/1957424179/HvbNH-mKXSL_qBT-6y/
http://car2cars.pk/viseuf24jd/80314061/hbuAg-8LZi_UvHYhZS-vC/
http://chefmongiovi.com/wp/WxMT-B7fSe_kDHSYD-Lvw/
http://chekil.com/video/EQhI-Z45_Tw-QE/
http://chemie.upol.cz/wp-admin/QQKGA-Py5_Dta-8dI/
http://chowdharydesign.com/n/Mqptz-eMJFt_vBtEqSCyK-hEE/
http://cnp-changsha.com/wp-includes/IkwXo-zgbIX_VcR-2r/
http://communica.com.mx/images/XdmQ-1FxQt_Vvx-Fj/
http://core.org.af/wp-content/lOmHn-2a_zQyWYqcB-XPN/
http://cpvc.cc/tangerinebanking/mwQQs-7H8D_fsJfEZ-N3Q/
http://csnserver.com/blog/GqQkV-1s0e_BNYWJWAhe-EcJ/
http://cutebabies.tv/css/6055400710143/aukIc-EK6Ez_yBdbiF-5tw/
http://cutm.illumine.in/reports/wHWA-an3_ZQq-X1K/
http://cyberchainpay.iamrans.com/wp-content/WaggN-FttN_rYHmQgn-7U/
http://cyzic.co.kr/widgets/DCZjP-0Ow_cC-IK/
http://cyzic.co.kr/widgets/mJlNP-Fl_OQfYAk-0c/
http://cyzic.co.kr/widgets/PjyG-q7_aHfTeMPCx-mY/
http://datos.com.tw/logssite/9973920474/EXfko-oomPg_H-xfa/
http://davinci.techieteam.net/wp-admin/941946913720343/Hguo-XU_wnBZ-8Y2/
http://deeprootlearning.com/demo/ipXXT-uW_UXqW-Eq/
http://deeps365.com/css/swhoz-HZA_ZguIu-LIJ/
http://dekormeda.lt/files/lhKHF-vS5_a-vo/
http://demo2.sheervantage.com/vtiger/fpgs-yqxzd-glbra/
http://demo-progenajans.com/academialsc/05735575950691/Qxon-VPx_WVGKGZ-Um/
http://deoudepost.nl/wp-includes/ykTT-KL_REsKgwh-2Ii/
http://dev.ameekids.com/wp/yLFw-1D_vz-BJ/
http://dev.colagenulmeu.ro/cdcapbx/nSNqO-k0r_jqcZKAqo-BII/
http://dgstrainingacademy.com/y2ss2ru/ee2jwn-trbib-vstoh/
http://diaocngaynay.vn/diaocngaynay/Trvf-0ACi8_on-A0/
http://dingbangassociates.com/wp-includes/wTDJQ-6dV41_a-5R/
http://dispendik.blitarkab.go.id/cgi-bin/iqMr-msB_djabJDQN-wGu/
http://disperumkim.baliprov.go.id/wp-content/54076625975/aGuz-nqZ4k_Cso-mw/
http://divacontrol.ro/images/guelj-Zn5_FdHHH-4F/
http://dlucca.com/doc/02391351193/WaZNS-WPoHo_H-xM/
http://doretoengenharia.com.br/cgi-bin/JDfb-QxC_GW-s3/
http://doretoengenharia.com.br/cgi-bin/TfEP-1q0_JlD-Fvg/
http://dortiklimyapi.com/wordpress/fpPpq-eI_qMaj-7Lk/
http://ecellp.elmoyeldo.com/cgi-bin/ogwj-p08i4-hzvv/
http://edandtrish.com/ares/2397985856204/ZoIX-a5V_k-t1/
http://edufinit.com/pgslive/mLey-knYH_wBUfC-qld/
http://efectiva.com.ar/img/70dh0-lnu9yg-onnax/
http://ejemplo.com.mx/fejk5ey/tYBQx-kito_duzaVp-SlA/
http://ematne.com.br/wp-includes/ee157g-zft7h1-zlxew/
http://epcocbetongmb.com/h0s94dr/bIrnH-3hxS_WeF-hx/
http://euelectrical.com/elect/EyyFQ-eh_QQPEllry-kG1/
http://eynordic.com/cgi-bin/86830123/uqDxG-HeHCO_RQuuooZl-r8/
http://eziyuan.net/404/hNyKy-O4YX_S-jlu/
http://f2concept.com/App_Data/fHIUA-Yekra_bZ-Jk/
http://famaweb.ir/intro/xUoOD-fbF_yqcLDbES-WV/
http://fareastgr.com/vslaaky/336691252945/iGVbv-rd_F-7P/
http://fastech.com.tr/wp-admin/YfVSt-tD_wKMwbL-uQ4/
http://favoritbt.t-online.hu/logon/mHck-9oca_V-0UU/
http://feder-edusi.quartdepoblet.es/App_Data/UmlHO-0s_jOGCu-lmR/0000460429/iLww-pp_Vs-Dj/
http://film2frame.com/iyw2-zvtkr-zzbkvl/75140682/qlNfi-qe_WEtfXC-qK/
http://firstmnd.com/wp/wp-content/444086975/UxJK-VjYb_TO-MIF/
http://fixxo.nl/wp-includes/ZFtnJ-7b0R_uyOsAEi-0zh/
http://flaviamarchezini.com.br/blog/wizheo-klqtga-bxxa/
http://fondtomafound.org/wvvw/SPvNv-ykr_ZUDJVEXA-0yw/
http://forex.repairtech.website/wp-includes/k3j7u-oxeixt-ysoverr/
http://fpsocial.com/cgi-bin/imod6-d7efl-ryrsjt/
http://fullstature.com/mid/1pux-o1blr-cjhqgqz/
http://funmart.ml/wp-content/ODKE-tcFii_Vl-7L//
http://galacelestia.in/oxbyfzp/r5glooq-d53qe-imod/
http://ganzetec.com/m2013/files/temp/7462042602/Ldvbr-vL8_gOM-BoO/
http://gdv.stomp.digital/wp-content/bZkY-kx_zO-fE/
http://geceliksitesi.com/wp-admin/jxvo18c-3jbuj1t-rrmgc/
http://gisec.com.mx/expertos/lHBk-k7VH_SntLTu-iaf/
http://grandautosalon.pl/YVczT-5cXF_TzzA-LqD/
http://grupomma.com.br/divina/waoO-lMX_RxDiaEXI-wx9/
http://grupoweb.cl/wp-admin/GWRNO-cnObm_vPjqWOhmf-bY/
http://haberweb.site/wp-admin/jdcK-IfMW_ILDnoUVm-iHn/
http://hacosgems.com/wp-admin/54340934088/DqBjO-v4_XE-aZC/
http://healthwiseonline.com.au/wp-admin/208134077/DAYm-7hff_DlKgRxW-nb/
http://henterprise.bythewaymart.com/wp-content/sKByR-ViU_HGRnc-bb/
http://hidakitap.com/viseuf24jd/naeyn-5jemej-jmdr/
http://highlandac.com/css/0735777770/HnyG-6uh_dXHIHc-UU/
http://himafis.mipa.uns.ac.id/wp-content/uploads/65533872/LpEi-w21WH_FSHHmCIP-C3G/
http://himatika.mipa.uns.ac.id/wp-content/c2ac7te-znv1j-dnawm/
http://hishots.com.mx/wp-admin/EnQS-XVM_anyjKXJDZ-3u/
http://hnsdxbbzuk.gq/wp-content/1572655005070/yOGJe-Ov4SY_OXxpON-Im/
http://hoangdat.vn/wp-admin/FmYp-HK_LwDB-nFp/
http://hostzaa.com/song/oEWG-13tBc_FK-aB/
http://humas.lomboktengahkab.go.id/wp-admin/hywfax5-ybxzm-cpvyoy/
http://icei.pucminas.br/templates/ri2y-hip9a1-pzcxre/
http://igt.semseosmo.com/wp-content/6288723081893/MjsE-PFJ_ijDmRS-Pg/
http://impro.in/components/vSelm-lrl_s-ggj/
http://informapp.in/xvyf69e/ahlf9-pmyb86h-nqet/
http://infuture.id/Files/NTBPC-q8D_ebqMRXB-I1/
http://inhuyhieu.info/wp-includes/ay90o-ohlwrj5-ijhurzs/
http://insightaxis.ditdev.net/wp-snapshots/ngHz-7RC_BbZsKzK-2n/
http://intrinitymp.com/site/PMPwP-fVcm_aYAS-mw7/
http://jimtim.ir/0/ml1c2w-qztfvg0-oiisav/
http://jns.dst.uz/wp-includes/jw460-bp2zo4-cswj/
http://joerectorbooks.com/tangerinebanking/KRDrw-xcHxx_dDsMoSBU-SV5/
http://jonaenterprises.com/images/555568790/Drta-4h_o-uT/
http://jotaefe.cl/js/JuJMF-kH_Ir-EJ/
http://jss.co.ir/cgi-bin/kcHk-gX5_JgnjGliZ-WNB/
http://jthlzphth.cf/wp-content/d2sk-b0h5zb-shgblx/
http://jthlzphth.ga/wp-content/IuTE-joJB_CLz-lh/
http://juefuouyang.com/wordpress/qvvh9q-qxod1aw-kcbhf/
http://justmail24.com/wp-includes/FTIZ-Rj_zTbnPPvm-Rr4/
http://kalpar.in.bh-in-10.webhostbox.net/c49y2h7/5blplu9-2876h-atqasaf/
http://kamel.com.pl/wp-content/fzp5513-5w3hlvh-tuiiwhe/
http://kamir.es/controllers/EMMN-Uvsl_wQQlP-L3/
http://kanittha.rpu.ac.th/wp-content/uploads/xTjP-rTC_qxnHPbxm-Q9O/
http://kelp4less.com/wp-includes/OPrSS-QIc6_XanEmAAUE-r9/
http://kepegawaian.untan.ac.id/wp-content/hef9q-df32z-vxmpq/
http://khwhhappsb.gq/wp-content/QUuOJ-on_KGAoMfTLP-nfP/
http://kmgusa.net/a2test.com/nnfe-t5fhmf4-bqvygs/
http://kovdal.dk/ww4w/xzc6g-o60oad-maey/
http://ksgroupglobal.com/wp/PCMYW-GT8_BF-fV/
http://kudaminsk.by/wp-admin/434538013353786/SVQVA-Pm6_WRfVFgNs-Weu/
http://kueryo.ro/b/oCuSN-Dy_aHI-7o/
http://kursy-bhp-sieradz.pl/pub/CElUY-I6Lyp_rTXnk-LX0/
http://l8st.win/wp-includes/2846839962/ptjJB-zwzyx_Dc-mwP/
http://lanbien.vn/sitemaps/gzbkqbv-ljfl8k0-ucvc/
http://larissapharma.com/fobn/zoOq-rpwa_AliIkOQI-xqn/
http://latenttalent.nl/vv71ypc-54vd1-pwqgoqi/
http://lemaitremanu.familyds.net/wordpress/5l50dwn-jrpcb-rwwxa/
http://leodruker.com/mail/lvba-vfq1sz-nxigwvs/
http://libtech.com.au/wp-content/uploads/2016/07/ilRE-1vU_qqJaZnPI-ul/
http://londonhypnosis.org.uk/media/hx2d4sp-90msizz-lyciz/
http://lpfministries.com/123/dDGT-wf_ciMUFJl-2i/
http://lutgerink.com/wp-admin/yNJks-jDlc_cEc-ymO/
http://magbine.us/wp-admin/0cke-1hgl7-skcvas/
http://mail.villavicencio.com.md-1.webhostbox.net/moodle50/8xtbd3-fce9p7-bxcs/
http://maisbrasilphoto.com.br/v2/gVuAe-uR_OdlTBDr-RU/
http://makpar.net/cgi-bin/h4mlf-981ooi-kkmh/
http://makson.co.in/Admin/PMgDA-pH0a_hf-tVk/
http://malabarhistory.com/uyhgy6s/YnfSt-6VS_dMpWmyIN-8vP/
http://maravilhapremoldados.com.br/imagens/gtz9wql-5aucps-ywpgu/
http://marcofama.it/tmp/amcz-48ptq-ynjel/
http://martianmedia.co/wp-content/fonyz-zlq7_zTr-HZS/
http://mattayom31.go.th/financial/a0hg98-eus06rn-uqrhglo/
http://mcdonoughpodiatry.com/mnjnszp/620200373365449/soBb-Ssh_MtxvvDpO-U5/
http://mediariser.com/wp-content/NmKN-yQ9k_kdAcunW-PdO/
http://meghaparcel.com/backup30122018/App_Data/6440064257139/BVMx-vQE4_XeZy-E8x/
http://meiks.dk/VDbT-nY_iZxqN-fAx/
http://melondisc.co.th/47bd/160e0-ydv5d3-bakcx/
http://mersia.com/wwvvv/wr6x3f1-auqyh-awejizb/
http://miketec.com.hk/etulh/QYGPm-blZZ_qzktY-yt/
http://mireiatorrent.com/wp-includes/SAgdB-Zld_ZzFQybdvC-X5G/
http://mistcinemas.com/cgi-bin/ju5g44d-s6hr5b2-mamqdpx/
http://mkiasadmol.ga/wp-content/9ecof-kk5z3-esvker/
http://mktfan.com/admin/25528040/fzbY-BAv_NEkVwGQpV-5J/
http://mmcrts.com/wordpress/wXPl-zY_NMVdMx-uM/
http://moefelt.dk/prototype2/p582t-1ac1tbx-uyybgjw/
http://mofables.com/wp-includes/hre6l-y0s32-akvn/
http://moozi.in/wp-includes/e4tse-dv6rg-qyagggn/
http://morimplants.co.il/dev/Ihuu-ruCK6_GWEg-ul/
http://movewithketty.com/awstats/12ydwuz-ej3ls-fotjhr/
http://mrvine.com/doteasy-under-construction/pUPo-aq_boennvv-k7y/
http://msao.net/rvs_library/jrqV-r5_FErg-Hro/
http://muacangua.com/wp-admin/21110198438/eHEhb-Xph7_PsMvPcAew-lm/
http://my-innovative.com/wvw/pCiZ-YYmx_ZLKuWjo-hPs/
http://mythosproductions.com/ttt/vsOG-pL_Vktqr-7L/
http://nammuzey.uz/includes/hYPl-aKNf_ylWT-8rT/
http://nanyangbaobao.com/wp-content/59492239527/eRKW-RS_WlGWHy-Zu/
http://ncep.co.in/wp-content/uploads/tFjVx-YU_qjtTrSlM-sS/
http://ndm-services.co.uk/stats/lj486-0kquats-huco/
http://nehty-maki.cz/www/wp-content/qiaoq98-5ytsj-dcuqew/
http://nethouse.sk/isp/rrrh23o-zluodid-tftql/
http://neverland-g.com/default/063511605150/ayQi-rQGP_yaEAwvmTU-dB3/
