- Elephant framework (GrimPlant (Backdoor) and GraphSteel (Stealer).)
- Graphiron Backdoor
- OutSteel (LorecDocStealer)
- BabaDeda
- Cobalt Strike (Beacon)
- SaintBot Downloader
- WhisperGate Wiper
- Graphiron
- Graphiron is a two-stage threat consisting of a downloader (Downloader.Graphiron) and a payload (Infostealer.Graphiron)
- The downloader contains hardcoded command-and-control (C&C) server addresses
- The downloader is configured to check against a blacklist of malware analysis tools and connect to a C&C server to download the payload, which is then added to autorun
- The payload is capable of stealing information from Firefox and Thunderbird, private keys from MobaXTerm, SSH known hosts, stored passwords, taking screenshots, and exfiltrating data
- The password theft is carried out using a PowerShell command
- The payload communicates with the C&C server using port 443 and communications are encrypted using AES cipher
- Graphiron has similarities with older Nodaria (UNC2589_EmberBear_BleedingBear_Nodaria) tools such as GraphSteel and GrimPlant but can exfiltrate more data such as screenshots and SSH keys
- Nodaria is a threat group active since at least March 2021, mainly targeting organizations in Ukraine and has also been linked to attacks in Kyrgyzstan and Georgia
- The group uses spear-phishing emails to deliver a range of payloads to targets and their previous tools include Elephant Dropper, Elephant Downloader, SaintBot, OutSteel, GrimPlant, and GraphSteel
- Nodaria's earlier tools were written in Go and Graphiron appears to be the latest piece of malware authored by the same developers, using Go version 1.18.
- Elephant (GrimPlant (Backdoor) and GraphSteel (Stealer))
- The Elephant Framework consists of two core components: GrimPlant (Backdoor) and GraphSteel (Stealer).
- GrimPlant allows remote execution of PowerShell commands and communicates with the C&C server using gRPC and encrypted with TLS.
- GraphSteel exfiltrates data from infected machines by communicating with the C&C server using WebSockets and the GraphQL query language.
- GraphSteel exfiltrates information about the infected system, files from various folders and drives, and credentials from various sources including wifi passwords, browser credentials, password vault, and SSH sessions.
- GraphSteel Backdoor
- GrimPlant is a simple backdoor allowing for remote execution of PowerShell commands. Communication with the C2 server uses port 80 and is based on gRPC. The communications are encrypted with TLS, and its certificate is hardcoded in the binary. GraphSteel backdoor is designed to exfiltrate data from infected machines. Communication with the C&C server uses port 443 and is encrypted using the AES cipher. GraphQL query language is used for communication.
- Attacks reported: GraphSteel & GrimPlant used in email phishing attacks on Ukrainian government organizations on April 26, 2022, March 28, 2022 and March 11, 2022 (Source: CERT-UA). GraphSteel and GrimPlant are both written in the Go language.
- GrimPlant is a simple backdoor allowing for remote execution of PowerShell commands. Communication with the C2 server uses port 80 and is encrypted with TLS.
- GraphSteel is designed to exfiltrate data from infected machines. Communication with the C&C server uses port 443 and is encrypted using AES cipher. GraphQL is used for communication.
- APT responsible: UNC2589 (Ember Bear, Lorec53, UAC-0056)
- Attacks reported: GraphSteel & GrimPlant were used in email phishing attacks on Ukrainian government organizations on April 26, March 28, and March 11, 2022 (Source: CERT-UA)
- GrimPlant Backdoor
- GrimPlant is a simple backdoor allowing for remote execution of PowerShell commands. Communication with the C2 server uses port 80 and is based on gRPC. The communications are encrypted with TLS, and its certificate is hardcoded in the binary. GraphSteel backdoor is designed to exfiltrate data from infected machines. Communication with the C&C server uses port 443 and is encrypted using the AES cipher. GraphQL query language is used for communication.
- Attacks reported: GraphSteel & GrimPlant used in email phishing attacks on Ukrainian government organizations on April 26, 2022, March 28, 2022 and March 11, 2022 (Source: CERT-UA) GraphSteel and GrimPlant are both written in the Go language.
- GrimPlant is a simple backdoor allowing for remote execution of PowerShell commands. Communication with the C2 server uses port 80 and is encrypted with TLS.
- OutSteel (LorecDocStealer)
- OutSteel malware is used in spear-phishing campaigns with malicious attachments.