http://new.hostdone.com/wp-includes/MejC-gEa_PX-FcF/
http://newportedu.org/wp-admin/tCbak-NcwGO_TCwhjpX-ug/
http://ngowebsite.developeratfiverr.in/images/RAvhe-YglBZ_EEg-oRU/
http://nirhas.org/g86abwf/72111355/HhXU-6Qv_EQgHh-FF/
http://novelreaction.com/wp-includes/VdFDS-FuSH_ZfvGak-VNM/
http://nutrisci.org/bozzowi3j/33209460445613/ayzqv-y4_km-z1d/
http://okiembociana.pl/admin/gwru-3im4wb3-nppj/
http://omada.edu.gr/wordpress/PHVc-BN0_peYcoiWl-gK/
http://omega.az/IRS/142526965/HYnC-ppH_WYf-s4g/
http://onlinelab.dk/7mobw-hnwi83-heuixzh.malware/UANqz-UT_mHJ-yL/
http://openquote.co.za/try/2626084936/kRmRj-z0_TqeKCExUh-wXZ/
http://otoarabakiralama.com/ebcmlhm/iObXz-mbRUY_OhqDV-yZ/
http://ots.sd/language/oJroa-JtAuQ_zUTnYI-dtX/
http://pamelaboutique.co.uk/g83v7y-l00ur-dqvsn/
http://papaya.ne.jp/tools/yyrKx-HVSIT_iq-9j1/
http://parbio.es/wp-content/lAEJ-Qq_kFPpuoXq-yw/
http://parisel.pl/temp/77108967/DHFs-p3YZx_crKPQfnf-gKC/
http://patrickhouston.com/beavismom.com/aheu-jl0caf-hqfqryg/
http://pennasliotar.com/wp-content/zCAFi-wC85_KAlJY-oH/
http://pepper.builders/wp-content/TziwV-2E_hd-or/
http://performancelink.co.nz/cgi-bin/counter/data/xnLTb-3fxs_tegXq-PL/
http://petcarepass.cz/wp-content/ZMMNZ-Ls_LRZ-9h/
http://phitemntech.com/serveroptions/lalz-LxFRF_YmgRxV-yK/
http://phonelocaltoday.com/we5r87y-6aqlcpm-ylmc/
http://picdeep.ml/TARGO/zxAEE-CX_fxNkYB-KIY/
http://planetnautique.com/2011210/qaUez-kD2_YE-ytd/
http://plugnstage.com/logo/zki2m0-x6xpv-uulypaz/
http://powerfishing.ro/pdf/pIjr-upuO9_qj-xVb/
http://ppusvjetlost.com.ba/xd6re7a/MVfC-lIa0_Q-Fyo/
http://privcams.com/screen/RXHgM-bU_uCD-Ko6/
http://profilegeomatics.ca/rvsincludefile/jcEuf-HiZBf_PZIoV-Mp/
http://project.hoangnq.com/tour/images/catalog/LaMtM-bFp_JZTCQVD-YSR/
http://red.pe/api/OMJvA-awk3T_H-yX/
http://riasud.org/temp/cgaSM-H4l5_SDioz-V33/
http://ristopietila.xyz/icon/FZiH-kwf_YX-qN/
http://ritikastonegallery.net/new/QLSj-4ja_FAok-RA/
http://ritimasansor.com/wp-admin/bJnL-jACp_qFlwcltmN-Ro/
http://rivergames.ro/wp-content/jzvn-RWQWq_z-FI/
http://rjk.co.th/wp-admin/imDm-1WL_Ef-CK/
http://roxhospedagem.com.br/chatonline2/gnkjG-iA_uLWLGQA-WW/
http://roxhospedagem.com.br/chatonline2/UPS.com/Mar-25-19-12-36-02/
http://sag.ceo/wp-content/tqQV-mzU52_SYWWeEie-f2/
http://saironas.lt/itimma4/FAdya-Wj_FtCyYaoyC-wu5/
http://salma-dental.com/wp-includes/hMlV-Knaz_Ca-Epf/
http://salua04.iesdoctorbalmis.info/wp-snapshots/KPOmI-qg_ndg-XCg/
http://santinas.cl/jopvis435/pUcz-Md0_idhCREipz-M3t/
http://seewho.kuwaitwebsolutions.com/wp1/EQGqG-1I18g_ANTifAW-zci/
http://shagua.name/fonts/Mizu-nM4Xl_WhW-1D/
http://shagua.name/fonts/RsOos-LRVdU_JQXIcanV-bD/
http://siamnatural.com/tmp/LeqBn-fzZ_hGKXZ-2m5/
http://sisitel.com/wp-admin/86216274977769/ZPMXK-14V_s-bh/
http://skanecostad.se/wp-admin/dpKQ-Hpur_WSMlZDbiK-eZ/
http://skulpturos.com/wp-content/ILTi-ee_uTsgq-jS/
http://sonicloop.net/fvijvpo/fCUIB-5hjZs_OhidXWitB-9uo/
http://staging.pashminadevelopers.com/wp-admin/lqGsH-r1_aBcx-uC/
http://storiesdesired.com/stories/tkuL-me3Z_ZiDOhE-n1v/
http://super-plus.pl/wp-admin/146829290785/YSLs-r3zM_L-Ds/
http://taktastock.com/ni/8209109938719/POyEu-getc_BkRpLkh-P7/
http://taringabaptist.org.au/wp/71116941659687/hMLVo-Ld_yNnGut-v9X/
http://technorash.com/howe3k5jf/FwQHP-iioev_zw-1Of/
http://theshowzone.com/dzXTs-oS3jd_aAKpXSCGI-Mo/xUrF-kVG_sMUvg-tEg/
http://thimaralkhair.com/wp-content/sQbm-8A5_HlmtEXe-kb9/
http://tlslbrands.com/wp-content/bxMsZ-YqQ_O-cL/
http://tokozaina.com/wp-content/03856676759593/xRIb-hCEx_tmmSle-of1/
http://tplstore.com.pk/wp-content/947612745/WPXu-Piad_SsnsaR-et6/
http://trinadi.my/home/81949614489350/VqcJO-J5dh_Ev-mkw/
http://tudonghoaamd.com/wp-content/sYgQ-Yky_jsV-3A/
http://ukproductssylhet.com/wp-content/fray-dboQa_XZJWPlh-grH/
http://uommamnhancach.edu.vn/wp-admin/ZntI-fAXg_EZWrBReE-1z/
http://vicentinos.com.br/wp-content/eFQBI-tlXs_I-kx/
http://view9.us/zoho-auth/mAag-uBP3i_AlHWPsw-UK/
http://villasmauritius.co.uk/wp-includes/lplt-hYPP2_alzsSG-Vk/
http://vivavolei.cbv.com.br/templates/8874652135/WunVV-pJOf_m-wC/
http://vncannabis.com/rzkukb8/0083083/jIEn-tmUz_XCkTY-14N/
http://warah.com.ar/2PS/atmp-q2IH_iBift-Idu/
http://wcdr.pbas.es/pressthiso/tDuY-L4_rX-eh/
http://web.wolkebuzz.com/App_Data/YYnK-VO8_ZMVD-yx/
http://webzine.jejuhub.org/wp-content/uploads/pPpz-LLuBe_qkaWKyiK-abz/
http://whitedownmusic.co.uk/Choral/QQFtq-FMB_bgkwFX-5dj/
http://workforcesolutions.org.uk/wp/KNhCO-rQk5G_BwcDDWUF-9hl/
http://world-zebra.com/css/644407005/pDqh-7C_GcqTQ-Rn/
http://wp.10zan.com/wp-content/secure.myacc.send.biz/
http://wpgtxdtgifr.ga/wp-content/nd7mc-a4xcm1u-ywlcf/
http://writerartist.com/images/27070379041/Vljj-8Ce_k-U7/
http://www.7status.in/wp-content/jScZw-ge_VAHBrpFUh-qPg/
http://www.alexfranco.co/wp-content/Ajiuz-iPzW_nZ-T7I/
http://www.b010.info/wp-includes/UcGEb-6iC_ZuKbICJ-7I/
http://www.bilgiegitimonline.com/wp-admin/AVjrk-NrK92_GcagQlsXy-NO/
http://www.buybulkpva.com/blog/wp-content/BxVJB-27G_OIIVcgeF-umh/
http://www.cbmagency.com/wp-content/CWckG-3so_R-3O/
http://www.chickenstitches.com/install/181334654406/sImcT-QR_JcSTeLFNU-rQ/
http://www.conde.bioscursos.com.ve/cgi-bin/DjWHX-cwPqS_WLj-5C7/
http://www.giztasarim.com/wp-includes/4242145534/iJTD-ed97I_IZqxHwbxR-YJ/
http://www.hk026.com/2zsjmbk/diVT-ptKVa_BnH-EC/
http://www.hurrican.sk/img/gCKah-vE8t_GKFY-R7/
http://www.hurricansk/img/gCKah-vE8t_GKFY-R7/
http://www.kuy-ah.id/asbtrans.com/ep4250-m3pc58-sjcncxo/
http://www.lifeandworkinjapan.info/wp-includes/aSNp-8s_c-vl/
http://www.magicwebservices.2lflash.net/cgi-bin/aMCg-LF8_kKhn-bw/
http://www.monfoodland.mn/wp-admin/CUaMu-zx_iNtlj-fr/
http://www.nltvc.com/wp-content/uploads/xDGCA-eGu_tvqXu-Rg/
http://www.nms.evertechit.live/cgi-bin/ovZqd-NoC_NzQi-DWR/
http://www.oliviacarmignani.com/jopvis435/NBQce-yW_r-pr/
http://www.shreyagupta.co.in/a7kuxbk/35035790/wVDP-pv_Qimrk-X72/
http://www.teacher-wuttichai.com/cgi-bin/Dyptf-9u_vYfyXtMr-Ag/
http://www.trolleycom.co.zw/App_Data/97903278278055/XwRRk-eeUi_OqYRBEZkr-beo/
http://www.unibox.hr/wp-includes/39128184758/zssL-IB_tnRDdm-rgv/
http://www.wirehouse.evertechit.live/cgi-bin/oZEsK-rr4_gMHkwliW-Sgp/
http://www.xtime.hk/wp-admin/vWCTz-5dhRC_xVlY-DfG/
http://www.yufengzx.com/wp-admin/cFcJw-u1uCD_xaS-S2T/
http://www.z0451.net/wp-admin/dAOvQ-u15_MnteX-5Ly/
http://xianbaoge.net/wp-admin/437481401055279/XUtr-eYZA_blMKiE-bQ/
http://xn--80ajoksa8ap9b.xn--p1ai/administrator/KMGVH-DkrGd_o-7Y/
http://yelarsan.es/wp-content/uploads/333755948995396/CwPoK-wcK_fXtMxWu-He/
http://zafinternational.co.id/wp-content/9935665413/VVZEg-cN_atDc-Cr/
http://zlogistic.top/wp-includes/HgWnN-oA_Z-YFc/
http://zykj.shop/wp-admin/19664217/QJBT-wYGp_dNtSQ-Jq/
https://abi.com.vn/BaoMat/1lh6-7fh1j-sble/
https://aduanalibre.com/backoffice/node_modules/es6-iterator/test/#/gNmSP-rWwo_mcwUiJ-dC/
https://avtovokzaly.kz/wp-content/PpAb-hnP2_sY-ptB/
https://blog.adflyup.com/wp-includes/u3ar-t9e0efy-rwmylk/
https://blog.adflyup.com/wp-includes/zslsmg-8vnzi17-wxby/
https://catba.goodtour.vn/wp-content/plugins/adventure-tours-data-types/assets/fonts/vvHcc-22RyA_cWqyojuKW-bmg/
https://chowdharydesign.com/n/Mqptz-eMJFt_vBtEqSCyK-hEE/
https://dialogues.com.br/p/dTcE-DY_kEgJDVdHt-dMj/
https://dwodjwqwjdqijd.tapdevtesting.xyz/hrpqwl43ks/tHWv-djSO_BKMNKqa-KRJ/
https://epcocbetongmb.com/h0s94dr/bIrnH-3hxS_WeF-hx/
https://ewoij.xyz/XgRiD-Mt_j-hL/
https://fbufz.xyz/nLQu-PTpAA_DmGor-Nx/
https://fk.unud.ac.id/wp-includes/GnQj-oof_abd-Vr/
https://gilsanbus.com/SLAmN-hhtH_PUkvyNudz-h8/
https://grandautosalon.pl/YVczT-5cXF_TzzA-LqD/
https://hacosgems.com/wp-admin/54340934088/DqBjO-v4_XE-aZC/
https://ilimler.net/wp-includes/RKKuQ-zHoy7_fL-kV/
https://informapp.in/xvyf69e/ahlf9-pmyb86h-nqet/
https://inovatips.com/9yorcan/YDpB-s9_W-kW/
https://intrinitymp.com/site/PMPwP-fVcm_aYAS-mw7/
https://jthlzphth.cf/wp-content/d2sk-b0h5zb-shgblx/
https://mhsalum.isinqa.com/tjsml4o/7233086522/GuPgT-Qyp1e_nFhAVOi-z0u/
https://morimplants.co.il/dev/FpMiG-aI_tmSSITENB-6a8/
https://morimplants.co.il/dev/Ihuu-ruCK6_GWEg-ul/
https://patinvietnam.vn/wp-includes/theme-compat/66029442212/MSFhn-nYczu_vmZWoc-vOu/
https://praha-9.eu/www/wp-admin/images/p3z7go-nx6k4k-ayeli/
https://servinfo.com.uy/crm/f2ase1-uuyz6aa-wbley/
https://sisitel.com/wp-admin/86216274977769/ZPMXK-14V_s-bh/
https://tokozaina.com/wp-content/03856676759593/xRIb-hCEx_tmmSle-of1/
https://tomjapan.vn/wp-includes/YdxR-BXnqK_gTdMtWa-3QD/
https://vrfantasy.csps.tyc.edu.tw/wp-includes/oawdO-9hxWY_wabIxsZO-VzC/
https://whitedownmusic.co.uk/Choral/QQFtq-FMB_bgkwFX-5dj/
https://www.hk026.com/2zsjmbk/diVT-ptKVa_BnH-EC/
https://www.kuy-ah.id/asbtrans.com/ep4250-m3pc58-sjcncxo/
https://www.la-reparation-galaxy.fr/wp-admin/iEkWT-qhPI_RuapExMKI-25w/
https://www.lifeandworkinjapan.info/wp-includes/aSNp-8s_c-vl/
https://www.thermalswitchfactory.com/99jxom2/kEVK-qhBI6_EIj-8P/
https://wzydw.com/wp-content/uploads/NZFEZ-vwIU_FqDVe-kX/


```
#### Epoch 1 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time	2019-03-27 14:41:00 (DOC Based - ENG - 365 Blue Box)
SHA256:
87750caffc8fbe4109d678333a28134bc58096cd9c56e6d3131ac0d39234b9a9
a5b83356c5af3eb2a1501283ee2b6528d1a66bcf3250db4c9ce135d2c1dbb046
89743cee5c079008ede2990284c229f074a501a88fff45585c04b529edbb422c
89743cee5c079008ede2990284c229f074a501a88fff45585c04b529edbb422c
64877c2ca66f4be260d79e854cb9c6c53a3e7ec4fbc5a3d11686a2bbe6801b2a
cba8ed4ec262fa92530dbd498b5e731c7fba84cf56d0419aa2b864cc46fedc84
f5ca2bb01cd70b2905fb37bbc02fed796fe635f7278822387fa99c36157c0096
ea33e9015702086bfbbbff98f3ba25c6b48be1502e175c3b47dbf70db6d16128
6539caa562270bc8a34fa89fe55ec70e13db54f7d096f779d1cf2a2cbc443beb
12aefb9788dcb7742691cb65f47fe77eb529d1af66629aa23540923d8bf8a3cf
359a860da0e249af77dff2968ed3a47663a8500ae7959c0f4e32ddded4430937
16bb2cc98db47919aad31b64f89faf26fb9eb4e831a334e1132b843659533147
d894bd04d5dcfa46856bb122d3c8c4934302a513eb6326733608271b102ed414
390e1912a2e15d28182d1119e691a015c19badfbac587d9a0ffe2b6ac65e09d5
16a1211eaea306077774dfa0429f826433dcc8720e1bf64ead6e95f44c9e436e
723dc518933867170ed53b6f73a82b1685ece913d6c42e93a415e50e23b582ae
ba4a393249fe369eac65cee06624824db2ef81079d4625e251ffbd620299796a
2d263ec02c682804c3718006450a30f3c8c49449c5c4e7ca6cdb0b0fa4994bae
885402297b94bde75190d29262083790e59f00e61e30d17b49caced0c16c9e94
9fbe26b424b3b913ec607ef2dad0a2203a726d4c21e8e46604ede2e3f7a2bdbc
13a946f83012f506e765696958fc4c3832f2aa9a651fd99ca131c8563e329106
7282f6fbb637af7bac0005621dd72c6b3e10d673a04a8942d9598e3ed6d02976
062e43db2b3fe0234038bc344f9c373bcd3b9bbad6aaa9a79063ae6a34678a2a
0aaba1facbac29babd5369061cad8ea1c7474a34d6e4161c92176f0c6e264234
658e11714c066638a196aec22cd6bb82c64fb23eb9b4f34961ae40e0401f2d78
ca9797365b1b83b2af8fc4927f5dbea16b23666de66b791d321ba11aabcd943b
d1617c63791d831f4e955d46d81323be0cf5a4d4b3e733c0cc51b83265c24847
aad488236a6facc524453cd9ab9c21b22665db79fa23b28ef34f81aa2187d67f
24f46cf9f9ab93c9c30fa9571f1ee7f0dcf4aaa395f45417c3631454435d40d0
e6cb3218881cb9606cae6d9fd388fcb5fba42adfabf13a8e40940205d4cbffef
f3e45144d393cafe8b83c144496b37d765ab032ecb2ddbc3883c2d99d9fb82c9
a196ccb4650badd3b67d60f1377e0612d9dd0c4171a758fb96294ab66a4b0349
bbed2e1a2d1cc935ce62cb37f46d2d875b39c388a5d988265214f8d7af0db999
3ae6cd5463eabf42e788e07db353ac9eacdd6714317f7b0e91a3673c6e24ea0f
ed9296e309d943c5a05adcbf525829b3780c234306aa2957c73e5b00b8c1b5b2
4bb9d92a1bdf23ea51867519c7bccc0778fa9687c8df511dc6abac8ac1a20f4e
e8f22748b1322aa8e74b659e04e9721b7ffc9fe32b2ecfe477c43da49c3f9ee2
25faccdf2b352d11cbd02b95314ffca85c3a44b55aa374b6ff9bbc783176bb35
903263934af39541d0484f1b3108e0a3232794f46dd217e166e475c061d4ea47
77ccf29ca6938ccec807a5d114c72dd94da670bb6d98c0ad19f9717cab3ecd9e

http://testdomain.asthingsare.com/css/G06/
http://octoplustech.com/wp/CvAy/
http://sonnhietdoi.com/citt/4XD1Oh/
http://raitutorials.com/xiy19vm/Q45o/
http://omegawiki.dynalias.com/web_images/

Creation Time	2019-03-27 13:29:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
3c6eb93b60497869e5d1851d62970c1a9dd57309f928de7417eeab3ef60a9c63
b79f34419aa656d4779c6cd41a2d126ea26bd8e5ccc9187dc21c3f17e4d2adf3
dd699909eacc293b46c5b645cb1440eb3b06040eb75cae8e2f8e596bc86303e3
25b98e713077f5a5a7fbf5fe5c2932e738254438f384e8ce39a2028e5ae1612d
705e99ce092739709709ed5709c6898e2c18c42224f093bb52a403d2661ce06d
4c11b524c8a7b0291152113bd6b524b00f5ae39a4bd52e3dfd03641de0dfcee7
705e99ce092739709709ed5709c6898e2c18c42224f093bb52a403d2661ce06d

http://drmarins.com/wp-includes/W4/
http://turkifsaizle.xyz/wp-includes/Kdr15/
http://247everydaysport.com/oslh4nf/flpQh/
http://siamnatural.com/tmp/bu5U/
http://sannicoloimmobiliare.com/s5v4bzr/Vjx/

Creation Time	2019-03-27 08:49:00	(Creation Time	2019-03-27 08:49:00
SHA256:
96518aa2c43b66dcaa0796031b3f3740e50a983d0ac9e69ceb732178f59d98d1
d91a0853fc364ada76f614480747300259f4b6908201f1b67223699fb5f4c116
d91a0853fc364ada76f614480747300259f4b6908201f1b67223699fb5f4c116
cd6afe300affc5091dcb3a5c614a977cabdace1eafddcb2adc872623a7c0c964
29523b92e42dcb55a4fb75221a797471a76f5ff547f86b4838bfc69f6c6dbd5f
eb0ec2f6f80d8f10e8e7715129bb0b0b40908e29c27d2ad05a1a8a0286115313
94a40ed6b2e0445fe985fc174bdda4ebd18c056aabb9883c891ba33168683c33
dc14d27a746cd813e6e35b61252ab6df41f8d1a7b0ca8a76eee1e8caa7c7d396
8483f2cafdf83fac6fefaf34d898898fb6c18e8c3d3b35e4ac404f501f2a0963
1b5a6bcffbc70a7b5877229ac8b328599b446db5f103514c4ab5ae0460564236
18cfb027810d5fa95978678a60e9953cf41ff3b1cb3fec15c3dd3ec3f0914c7f
7034155b96c22680b299a05ca465e936438a53a7c433e44e312b2f4367101ca9
89d36319c7d7d4ad658702c40cfae11f11bbb53b7449d733cfe0ed58e3f5cf19
5e8fb251f6ecc3e679b88b4893138633ed331b41564159bbc01df2b114997090
1764718797aec2dabe14534def521357262d0b77df339ddf36eeb99ea3a33ef8
ef171c0902e5877266593a312afe7e474156afbb0d3ed51fdc04f842fc21e873
03e7e094f81a5d6fc3cbc723266612cdc66185b980b65cb31e936874c3e8c185
ca8ec692ef819696d702d2e18272e7a5755597fba150ae592c24e74bd1a66750
f37b829bc7737cc9d4771da6ec050b3809e5b887e9076e4f05b302e0987c281d
86e8e0f8326dc4a49767f3bf3df8cd78dc4075cb70301aee6887db5701a089aa
72391e5a3ba01200f63d16dddba5c2cbbab5aa4cc9b34a37e92870e6e92de9ff
86fc8023a04ce17447b3aefafa4e118be59a4ace3d9b8741cd13063b03945a71
7c1e163deec9384f8b89234e0e7dec231f5738f86ef2d53fff4c9ef9227466dd
32fb4d290511be530c33fbb43c12807f373061158866ea2855ccac7a6b9a3961
778775311f561d9e773f22262e152ef251bf78978a7db87c48b8da3d8a378b72
2c0dbca954c43dbd98dbc9b293929a4797eb51f053ae03036ac1aac8e52d594b

http://artecautomaten.com/wp-content/IXLg/
http://naranjofincas.com/imagenes/HVp/
http://not2b4gotten.com/bodybyjoy/05kaQu/
http://nfbio.com/img/upload_Image/edm/pic_2/azW/
http://nkuk.com/FaceValue/prjcW/

Creation Time	2019-03-26 19:55:00	(DOC Based - ENG - 365 Blue Box)
SHA256:
0d41c62d50a16bc4cda1e323288f3e2cda5e8ce6eb452cf7a5fb697b18c70f1d
bb3c5b56d6d614cb598b4794bd07676807d804cd97d4e9888ce7578b7a75fb60
e717c0d2aadb80bbd081acc5b0c5b60facada2f0e054c2d8a550e4d5b8243df2
d6d376d37614aca98ed335758933ad30bba597f57e037c16456e17125053ee1f
32b50465098b642879702c1a118a933d239466fed0cab72cfb595e0bcf20a4b9
37fbdaac20f28e03fb0ceb7d6065042fad3d24c7c556ffdae6dd25159ff1a3d9
36d51869688503d5854e7d2f888662620f237c3e316b50c92da4dbaa3f00f879
3852f2f5e0d2ff022a57ba0058f7e30d0218383004233bb137120e558505e06f
28558d1a2e24e5a4488d71b7ca4de29d553efae10b81d2a57cd35517cf0ae7e6
d6d376d37614aca98ed335758933ad30bba597f57e037c16456e17125053ee1f
32b50465098b642879702c1a118a933d239466fed0cab72cfb595e0bcf20a4b9
37fbdaac20f28e03fb0ceb7d6065042fad3d24c7c556ffdae6dd25159ff1a3d9
36d51869688503d5854e7d2f888662620f237c3e316b50c92da4dbaa3f00f879
3852f2f5e0d2ff022a57ba0058f7e30d0218383004233bb137120e558505e06f
28558d1a2e24e5a4488d71b7ca4de29d553efae10b81d2a57cd35517cf0ae7e6
0d10fe705e970034049229c93062cce13a3c212827b5a94aa9bd51764fac480f
3566f8a0761166ae946b37a2fdbe138757ac498fc54036184907d1d69cd90ede
c61249e0be72032f2d7e5c7077675d4a8b727a4fc34939242138578ac36fe4f8
1c0067ea78fd5dc7ec2e4e96a05a4d3ad3c2e549a17d24ee53dab9dd56debb01
6461067f4cc442b618f615cb2550d49a22e3713cc8ded5c37e4c33790e6b3ac6
c726a571842a6a994426f89fceac37f0814be50027f5740eed06a67e99866718
5bc71bb74dbe33abc468fd251e325c62d499668d3b5559064a46c8ed96be330f
644fb6e3362074360b0ebe741c0f4b35db1056592ebe4ae87e3ad72da715b936
d33c2f96facfd8a2e38b608449676b53fb7816e319196208acc1c89f3aed6687
a8c972d20ee636ae08ea92cc42bf637b0b563120d0769fe624bfae2ca9fea616
0a0868534ca307d017bf9e8100b64db110ec120c55672666b6971b18856a8348
f10851f56f0d72b44f10858d77f34b90554550c6c536a59814014c608da10afb
dbfc56024d39ca02603fe07af8e2c9296ab309fd35cad7f823a011d54c182ece
3def65c76aaad7814e2bd400ddb6801b610afa0f7b5829302cdd46422851a236
b45d76d8d15602f881a3758aabc9803f085f804c2eb4b2365a6de844550adec4
4652b3359429e592a38e7e4cc7abda60d86e502a8b834c774f2a435ee49f01c1
8a72e9a09b39f3e902704a4773670aa9943a1bece3483a86a687c355c5a24bc8
f1bc63e5f837b29a1d4a8d3b7eea34e0ccce4c914183951d52fc4a176ed48f26
64fe77df67c91877b8884e84c97b8265143847dc666884082155a6bf76735bde
4c6eeeabdf7cd01e8b5eea4afd8aaa1196f891c9cca4d762225d014bb38200a3
454de74ff184137a6aa46513ddf0e3a7fb5d80013a1604c2d7e162b3846122a3
51eb2718354554ebb1d700d8ce340d517af0736c33c636414259ca8921ab3087
9e8ac6505237d758b4045651762375bcc02fba42a18e4e1bb4a4826e2f35b728
9bfebd2b118cdd5e106d6c86972cf3a14970889bd9342e57e6e471d1fbcd392d
1bd1dcf49594afa742dd213a7c15f9cf8bb419478b81a74196ad26e6e1ba9bc3
03465981951d923fc1a43510a9477f908736d666fa4a8c9369eab7e4b46a5455
3b830090200e332b076c8cc1844a217be005a562aac2d27c4e355e74fc73326f
f9823331bd35b3d6261f188cfa806840203a16258ae986afb39ab1af3f0fd1cf
666080a584f4ea6d25ed424b7911c2c0ad4de7c4f33efd402eb2094d06923852
2374ec382a76e66bade5c869b9634f31863fdfb0ac2e92ce40609c29a37a5612
5751b2a8d795d362f66a6e1ae7a5bc4d06cf242453667f7ac5600cc960b5444b
69ea3847f4be1650782e07dfc4db91afa83bc8cb45338d2a07d8b239316f7420
53a76c85fe1ccf2b8363c9456cbc5e88383760323b95b8aca19648749f2739e4

http://grcklasik.com/ytpawk3j4/qN3P/
http://eurocasinolive.com/test/paAQL7/
http://heuveling.net/9op/
http://haru1ban.net/files/Ep/
http://netwebshosting.com/whmcs/DjM/

```
#### SHA256s for Epoch 1 Payload EXEs seen on 03/27/19 ####
```

6ff3ac24304956cbcf1264cffa8d60fb1d8e2c7698ad26fa667ebb50d7ce398c
1a245ffd568fe135440d5940ae27d9516d9444cde36e9d8995df107d4469f522
2cf81d8af3348ffa639f096fe42a99b87f1772f113aeb143612cda01dd03d4d3
6917f9226cb96b2bf808e8bd4c44c3c3f900a8d21d7fee70141888469f55be51
7d4efe8755c7590c920349e45af9a5f01d9f3edadb2f3785787f0d6aa2a321f8
8cdc5e182968632b42f975c3c8042e0923ccae4f1b721a1edbe21d81778bcd70
fecabad5cf13ca5ab5b371460e2732f3383f89ebea32ad7ae4b8b92a86ddc46a
b4c3653b76f1b7fadf54e91eb1f22de2ab7aa862cf544299eff90b393d035bda
d72cb1b7a97c319511c2336ca5483cc517443f88f8d369dabdc832f7cb552945
82322d6ef2f5d5140b87249c5dc2567a2cba03747a7815e0f7b350cd8401aad2
bc433460d3aecf75fb94f36d9157bc0b188e4def9cbeb51762f2d36ea99bf8f5
edc40341c06515586624d4fd76ce18e644916e7c407c01fed1c1550e98fcd311
b4e7e7bb6121d1318997f9e72e01679b59feb26c28923a906474a778215bbafe
072f742ae88de343c79ee6a32634ed23a53f1fa8755905bd9f6e12e70cf75bc7
0503ee5af3e0f70f9360e87fba5ccf15874e58f63d857ad097eb0176a583e5a7
61d4a847d8a38c1192969ab0667f7d90160d9dd4d327969c3e788ba831db0bd7
d2142ba6e18c1d3195a7f07039444b356e58e0e12f2676dcc4699fd59ef50442
be75fb5f2a42701b6aca4f71fcbc34cb1197c9a04bced3611e1fbc2e418777ab
6dea26fc891ed8f26804553ebd1393f7b1108fff0f1ac90ad0ca497bf2d073df
28d7ffc204edbd97e750803a194846064218ba305afed721560e9e116c4e9e14
757d8b909f1e83bfc3e1b5571661226d2b52ff3e38d1d193e64c72eb3654f8ed
93457a11bb5a9e31d2abaa02c39af8237d3bb0d98f35aafe21436b51503fde5c
3958a8c284e5d326b188a693ad749828a2ebc7105127ea03f6fc9644cc7c4944
d0b5b32115d53cafbc55a8ab838cd2e0033205c7b29c6d63c82edbf3f1e0c34d
91ab040b3bc087d4a1b20ea48b1b2af4edfdf1fc418c22daad33c9f0d6c60f53
9351e987fed28206e5ab1ad5893b2e165bb9f737d0ebdcf99dda00b90febe7de
a0ab9c94437d3d6966410e4061ed9ee08ae4d8bf6c1edff04daf097d15f14943
9b1b6448c8f5eb861a990d71d25f3889f962ed341556f0136ae0ed74621f90b6
58d8c6c470a001da6a38952b5acbb86eef25352a2ab07fcb8d5b37f62a922e43
5c8684964abe27a526737a5d67ae411b328642e3d2a0540da95f39808089f51d
43527bee3fff63468f0d88ceec297d842c86a206549957adbdf29266b3f17408
45c6fd16d252df6eeb5c57775460188b1a02d4fd82e83afded4966743de4ba4b
f60c854f8dfc2e85643fa3a227bb275328429c573336a62e9b33b9c9fa7570ed
1245886c579749f383fb0022e8dd13d618ab3fd694c3405b9da2ab43953f9ced
441c4202746ec2c40422b345b408d2e91732df01c8d3878da265374a4ad034a3
7073d1e584d2782d29d316c2433be65b1f1f0aada005ace4de86e3969a9f662c
416609a9bc190ebdc8d17338a3150316da81054f65ebf58be86cb946ab34992d
197d0649c4d2dccdaa9315a2324e42c0d27beb9b98c32c0e2fa4746bc9c7b4e7
0fe5dab13195c078d5cf389150455ae41a769a35e1c785b9fca11b0627e17069
f21026497963e10f6cab01c6bc104a8ec1afedb88f115e7b90f713d883d8e49f
56b36a5eeab0ace57f9b8a9e478628cf9ff2d9c32da8accbd2d4dbd57c23b1a7
26937f3ef6b765e4b0dddc1343decec9dfbaa16274138877cd04ab363b72ee23
5fd6568ad5d12db8333929cd076cb6fb0578042311005db0907a44696cd7f980
3f1cbc226a59f79e2bc6b2f0b833bfacfeaed3b91a3f09fce7b6f6bf1fc769a2
20dc46208458735a0916f6537fd079496832f239552d77f8387e5b0c76a157e3
4bd82e2fc7a5a87c5eb19fb3e7d8a858d3ce27f8bc872b7c499b8b6f7a44b586
ac30985c1b403b282cf4230b9a3888c083d772a5f384ae34438d24642652fcc2
e65c1de030b29194b922d426fecf871cc73845f35f3d2cc6bc7fd8afbbacaf0e
39c4c872406e0bfba81182db3fed022a73e51ffefc5e807d6e180b9747a1f719
fce2129e26f4fddeec4fb7a1f0bcaa61d03ee0423584238527ba37ddd67c28c4
1083579e485f2667d6ee9d481b912f9beda48d6bbd671395ebf610988024c01b
f8273d7f31a0697f2071ad8e6bed5a3c282addd4e3e3558e354911635bc2b84d
b8bc1925463d9939db5864d5a6ae3c7c62039124d50fd1e033135282b7030e34
3deb5df6726bdde2e5d14e50240ce020b554951887b392614d8806c9406bf176
108d6751ed08fe6b0653886953e513f366ad5e8fe0cf72075e58330fe86cb002
4787a160dc18d8734badbcf9b5c82631c8437f2d76cb9e2e66a03b83a523b281
38ee87f6e1650b4bf9db658ae91b1dc912e79d333082e2e5f977f9eea07791bf
e598bd4c38e73f403880153cd51418bb822facc1548fcf45333d1514367faf6d
0ed1342c703b5e8e2ebd4d0121549c341e897caacd69edf893eae9776efe963f
18eec598704cbd6ad1aac0e9abf6e0a329f93bde0f51de137882f9a74316e21a
47aa446cc3de24f375ded822e0195316d0ea665563c273feeb5da4af9b847247
9298044a5320afd3897a30811c581dbc2405643f06d8439691e31ee63c70241d
386dc7076a8f9f348bc247a4ad2fcf90c1842e4647ddceea5596434bd426da2c
f08a33b6130b66bbc6bc57117acc7f589783d179dfacce4f02ee327c6dcb41b0
ede9534a57c19145e976f5714d668c7c5fe0928f77653b5956cf4050f5fb7c20
4fa6e6e55d9db880dbf1b37ecdd7ffa4ac628c0d5c15a2554331915fc4439a06
bed1f2c61dc1b78a7bc4a15a2740444454585eaa01723f28ddfdd1843181fadc
6ed7dca9418699ef71767f853c23e922a3bd7f858457469a606e43ae6137d43a
9867046414fa9dbe22615aa29963931eb6bafc53ddbf17ea6be33321b0efd780
fb9fd2373d947fc314e0ed958e0bdd616486e89effc59652b39865f8f80402b7
0e55685307a2ab8b1144d4fcd504df13b985d986c4687e565a51a6aaebc534fc
f63f3c9f17f61b8bc90189e263b7265087201c4f8be67ce8118434f206e37b03
1c08760cc7263826b112a929e4f0330e51870254b76487a8fa4230fc0939b2d6
7f08f2f4e3baa4d8cc665a34feee2d1e1df972fd24dc3d1d70d32c634b5b8321
7d5266d31ce2d8af34235021f2d3c35402179e64c70a02d01de2e65937c3741f
6741e8add7a78a1a176c5ff106ae0ac5b87cd6f520226a4a8e9d32908ccf65e6
122b3c58b37d4326edb8443094f5c824c7337d068f2e2ad90f15137bb754d237
2f9b7d6832f5a33577278c8193e51a13fa128c002292dab1467eda099b93189e
c96846e204dfb4787bc6b3db5ba56052f5da166eb0e3f778f61732dc86cd2764
7eedc042bd7bd8fd29d5fd702eaf04dd9503fef4f819aedcf97b2d5605583763
5dd7698e563079beee864ba34ca45ff4fe97dc3dfc350dab2b9f49d9d07dbd13
dd34cf90746be568a6e9def5420200335589e8570bab63e29055282d5872bd81
6b1c81e41a01513c740954bc5ef6b1d9951f6778f07f0b17a841a8ee55724975
b59f519267d88139c9b3c42495836582c33a6cbc5174f27fae031d3c15541857
2485e60ebd7c1dfeeac8778d5f89677ebd5cfdd36d60e4a0415c301c19908821
04ee03e074c08933010d54412936a5f5a1dad3fbbdd7ebbba2df2fea55727878
3a0ee95818d47f498c028f2873fd96c8bff31a3c47c69d69ffeb93003bd56099
53233707becabfdd849dfccf8c28465b086a295697e15b5e8b6dcdf6449a829a
c8b6f6fbab5f3344733da986f015276ce56dec566c7df52f83575b54d19c2804
3d2ecefff0dd1283a663019cf4580b2e89540927c09958a13cfa14026d53f44f
555835e073c2f19fe984f0d4f081e7515381569ee609324144f0b9bfdf5a4e12
c1db4b2578729a1faede84d2735eb8463bfd2c6b15d2fdf2de7a89f1954d0dfb
ba3715cdce2794e44af126e5fe52abf6d5d0201702d2f27ed559401a21c7ebd8
17b6fb98db05ec5d69a57da1783869b715f53a9d6359432aaa9763fd120922f4
ad0ab0dbde437cdef4008341b5b1b9e9d01114d3d4a7a058781922430ba9d85d
313f6e9adf3ea40437f02a370556c0314f501154346abd7a9990bbe2fe87ce92
11778603dd9bced3ef9c2e4b82212c42f6a047e524c41fac701bc18fbab2fe93
19f3b58bc659efce6f8cc7bf9115d54ef8d0540c6b76e0f30f1ca635f7739d01
7ca82f07c0a44cf67d5d37d268f79e394c962aa5c906281dd81ffe6f33d9177e
b50f76742a25cfd2c6c7ead08c7266237934f35fb8bec95f094ed003156285a8
cd6fb2c14c4b5abfee2fbb01549d5c712bbb559b6d742dadc24a093d491e796e
71d2e81fa5dfb3233f88e9b4f5edb7a7f588c8e622838b25441b10f1d661f375
18eec148343aba6fdb883b60d2e077feea783ebc19c399eda57b13cd044082b1
6e8293fafdac59582ea70ea4219f3bdce17d0514d767fc7270c5dd46e8859102
b5e9c270a5375722b7e7f97867007a2332edd3dc511c237013b2edc373a6cf7f
69a951ac9717a37eb24c6fb687e465142db317c623514b9f42f9c7ed4343e176
bf55878eaf9c748912568ec3f20a43f7c4a6bea8271b2c4e40e730ac39a6de62
5198c282a99099910dd7cb97c87b4411b3d1b9672b309ed6dc23f0a9e94f46f5
d3034a180bc7c42c6639a4d2d103aa9444e9deadef93bc69b21aa5fafb844b68
e8e00026a34b70af6b1063e4d5d128079e3c81ebe4ab582126e14153c60cc781
47ebc1f10a672015280de22ceb4d9912a0e2c92c2fa45e7491a8494997cbbfa1
47ebc1f10a672015280de22ceb4d9912a0e2c92c2fa45e7491a8494997cbbfa1
2f977d2e2d526f45aa74b60b55f261514dd5ccaa3a08609f2739fa92b24f0069
a036ba5d94731e86cbe1a5e80b899bb78d90ecd21a653088bbea9a6fc1be22df
d8c70398aca2848960a82240347869cb449fcd8f58b23b25c49e81ba5db64156
029c9f5ecae3acfc8dfa4c6dfcc8589e9b4f541cd0e156bf8acbfdbd97987f46
e47a2ab0953cfbc99a8ff73fa35ef731b331359da7fbac0af43217f9bdaa0ba3
284711f91c8ce69c21f71a296ff1fecc69612785a1f3bae14cb0e809a46674b4
f84b3ff2a40bcc71eef09a171c4a07d724fa72912fd8f0c8dd99db0835fa31db
c6c7f49b346fa564e1b6e1badec0e11bc828aa9ea58ac2342e95b07a43ec78a4
b9af4c8a76ed27c1f8188e608d4b1b756b02b1829bdf835527333e80250fcd72
8657bde2f93a231672e1c86ed6ce13304302c6d45ca2c0e7ef359e2e9ed58356
c12bee9423354a3bb82a16d0dfacdf3461fc70bdc3d84c5f18d2ba54cc562a6a
5663715b744761fa75ddaa72e349b09f2014855bb4eb04fb917aedd29b4b96a3
96ed1038254b80bf64e123dbc238dd93e6fd073a17de436c42e2978f2bafcf67
cf40cbb92efb1aff17d1fb3a91e63e7a9a41c7170bc9652057a1dd078dc6b791
79aad7d0bb1578ed9c4852c30ad853d27329620091ba6ee662f8318c25838d48
e130ba4498804fbafed7a687657530a19b8af4cc0a94710eeec7a94e1c7a40f9
0036d294bf884f872215b29e2ef27e3c91c3414d78ed9254fb19cca8ea2f4e50
7877998b0ef9b66305dca4366a986ba8d8ae20735485773ac3cf47e2f7eb23d6

```
#### Epoch 2 Payloads by Document SHA256 - All Times UTC ####
```

Creation Time	2019-03-27 22:32:46	(From ZIP - JS Based - Fake Error)
SHA256:
5199bb6ccd9ef41fa650456edd466703d01327b1643271ae2a2a38392a8c6c40

http://www.wuweixian.com/we_down/k2_v/
http://khaleejposts.com/rgk/m_Rs/
http://www.hasandanalioglu.com/wp-content/N_v/
http://www.staging.pashminadevelopers.com/wp-admin/G_j/
http://www.lindenmontessori.com/cgi-bin/hr_9X/


Creation Time	2019-03-27 18:39:14	(From ZIP - JS Based - Fake Error)
SHA256:
b0227f1fe2eb5f48ac4c1ad691b3e092c8938950e015c0a95652347f222b6727

http://www.pro-verb.be/data/tV_K/
http://pirani.dst.uz/wp-includes/W1_6y/
http://saareautex.ee/wp-includes/rJ_or/
http://strona520.cba.pl/oqwqbvg/7z_1/
http://pub.aumkar.in/wp-content/uploads/W_E/


Creation Time	2019-03-27 14:49:00	(From ZIP - DOC Based - ENG - 365 Blue Box)
SHA256:
da9b474c898d6b3d73e5c919ffde598042d50c3774542573a2f48557dba224db
a4b35a58d9a362a4d22bf6e45d5b30e1a367c2aed5539a2be6f08a0fc8328589
fdcb3b2b27c0fb34b1f5002d57c0194a30c1242ea6548074ca7d28b3dfee911d
6c7d91a25b74683d94d841127ff8cf2808ce9dd1253b7a3602f158b999c16297
39cc5bf7428158520f313b274da475d8125b3c1b8e1780afef39c9a3a3a2bb49
e9bdad70bbd4f75b287b084cd7d5615986dfd649cb3e74d227b29348a3ee3b87
996e1bc2175267c546e9bc2b63009a79059f1822ea259c8ecbb31d16b1c50ab3
5c7f438374f98c2b814e7c01173b4aace26168fd460cc236a6c54d6453fa44ea
f34ca3af8784ed925cbbfc18c18d1ad85ede2cff83d85014dae893d94e5a1bb3
8195eb875080865d38d7405904f60a13b76c4172dbe1b160d8ee27087570517e
8f480275a3582f8fcd2f48d3105e59b37d31150db8c744f29f5a390e75d83f97
173bfd2764afe967ce41bd1b4847bc2d92fc71e1b371faffbb28b4b87dbb3fe6
da9b474c898d6b3d73e5c919ffde598042d50c3774542573a2f48557dba224db
834e6307622e113627ae08c4ec345c5d43c7425c83c8519b8701160da4f1e2e0
a4b35a58d9a362a4d22bf6e45d5b30e1a367c2aed5539a2be6f08a0fc8328589
fdcb3b2b27c0fb34b1f5002d57c0194a30c1242ea6548074ca7d28b3dfee911d
59838d3e05415150dc2df373f0ed8c94e1d5c1591c1a3bb6bca5a37fe40f410c
6c7d91a25b74683d94d841127ff8cf2808ce9dd1253b7a3602f158b999c16297
be0f692f8c09b0a2cfcca38af6a6c464e16e3433cfeea8830f21e3664cf4cbe3
a08814604305d02882a31663ce7e8bcffc1478709099804af145475e68f0fa64
39cc5bf7428158520f313b274da475d8125b3c1b8e1780afef39c9a3a3a2bb49
d0dced36b4607e809d75949bb3dbcd61921d45b855fcd9d22abef672922a0875
5cff126934d300f7bc14beb17e4a9c824b0873d198c5474f2e9f5d5a4d5e1988
946df21b06d86095101e5bf826f7e0d5cc64e592cdc767a38f290291d2daabec
e9bdad70bbd4f75b287b084cd7d5615986dfd649cb3e74d227b29348a3ee3b87
f8393adb053159ae3a38f52735431dfb8f56634e6c06e5df35496969f11a820a
996e1bc2175267c546e9bc2b63009a79059f1822ea259c8ecbb31d16b1c50ab3
6b8d4747acf4497887b2f131c86dfd78c7af58d4406c89e07e0fd35affe38e13
8c5ba7c69e919d6e52f069ba8c2990ae94c6c2251b1676cb6037bcccf3843dca
5c7f438374f98c2b814e7c01173b4aace26168fd460cc236a6c54d6453fa44ea
157ba71d6aa166b9420317f580b9cd521cb0e988cfd5220d17bae8747259aac0
f34ca3af8784ed925cbbfc18c18d1ad85ede2cff83d85014dae893d94e5a1bb3
70a5fe899f945fe2ed3235edfd50ea2f213e873136a4b3be1cb3e7712df63a41
8195eb875080865d38d7405904f60a13b76c4172dbe1b160d8ee27087570517e
f2af50876a8daae7997ab4016da1affd0e26565a60efa9cf35c4ee683cd9f782
95a01628714034c58432497f473c01ae6ea17e016059e97dc55582ab468614d5
8f480275a3582f8fcd2f48d3105e59b37d31150db8c744f29f5a390e75d83f97
409afa3d0959c8ae11f48ea63d04dd3b93bfe6fefecaa7e1f6c375b005b4392f
173bfd2764afe967ce41bd1b4847bc2d92fc71e1b371faffbb28b4b87dbb3fe6
d9b81bbd973d6bacb77322a201ed36c43962247602b10073c0eef77de9843025
041a09223b6e93a603dd79cce31c780e3838407c5504dc01835e67f3290624bf
834e6307622e113627ae08c4ec345c5d43c7425c83c8519b8701160da4f1e2e0
3ac20c785773ee12498bf3d4a26f4595b16b5d3eb825a033cc6397123c92a78e
d0c2c560df10dec2a79f8dd2fa903894eed568eca89836398c564a97c76dfe49
8622ad306bdb71845e69086858cb7bee044585ccf0a478d0610b1b04a192459d
be0f692f8c09b0a2cfcca38af6a6c464e16e3433cfeea8830f21e3664cf4cbe3
d4e66bb5668763d2edae2baeb91cc7528eef21998b914a403e17a1704499b4a3
a08814604305d02882a31663ce7e8bcffc1478709099804af145475e68f0fa64
32a002db37bf228240a73f917438ce30995536a1b6b5cd3321df35fb1ca29dd4
f71f4702f82ceca1dc68b304d4bbf1ec25bab5fea2ef53f05584f3a76c0e040e
d0dced36b4607e809d75949bb3dbcd61921d45b855fcd9d22abef672922a0875
7f2a7d646ea0af0ccd3fcab0b2edd046f77a618433b0ae292e2d795c1a7a20c4
5cff126934d300f7bc14beb17e4a9c824b0873d198c5474f2e9f5d5a4d5e1988
946df21b06d86095101e5bf826f7e0d5cc64e592cdc767a38f290291d2daabec
f8393adb053159ae3a38f52735431dfb8f56634e6c06e5df35496969f11a820a
0faf43db16c8b061def3dca83f687c4e9bbfda274d75c0c370175a3575e81ae9
6b8d4747acf4497887b2f131c86dfd78c7af58d4406c89e07e0fd35affe38e13
4ddcbb982ec8e77b7c7591a63862b36d0c86083e5e3e02aff4af29d96e33b572
8c5ba7c69e919d6e52f069ba8c2990ae94c6c2251b1676cb6037bcccf3843dca
8b4b82805c62319792ed6439e7f7405e56a5f5250c4cb61ee9bdded267435911
80266352a8c60f023ff4848647a79512cd5fdf745c75b9457b541395d4c9f135
157ba71d6aa166b9420317f580b9cd521cb0e988cfd5220d17bae8747259aac0
1ebc6dc0fd967abb22fccbf626ed8e0699c823fe8bac09c82c73b8f3c93b4113
70a5fe899f945fe2ed3235edfd50ea2f213e873136a4b3be1cb3e7712df63a41
932d57231e1771cb31bfd6a8d9356c7475bcaa972a0f5931c309e89a1151ddd8
f2af50876a8daae7997ab4016da1affd0e26565a60efa9cf35c4ee683cd9f782
95a01628714034c58432497f473c01ae6ea17e016059e97dc55582ab468614d5
409afa3d0959c8ae11f48ea63d04dd3b93bfe6fefecaa7e1f6c375b005b4392f
d9b81bbd973d6bacb77322a201ed36c43962247602b10073c0eef77de9843025
041a09223b6e93a603dd79cce31c780e3838407c5504dc01835e67f3290624bf
3ac20c785773ee12498bf3d4a26f4595b16b5d3eb825a033cc6397123c92a78e
d0c2c560df10dec2a79f8dd2fa903894eed568eca89836398c564a97c76dfe49
8622ad306bdb71845e69086858cb7bee044585ccf0a478d0610b1b04a192459d
d4e66bb5668763d2edae2baeb91cc7528eef21998b914a403e17a1704499b4a3
32a002db37bf228240a73f917438ce30995536a1b6b5cd3321df35fb1ca29dd4
f71f4702f82ceca1dc68b304d4bbf1ec25bab5fea2ef53f05584f3a76c0e040e
7f2a7d646ea0af0ccd3fcab0b2edd046f77a618433b0ae292e2d795c1a7a20c4
59838d3e05415150dc2df373f0ed8c94e1d5c1591c1a3bb6bca5a37fe40f410c
0faf43db16c8b061def3dca83f687c4e9bbfda274d75c0c370175a3575e81ae9
4ddcbb982ec8e77b7c7591a63862b36d0c86083e5e3e02aff4af29d96e33b572
8b4b82805c62319792ed6439e7f7405e56a5f5250c4cb61ee9bdded267435911
80266352a8c60f023ff4848647a79512cd5fdf745c75b9457b541395d4c9f135
1ebc6dc0fd967abb22fccbf626ed8e0699c823fe8bac09c82c73b8f3c93b4113
932d57231e1771cb31bfd6a8d9356c7475bcaa972a0f5931c309e89a1151ddd8

http://asahdesigns.co.uk/ctmg1zz/k_DC/
http://torabmedia.com/wp-admin/5E_NE/
http://onlylaw.ru/cgi-bin/t_UO/
http://biztechmgt.com/mailer/9Y_Mq/
http://test.stratusconsultants.com/cgi-bin/9o_E/

Creation Time	2019-03-27 12:30:00 (From ZIP - JS Based - Fake Error)
SHA256:
7a210ee71d69241a68cb19ce33f918846aadc7a4d461cf3e9e5a9a989a6a3047

http://magiccomp.sk/projekt_eu/II_pj/
http://nrc-soluciones.com.ar/Imagenes/T_3Q/
http://iwishyou.info/generalupdate/e_E/
http://ferdinandos.co.uk/App_Data/y_4/
http://85.214.72.154/wordpress/7_ZL/

Creation Time	2019-03-27 09:00:00  (From ZIP - DOC Based - ENG - 365 Blue Box)
SHA256:
a5244fd330c010b869e7ac452d68e91382e8e95977dc8fc3f7f26e5d5d92d33a
29db2e4d1467c8d88f00c8a642a46ec4615d0e9aaf7c084bb95a08176cf08bff
17bff6e75ce787444bbc48108c5a0c31c1a3c03b677f5990b65d87c50aeeccf3
56340a19f364dc8479c7df8832b048631a40f972fc59e808f9caf9388ec66de9
97cb6f34eb37fa7339958997d1fd2ce53305dca6528e5731507a941a13c6e974
11f2ae5293398cf6a56707ada538bd976e02ec570c20f247b1811208f24c5d4d
95b41f6033830d2e261e92ccb6e77e397d9b2ec1fdd2e3339de32a54cb709e18
29b94ce3bd9f5e09d6314f6e2d57e345aa2182e3a74e261c5f2565b3ecd1ab0d
7761c5b2ddabd554f743addff9012f1644c05fb82b400e19db67d38328257dbb
daeb3f56f2f4f68599259442e057425899e5d922d5900cc3f0386cb3d4d7359e
1ce61864f0f234ed316999c07f5cfe62499d8cc491dfe81dad2dbf3edb9f2de5
cad6ae4b3281bca4394e928bcbf19928f375693d0123722638c7bec67b782b7a
808690689d3fbd8316a0db64ff30528395d16b6c15a5a9d70e50beb7fb0d4d83
015924d5bf2fd94b806aad406ff4dec89ecc17da5d0247231e2ae1ded25aff5e
e599afe677e6ab5e9f0aa3ce8f275150a1ef7aa0e8d01cad1ee4d671413529fd
4b44b4e87d19bd31b4652f8fd4eb2dae69dd6953f604fdcd701c8d90cbc4fdf4
5930802567671384b717edf74e414b4c7813e7e953b09f8581beb9f8c6e0c268
62dd57aeef7f8e64910d09976baf1d7e3ac450a8fb11f3c20fd3fd0cb65bf76f
3e024c72c8f0e292eba530a2a79aeb980ceaf3ea38e8d24a5070864bb59f46c8
e191814c10f01f21ce079950a9ec3defba121be3f65f5f01abd5111315333492
684556be31341a22c5c11df870bd0830cc96c2c347e9681f29cc3d25713676c9
8a108f519d4707a46d61cad7c1c65495ed26c2ba01f2efd75150f462cc596447
2444ec93d23cd77ac56410921f9f01d9c191143607bdd762f8a098f30a8af95d
05ba0aebd711d60db39935955f8efdb182571627966a6e129e537223577fb63c
7af35b23f969bb0a8053eb2faf5862b5e746ff8a15a3f4342600453a361d1ee3
caca94d59ef65006070c31205d14778a6e6ec35121fc677d3798e5c3b23de1db
1c6870532e5b6e13eaf11871daaa703fe93c206e7902bebe6ce58d270065b4b1
ddedef8f21bcd53ebc496e306599f0b5f0ec33edc3588dfaf1ac87ca9ebddbb3
d9feb9ce54dc51fb2d8b9ca9487aa43d132f2c0e93e1c0abfc3fc487be2074f7
7bf68152579d01ba99862b61a91689e3507d8ee94024c729dda3e40635e3d671
a25092edf711c3f9c847d8f3df596c9ef69d2582976bcc4d3c301b625f82af90
3cd1cd9590c721d8390b75533e98b136cc1cc27ce24508f947cfff9ddd26b0ba
1ec1d54c7bc8f6e232a42014695e74bd9513ae3c12137562d4db923f85ddac2b

http://holipath.com/wp-includes/5_Z/
http://malaysiaonline.tk/viseuf24jd/S_5f/
http://gin-lovers.shop/cgi-bin/T_I/
http://malalai.com.br/site/kX_z/
http://icloudbackup.com.br/wp/b_y/

Creation Time	2019-03-26 18:01:00 (From ZIP - DOC Based - ENG - 365 Blue Box)
SHA256:
46946372c81802503f01b6d9739fd4dd9fe39225973c8b9c22ef625666d48deb
e51f057ce172ee70159a9fc7bc8521e6f6197831d054b8dc445e7f8ce0989d5a
8ca56f45320ae34538a0bef0318e6c28b758017ba91e157369363b7dfa3f2598
6026ab30130b1065ac3d1bbd68b0d3eb29e79390ebd55e4d5c8e55313abfafc0
180bf19071710aa548394486ddfd9a2017d075c92f5404bee95db874407a6b57
629ff8cb90bd2b3e646edab9e5e4352f0c13d3ec987d95e778e9bfd8009201e9
7718b1b4a6fcb490c5e5912dd0155a450de8a86586209b56695a1d77ca21425e
372238290f87df6fac0d3054454aec2c23d5996cf93aaeea4e9f941e4298462c
bf3ac1d80daaf533b3af1f1c3b030803791374ac22ad5d4530d8c5b8b3a6c5c8
7694d9fb1e7fe87f76527ae391e7b01fa017b7f27b42c9b92b889e03743917a9
6163a454f25dfacc796c48e2146379966021d53a4112f6943d2ccba979dc84fd
4f910d9c86a9f647fc2c9ee8018925b2c7bc974cab6331e252d5d17485ec1e06
11c8c7925688057b16afdf4748708010c0825117287695438c08891ebaf3e188
618ffb4801042057ec632be5d3d3312c5a468774c45df3c98dd81776e2cac610
4a2de059b24cde110ce822adef190218a365e9b41f0a96b06d5e45e6642faa23
a9d21d20bbbb2d334dec6c21132fea22fbdcda22eb310ba33e9563c4922e6f86
4ca46c60a901a99b2fe3c6efb21874792aec4b7b0aef8066e31392c4c3b76360
6dc961267d310273be9c3755f9ddb21914619fa0b78a47f5a22594284a0e39cf
fd1ab287b966c90d87f1c0c82207b73227661fa18628a1ce00860293cd63c11b
3ce066794ab4c20945fec02a742d62964f0439eb067abb7144df55770e2b3fe3
f8d23636c045e3ed40a552d3d37c81f46c2b885ed0dbfe789dbc9ee81dcf086d
39359bd1fd059e7d75989074ca6356844a13145f2075dc6e2cafb20d101b12ab
00792cc131f75e7f87f2c033780021fbec3eb2092d8bb7e6e9cf0ce9269eeef9
78ad7fface477d0c80f8e451aaed8f325ea725dceb195d522daccfe1b8a5ec98
f0cad2a3dc988d1eb449f64bbcd58da2cb8d570b7acbf67a9272f8ccc98b7e53
cbf9cd66ccb6e969c0ad9878fd01a8122c73c7af7bac9a4518d9e26a38260e6a
12801117100fff39edbbc870c6a21e4f180a7dabb92168a0ebfc0abdb2617f72
07c63e38cb12e5e8e259602a0a04acb44cc372c7d09acd675b395be858adc06c
48d5c64139acde1dc8c38574f629fde4d28d4ce056062897672e0b7fb825712a
b722d6b36059fec99ce7a4b6ccf982819f03f1118257117ea104ab9246b11018
d1088a3f28130c469fd7922ee9e0c86a8906a89383570cb103bbb242b5177515
1e2d2671557feebad52345615fab7e476650a584dc9117be0f401bb441f08f8c
d50dafe82359c1310261a636fa955dece9019245eecf47147b8f35ac7cf498b8
6551d4b043e9a9d4c95724fbbd9ee838bdce591dc23603e9c7438cb28cfbe77e
5538a2481a1b136d55aea8bcd37393b7438d76a0db04385b9fe8ab61c5791261
f2a3fb74265fe14d74cdcfcbc96e59b58037e4de0a288a0253be7bf593359fe2
b7dc25eb170e014aa6332e47b981374360c7c96a3f887493d7b606d9fa5748c4
6437e54cce2c515d0b802937715868468c6fd8fb41f56dde47952d676173a10b
85982aa85a801279440d5782c60e42cf55348bf0c3011d7fb3144ea0c05a39b1
f4acd650bab0d94c962c57530abcfe59efc59529acf55930d34868670dfe9676
8105ec977a583f71aecbbdc0b643111c569ccba023d60a26481bfb5231cd6679
9d638e393cf9c49ee287c8580b501b52b0db09aa60e03668d04c25f608d70a9c

http://kompy.cba.pl/gif/lN_dl/
http://fisiobianchini.com.br/wp-content/uploads/2016/05/S_U/
http://dev.dimatech.org/wp-admin/Hu_jj/
http://juangrela.com/admin/bB_m/
http://coupedecheveux.org/yu71t1x/c_V/

```
#### SHA256s for Epoch 2 Payload EXEs seen on 03/27/19 ####
```

77ab2396dc221423d421f49eb2746aff226c7735981906e2bba44fac2fdfa640
ff283e9392e4c85cdd0828416b5b8392f85e5df526836c065a1b3aa260a7d175
f01c16ffb52ab032db901ec3f25589e698d5deb3f511a27db335f62dd6d70aba
4870de432baf1796f794be7a0a6e1b93af704cf99b6432afa1a50ff7f2912daa
37c5fb6ab5b876b4c2b480f7cf30cb01e612310aa353f5d85f0a294a60a1ef8c
c79d7d6cac57b2c300f26a940a732b2341b5772953243d788535bd0bac125a34
3416ddc83c28e7a45e050cb3f6d90858ff877890ecfbf08dd75466bf2814d5e4
78d78ae02167abadab00aa6b88771227d133584a5aeac26fe000942fc4629b77
aa2617fda6fd3d6f5a61ef1b4163482fe93ac34c419bca2f8a4d9e3e740bb839
75364586b0e657a8b08544efd9d4928f1ef2a6e2fa9e843776d5ad5c35f64cdc
3b327baee714627288cf9fe57c911fd7f3143bfda3f3a167aaa422a4bf98e975
351ee2708a6aa17b1bf7a5c91869669ffd4ae3e68bbf754491c813c556b606ef
4537d018f20cff06446c0546728896cc20d007d128f3fc2fad00fadf41984697
973d2a506c28fc536a7769e86c8a11b596b4037b272204145787625d0449a29d
4015276e403f59417e9e5a11932a330d8b7dcd680cd41bc2e9e0285f39f44bb9
91d1858524e498abd42208d87d7bec6490ad36235f3747683db653b3482fe7e5
6dc507932eb47b4fbd65c15fee266576b8a05ace5be7000fec40c3e41e668309
e46a2d9430f87b83b333d3f2d50aa69ca5280a785f3e24ff3beb888e3082ed81
ce427b47983b1cde7444d9d90b4a3bf40fb81f54010863688f26dfebe4ea1871
1a551464f38b623cb4b7c6442843ffd18b877b2c9b14ec90a9d6e1d2ef9844c4
1bc770076d51e89ec0d8d436253391fcf42007aef747ac288158267a40ebe500
cabf4b0e46464a25fab53f745113bcc616c3a35672d88cac3b04e4e38aeeb3a4
acd9625ad394305a4f2ba7801d66a84cb4329206d5b57931c88b8f9b1bf7ae94
d18c562e7237d577c6403a386951fe2022eb9e83b11a04bb370218754bdcedc9
23a46a2588a264cb14d319e827e70195e6a760c29e4f06f2d6db5e21dbb65732
f8929198b6579f1c5c6ce78321d62131bdacbdeee3b4b9c5038149acf3e134c1
5e1c1bb8d10e56f467f847be6921b39145420cc77de483010f2d665dc017b590
ba120d00f4d0f122b7774d953877a641bef256f21707dac099291d4e1cfc71c2
cc3ce410cec8258f88c88efd992b0def235bf42a3d2a310598b7ef79d2240dfc
9bd733d27630c2a1a80ce62c4021922a3286beca64adfb2873bf38322531dbf3
f88cebaaa21a6bc34987e2e4d9cbd353941c18f9b1f852e8e8d6c372b4445f7a
8d54bf956e4a963aae6d57ff91f422386e05e6ded41cc3d23f6a56b555c8d430
13fd033c0afa20bf7768ef56257fc8aa474d4eff4585c41d8440462d07d280e2
7f9819238481ccb51988565e0ac00074be36a49b7db8832fde8abe104ac6c9ee
e6facc68c54ee2b5651e54fb8d16a68b9862293d4c08999fd74d2f9b84687d7e
73520e1a27c48f84742a363e3f3dbd92f6c004d4c7a53637e8caaae248548231
8fa2e6e0794d44e4e9d5be0d13078b7e4633b5fe8438ceba0a227fbaaf9fd362
764add6b84feef019e5855efd19c6f03d7f714a7522ffc45030179787a2d0791
d303b6221478664559d5adc85a0e005188f9cbc55646449e8c08326398b20b59
f214d29293cbcea1fbc8c63d095ccd1c72f2c31c2395d18403771b556ce7eded
b514db8fd2ac5ce5b36a3577543552f89d0adff1b188fa4b212b3bdcedcdd8ad
7e5ee1ae81ecf858eaf66b1e4c26dcba17defe7e2b02ddbd33d695011bd98bd2
2c1b3435589dce5fe2b07ba4b22e6023529a34bf83079566d0791cc86e45b8dc
585405cc1ec77bed1c2f188fdf033ee73ebf03c36a61d85b73312122901d84a9
1706bd3f0e2d5f753c79a438363515695c606d042083c7a97b47d9a037634c53
52e29a2da7e05749fd1955ffd5f98e5e2e3993e3e84eecfad6f1612e26bd4696
22c5d3bcc1fa232105493f3d433793426b639f182a6e08145422274d2157f059
cfa4b1df72afc2700e6d7d952b764b105a4cb0d8d2f17f61f55b2eab00fef453
ab7fa49e8ffc15665aeecc7a0be3134e094c13a4144e81e6f00b3ce1520ea39e
681f8f57b95662d15d91e9449c8e28df0eba54ea32d9b0c7285b315046469572
82cbb618726907453f7e90107390995e4f24202856b42da8b2b5d925ff34fca9
d1fe12e9e3d64da130868886e4d14dd8e472b803bd4b27ab3381daaac730e744
b069bc0c8ee4065ce0c1f2c39bbd6b8250178ce7f96314b855931d83cf7d10cc
bbba5d2c1082b6247c335760a3d0e3bd64fef1e809768acc03b5d9838195cea4
776fa504195a3ca57149d38e6eb606680f80bdd9d18db9c2ce0bd03aba31837d
c2df08564fcc6afaaee961b1dc89bace5cc717685b6c1f590932fc373290b305
17e1a1b579f4f65dd07db04432dec39d1972654657af6d68e1417c19c77ec8fc
19c43ab31317f12c56a0e8fe4d190540d8f2ccab575c3ad82e3db69679f3af77
0d3eccc908949d9d44e66ee463fe9fa259d5f91157a632f0bbf283ef9f95711c
f157bea28d0f54a6323b15c95d78e20442b109202865821cb458664b571f681c
140cd8f9195c2c95b807383bce0a50b1e44d2130b9091c87dd288fe9edfa2ddb
6c00fefdb83e9930983db48f55af574c5c2dff1c5f991b62c6102fd9753b3783
a6f271385e7bf64e26fbeea40459b4a6d0d825fd1ebc2be23f3a4ecf0ea173f4
e120ce197e9d7cae8c598b46e212e8926119856d88473c3a520110448bc4c160
9d677e1083d270f719cb1f15780ae7c1a7e58e1f177d198439479a173fc06bda
54427b368ffad28e3fc805a7a15e6c9cffc1f7417d5aec5bec8d4164c3bd1742
7a3e5ebdaa83f38a7fc86c36102489c9e98a24a14cb0e26905d74d54a0e80848
4ad92a4205d20562428077543b9eb56ea7453b07a4a6ae116da5acf3a2a3e75e
acd6c51180722d25faf5c58c40afcf0e9c386c67da0a14a4b1c02dcb778afae4
69284ba7d6bd444cdaf05b1ae99d793e5a1f2a3fed5c42c7b18e329d80606d46
0dac7c6c96908ed8326b06e4ac59716bbaaede6410ac7e2c201abe7d350dfeff
a32656290bd3ef395858879ad72a83e435397683f78e09e74e5613cec1ac44c7
7996da1050bd39278622e8bcab3f4bba3db31a3ec20a4b3fd2f1cfd374f98fd8
5ea8cc4ee75d58f559803059a533b2e38433f08661d505b80dc3a8983aaea181
19e415857d5338b09a898bbf8056e1ec2e83e7352d8b09bf22b5771d9bcbede6
19e415857d5338b09a898bbf8056e1ec2e83e7352d8b09bf22b5771d9bcbede6
8fb3ae8f3f2e72cef614dc8c2f0fc056901f8d50b329c00ae98aa1974c87e7bb
335f300f41be2c2dc612dbb72b773f72ce83605d2f8d4eeecf9ca87b65c71408
7d08ef83244e8e522fbb82f41bde555a30289024f217afcbc6fe539e275cf81d
27594c322ccd86df012a3d15d2f3d6d803d3c879ce566b4c627cef12e33bb064
cf5f8bd33ff24f5d689477fee4511d656437c154ade1e16420fc53c6cee35d0e
a64486ec9642f1f4e8903f4236f5858d6132fb68471b19c6dcbf72da60c8aea1
4ac60bcf148ba6134ede27481161d8cbebc941359f41024928cc03cb5ef91e63
f7c748f495eadc6627efe343e45093081540e5d0440d49af128a1a5e3f624d27
14feeed2c125accc752fc1e4d226970dfcc55cf179cf971cf1126d9a012c7bc8
2f4af5d08c3cb7ef69e86ebebe692192bf2fcbe51b019a08a72c30935cefcae3
ee278c851fed3fd602477bf50b295a2acc665352ad6dd12e8e636c59e140db96
06e4e44bf05569f92e407d2b9ef8748ce6886dbcdd58f27c097c5754bbb38997
306a0d6f2db27126f7fcc40b27701227f8087bd988e6c809cf0cc0a9826900f7
895cd267bb558afa5726eb1425fa919abba011b7431564157ddc81516772ff41
14c7b74acc3c279e9b4773871fb7ed23c53402e0e2a083bae7c3553166cf4939
ade1e0421b9241fef68571f68c4b1cb7189d4b54aac1c5e563b59a5b7a85745b
49ca8b8dfae71f67c6946401539861a2b5d7cbfdde160334ea15dc52b9afbf63
b25ef0dac2d1a17e3a60af27b2186c21c92aea6f1faef014ab0e9515c5e2d142
73ee6f0556c41a09caa3a4b0f0a7bcd8ba4e144047fd570101b7519b31627590
e2b9951c7744decc4f473716c04dcff3cd5b4e2f980a0c056de55c9ddae71564
a6e715eb6b059574fe6def8ebeb4c164b05ddf376356eb8609666d0a3d0a0d40
3192b7bff4106267ba459e396195d0b2cd68a074caa8c3a3f381a576cc19b79f
7b18e83009cee3193268be9c6d523f0d0d06c0e35448b7d28752052580372351
6ad91b87955f399bbd95c804cfc2fbbc77b5b5af8c5f3aec4f264268ef3fc789
3d7ec48bbc75f0a70f07e70f721558a4c93ecefbdc2ebe79c6461037c767bb3f
40b146085b5846ac88e181813ea5e25045a962d0bddf3674ac2416034f2b19bb
aad948113b714d4bd5d01d2b70bb3632845c9399a2c0ff96f85b3bbad64d5348
1507c56d27426f161926df194ea6867ee95aea2e0b3203ba9355ff060633e611
af1750a1e613e120ba19bb7534b416f7b695535866244443444f1461400a74e3
af8e1c6506d6e651845c02a3ed14522b55d83704159fdc7eaf92fbc2f01b3a0b
c7fcfac14d401662130a4d752418b0b1fd009c7f89d03eb95ec36be0d165d11d
bf705621f2263e9e916f0f3b603857715190bc1c9a1e8391519d09edcb5436b2
cd27016ee10398ecfbf13a56faf3913721fb39c536c019dfee89a6384c10d4e1
1da5cc07a36ffa6f9ef56fa3bfb816bd5d383bbd175f9118002c2d6e30622a0a
4e87fc660790ae69cbc1f277a4fce74da11915ce249bf49de32f0cc1cadecc3d
069074539c5cda242b5b8f8ecfca69df2155d5f32553675b849a5e29486b5a00
fa8a25c86b1d8abcfd3016956f995697946d5d5f5ca7db893beaa95db6207362
7e11f32f2f23beea5fc5c54f7d31881153656a2466bcc7949af88a9c7ab6e279
177bf1fde5b16a2c515cbdb662bc53fd9dc712c135b88b91355d28677186cdb1
548e38e75c99a877198b95eea065158aa6e7951d2e33f561abfb7786e3fbe88b
265683bb63e487ed8c0cf4a30d4bbd7c1ed55c7ba8105085d2dad4888734e6b9
0d9e49a1ffcd38a059cfe98efd39c76ccca6bef630df9b69fbade3f838923d7c
40da50a3dc3dba8ad20b39b1a8be1b5f94eb61de3ae5e3ba642e8984284e82fd
cf76636c412957df0a0d837c674ad0740dd0e0db5a54b591c3d657631ab9c5ae
0e9561cbbc857e086cb15d3879d55576339654f34b26034a80c23a11ffe4f8cc
8a51c30f9409656199fbd63991cdcb9ea300606f17c02063096f55974c162e60
12c2f47e2c2dfc04c4e53c4ac45bf4724924019dfea0276c9ce89230a0ff9d2c

```
#### Epoch 1 C2s ####
```

109.104.79.48:8080
109.73.52.242:8080
138.68.139.199:443
139.59.19.157:80
144.76.117.247:8080
159.65.76.245:443
162.104.1.255:443
165.227.213.173:8080
173.248.147.186:80
181.129.83.122:80
181.15.177.100:443
181.16.4.180:80
181.170.252.83:80
181.44.231.127:443
181.56.165.97:53
184.95.192.237:80
185.86.148.222:8080
186.138.205.189:80
186.3.188.74:80
189.208.239.98:443
190.117.206.153:443
190.146.86.180:443
190.15.198.47:80
190.185.241.151:443
192.155.90.90:7080
192.163.199.254:8080
200.114.142.40:8080
200.116.26.234:80
200.125.190.126:8080
204.138.46.166:7080
208.180.246.147:80
209.159.244.240:443
210.2.86.72:8080
216.221.73.45:443
219.94.254.93:8080
23.254.203.51:8080
24.137.254.148:80
5.9.128.163:8080
51.255.50.164:8080
66.209.69.165:443
69.163.33.82:8080
71.11.157.249:80
72.47.248.48:8080
74.36.4.206:80
82.226.163.9:80
82.73.220.225:80
89.211.193.18:80
91.205.215.57:7080
92.48.118.27:8080
99.243.127.236:80

```
#### Spam/Stealer C2s ####
```

31.172.86.183:8080
104.236.185.25:8080
50.116.63.9:7080

```
#### Current Epoch 1 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAL9KRKWqcld40xbUZ6hRh+fPNkgJe7K+ 0y1rR0UFqc2SBmnyoR/2Ctd+8MRvU8zri2eNVkVBxCUH1Cthf3AEgRqY2kGva8gJ Wcqls3j7RztZzqFoL+wM9DNnz/OWuiyPAQIDAQAB

```
#### Epoch 2 C2s ####
```

104.236.135.119:8080
106.51.237.174:50000
114.79.191.12:20
115.254.91.178:7080
120.63.130.239:465
133.242.156.30:7080
138.201.140.110:8080
147.135.210.39:8080
162.243.125.212:8080
167.114.210.191:8080
171.101.196.138:80
173.255.196.209:8080
173.255.250.241:443
174.93.130.148:8443
175.100.138.82:22
178.62.37.188:443
181.39.51.243:993
182.176.184.81:22
185.191.177.79:143
186.4.234.27:443
187.189.195.208:8443
189.252.15.206:443
190.35.109.41:990
190.97.219.241:80
2.50.4.159:443
201.146.85.239:22
201.220.152.101:80
201.236.95.82:80
201.239.154.191:443
203.210.237.200:993
204.184.25.150:143
208.78.100.202:8080
211.63.71.72:8080
212.122.71.196:995
212.31.106.90:22
217.13.106.160:7080
45.123.3.54:443
45.33.49.124:443
47.202.17.6:80
5.230.147.179:8080
50.31.0.160:8080
62.75.187.192:8080
63.77.201.245:443
64.13.225.150:8080
67.205.149.117:443
69.198.17.7:8080
70.57.82.196:80
78.186.5.109:443
81.134.59.36:8080
81.22.137.186:8080
83.110.80.67:22
83.222.124.62:8080
85.104.59.244:20
87.106.139.101:8080
87.106.210.123:80
91.92.191.134:8080
92.154.101.154:50000
94.250.55.138:443
94.76.200.114:8080
95.128.43.213:8080

```
#### Epoch 2 - Spam/Stealer C2s ####
```

198.58.114.91:4143
213.136.86.219:7080
91.205.215.10:7080

```
#### Current Epoch 2 RSA Public Key ####
```

MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMPLgcO0RQdJg/LTgiku57nH4KcLwHCx S0lbynOUhHhKjTnmENrMA2idUbK6hI0JRZtii9oJSlb3e5NZiCK+Qr/NB2u7ZNRc hG87aibm0ndS9xKDRXcmWwaQkF0PFuOHpwIDAQAB

```
#### Credits and Notes Section ####
```
Updated 7/13/18
WARNING - Some links may have been taken down shortly after I reported them to URLHaus.ch because they rock and report everything to ISPs as it
is confirmed to be malware. Additionally, this list MAY include doc DL URLS from previous days, see the previous days here to get the full picture:
https://pastebin.com/u/jroosen

NOTE: The doc DL URLS are in alphabetical order now. The community lists below may contain content I do not have in my list.
I am providing them for your benefit in case you want to parse them to be sure.

```
#### What is Epoch 1 and Epoch 2? ####
```

What is Epoch 1 and Epoch 2? (updated 03/07/2019)

I have been tracking Epoch 1 and Epoch 2 since May of 2018. I called them Epoch 1 and Epoch 2 because they followed a different timescale of
payload updates and history. In short, Epoch 1 and 2 are two botnets with distinct C2 infrastructures with separate RSA keys for communications.
Epoch 1 is currently the larger of the two botnets(MAR 2019) and I think it is the main push of Emotet currently. Epoch 1 WAS a smaller more
rapidly changing version of Emotet at one point in the last half of 2018. Now Epoch 2 seems to be the smaller of the two since this time period.
This seems to change back and forth over a 6 month period. Despite having unique unshared C2 infrastructures, these two botnets have been seen
to move bots from one to the other and show similar behaviors seemingly controlled by a single entity/group. E.g. going on breaks at the same
time period.
Here are some observations I have noted since I have been watching these botnets:

- Checking a document download site from Epoch 1 will deliver a document that is different than what is being delivered at the same time on an
Epoch 2 document download site. Specifically, Maldocs on Epoch 1 will have a different document creation times and payload quintets than those
being delivered in maldocs on Epoch 2 at any one time.
- Document hashes change very 10 minutes on both Epochs while distribution/spamming are active.
- Document download and payload URLs tend to become orphaned as templates are changed out and they age. By 72 hours most are no longer updating.
- On Monday's of every week a new set of document download sites and usually templates to accompany them are generated early on
Monday morning/Sunday night.
- Both Epoch's may share a host for binaries or documents but NEVER the same directory. Eg. Epoch 1 may have an EXE in directory host.tld/A and
Epoch 2 may have a document hosted on host.tld/B.
- The RSA keys will change every few months so for C2 communications on each Epoch/Botnet.
- Binaries for Epoch 1 payload sites are different than the binaries for Epoch 2 payload sites.
*- Binaries used to change hashes every 15 minutes to 2 hours but now (3/6/19) are changing every 5 minutes on distro.
- Each binary has a hard coded list of C2 sites unique to the Epoch it was derived from.
- C2s are never shared between Epochs/Botnets.
- Both Epoch 1 and 2 seem to go into "break" periods at the same time for several weeks. During this time binaries are updated every 2-4 hours
via C2 to stay ahead of AV defs.
- Spamming activity seems to cease on each botnet at around 00:00UTC each day. It usually starts back up around 07:00-08:00UTC each day.
- Spamming usually does not occur on weekends and the Emotet team seems to take weekends off.
- The easiest way to tell what botnet a sample is from, is to find the payload and then check the C2s/RSA Key. HINT - CAPE Sandbox makes this
easy now, use it! Thanks to Kevin @CapeSandbox and @pollo290987!
- Changes in behavior are often deployed to one botnet and then to the other as if the first was a test. This has been observed for obfuscation,
spam template, word template, document type and even payload.

If I think of anything else to add or if anyone else has any suggestions, I will add them here.

```
#### Community Lists ####
```

https://pastebin.com/GzqzYmSQ - @pollo290987
https://twitter.com/ps66uk/status/1111040321083850758 - @ps66uk
https://pastebin.com/JeHBL2ej - @ps66uk
https://pastebin.com/f07BAUze - @executemalware
https://otx.alienvault.com/pulse/5c9bde41e792b316e44699aa/ - @SecSome
https://pastebin.com/b8bcnqtJ - @Jan0fficial E1
https://pastebin.com/CfCpcjEW - @Jan0fficial E2

```
#### Credits ####
```
(OC from @JRoosen and/or combination work of the following)

Doc DL URLs - @James_inthe_box, @unixronin, @abuse_ch, @JayTHL @dms1899, @avman1995, @pancak3lullz, @pollo290987, @malware_traffic,
@0xtadavie, @Bitterman59, @devnullnoop, @Bauldini, @baberpervez2, @executemalware, @leunammejii, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @shotgunner101, @HerbieZimmerman, @Outkast_TI, @ps66uk

C2 info/RSA Keys - @unixronin, @CapeSandbox, @sysopfb, @pollo290987, @MalwareTechBlog, @ps66uk, @JayTHL, @malware_traffic, @0xtadavie,
@devnullnoop, @gorimpthon, @Racco42, @Jan0fficial

Payloads - @bigmacjpg, @decalage2, @James_inthe_box, @MalwareTechBlog, @ps66uk, @dms1899, @avman1995, @unixronin, @pancak3lullz,
@pollo290987, @malware_traffic, @JayTHL, @Bitterman59, @devnullnoop, @executemalware, @Bauldini, @jcarndt, @gorimpthon, @Racco42,
@papa_anniekey, @Jan0fficial, @OguzhanTopgul, @HerbieZimmerman

Spam Templates - @0xtadavie, @SaurabhSha15, @devnullnoop, @raashidbhatt

Special thanks to @devnullnoop, @2sec4u, @unixronin, @pollo290987, @ps66uk for creating scripts/servers/infrastructure and
helping out with this!

Very special thanks to @capesandbox, @bigmacjpg and @decalage2 of the ViperMonkey Project https://github.com/decalage2/ViperMonkey ,
@digitalocean, @mploessel, @anyrun_app, @MalwareTechBlog, @unixronin, @hurricanelabs, @KryptosLogic, @abuse_ch/urlhaus.abuse.ch,
@urlscanio and @Virustotal for providing services/software no charge to this cause!

```
#### Daily Log ####
```

I only received a couple malspams today which is odd. It seems like the majority of E1 stuff is links still but I did get a
few attachments of .doc files and the body was in Spanish. I have not seen any E2 malspam today. I do not have a lot of first
hand details so lets look at what others posted in the community.

https://twitter.com/executemalware/status/1111079704579264513
@Executemalware - Told us he was seeing PDF attachments on E2 again. As before, some of these PDF type templates had an additional
attachment that was a "certificate" named the following:

cert.txt
certificate.p12
digital_sign.txt
digital_signature.p12
digital_signature.txt
sign.p12
signature.p12
signature.txt

Previously I have only seen the digital_sign.txt and this is interesting. Sounds like more things to block on if you are so
inclined.

On the subject of E2. I did not that there were more payloads than normal today and we saw 25+ URLs for payloads. It looked
like they threw in some .js independant quintets that did not show up in the .DOCs (or the .DOCs named mislabeled as .JS).
Towards the end of the day, E2 stopped doing .ZIPs that contained .DOC files (named as .JS ext) and started doing just .JS files
in the .ZIPs. The .JS files still have the fake error in them but they are named things like the following:

"2019_03___US___PAY47988827252___3452570734749809.js"

This goes back to the excessive _ post that @jaythl had last night:
https://twitter.com/JayTHL/status/1110757656875143168

As stated before, I am not going to post hashes of the 1000s of stupid hash busted zip files. I am now calling this crap
Operation "Zipper's Stuck". Here is a review if that:

"Each of the ZIP files on both epochs were really cycling hashes at the same moment in time. 10 different sites would give you 10
different hashes at a point in time. Then all 10 of those hashes would change in 5 minutes. This effectively created a huge pool of
noise with the hashes for .zip files and I wont bother to put them in here but I have them if someone wants them."

I still think that Ivan reverting to .zip and .js files is going backwards but fine by me if it takes more clicks for people to
get infected. This way people have more time to think and get a few more prompts, so they are less likely to go all the way.

EXE Rehash is still going nuts and we are seeing new hashes every 5 minutes.

C2s did NOT change for E1 and stayed at 50 combos in total. - recorded above
C2s DID change for E2 and increased to 60 from 55 combos in total. - recorded above (lots of replacements and new IPs)

Time for sleep. TT

```
#### Sandbox 03/27/19 ####
(all with fakenet and MITM unless spam/secondary infection)
```

Epoch 1 C2 run on 2019-03-28 at 04:00 UTC - https://cape.contextis.com/analysis/55702/

```

```

Epoch 2 C2 run on 2019-03-28 at 04:00 UTC - https://cape.contextis.com/analysis/55701/
```