- The main payload is an infostealer that steals files from the victim's machine and uploads them to a Command and Control (C2) server.
- The downloader used to load the infostealer is BabaDeda crypter.
- The malware is believed to be state-sponsored, carried out by a hacker group called Lorec53.
- The group is suspected of conducting espionage attacks against government employees in Georgia and Ukraine.
- The BabaDeda crypter acts as an installer and executes shellcode stored encrypted in a file, such as xml or pdf.
- The BabaDeda crypter is an evasive malware that has the purpose to load a malicious payload stored in another file.
- The BabaDeda crypter is used to load a second BabaDeda crypter in the second phase of the attack.
- The final payload is Outsteel, which sends the stolen files to a specified URL. SaintBot Downloader
- BabaDeda
- BabaDeda Crypter is dropped by a downloader, which can be delivered via a file with the extension ".cpl"
- The ".cpl" file is designed to automatically execute when double-clicked, making it easier for uneducated users to trigger the malware
- BabaDeda Crypter is installed by an MSI file that is downloaded by LorecCPL downloader
- The final payload is delivered as a main malicious binary named "mathparser.exe"
- Capabilities of BabaDeda Crypter:
- BabaDeda Crypter has the ability to install itself onto the victim's system
- The malware can execute a main malicious binary, which could perform various malicious activities such as data theft, information exfiltration, or other malicious actions.
- SaintBot Downloader
- SaintBot malware was observed in a targeted email sent to an individual at an energy organization in Ukraine on Feb 1, 2022.
- The email was a spear phishing attempt that used social engineering tactics to convince the targeted individual to open the attached malicious Word document.
- The document instructed the user to double-click icons with exclamation points which, in turn, ran malicious JavaScript.
- The JavaScript file ran a PowerShell one-liner that downloaded an executable from a URL and saved it to a specific location.
- The URL was hosting a malicious executable that was a loader, acting as the first stage of several in the overall infection chain.
- The infection chain resulted in the installation and execution of OutSteel (a document stealer), SaintBot (a loader Trojan), a batch script turned into an executable that disables Windows Defender, and a legitimate Google Chrome installation executable.
- The initial loader was signed using a certificate related to the Electrum Bitcoin wallet.
- The first-stage loader was a simple wrapper for later stages that decrypt DLLs and load them into memory.
- The DLL is obfuscated but contains anti-analysis functionality that refuses to execute inside a virtual machine.
- The DLL is another stager that will decrypt and execute four embedded binaries.
- The four embedded binaries are OutSteel, SaintBot, an executable that runs a batch script to disable Windows Defender, and the Google Chrome installer
- Cobalt Strike (Beacon)
- Cobalt Strike is a commercial penetration testing tool that is used by threat actors as a backdoor agent named 'Beacon' on target machines. It is a versatile tool that is used by a wide range of threat actors, including APT groups and ransomware operators, for downloading and executing malicious payloads.
- The Beacon implant is a file-less, stage-less or multi-stage shellcode that is loaded either by exploiting a vulnerability or executing a shellcode loader. The Beacon can communicate with the C&C server using several protocols including HTTP, HTTPS, DNS, SMB, named pipes as well as forward and reverse TCP. The Beacon can also chain connections to establish a foothold inside the compromised network and pivot internally into other systems.
- Cobalt Strike has been used in multiple email phishing attacks on Ukrainian government organizations and is attributed to the UNC2589 APT group. The Beacon has also been used in combination with exploits like CVE-2021-40444 and CVE-2022-30190 (Follina)
- BEACON: backdoor written in C/C++, part of the Cobalt Strike framework
- Supports shell command execution, file transfer, file execution, file management
- Can capture keystrokes and screenshots, act as a proxy server
- Can harvest system credentials, port scan, and enumerate systems on a network
- Communicates with C&C server via HTTP or DNS
- WhisperGate Wiper
- Uses the following Windows Command Shell command to execute the destructive malware:
- cmd.exe /Q /c start c:\stage1.exe 1> \127.0.0.1\ADMIN$__[TIMESTAMP] 2>&1
- Uses PowerShell commands to connect its Command and Control (C2) server and download additional payloads
- Delivers PowerShell commands in Base64 encoded form
- PowerShell command: Start-Sleep -s 10
- Tactic: Defense Evasion & Persistence
- Modifies the Master Boot Record (MBR) to evade defense
- Delivers PowerShell commands in Base64 encoded form
- Searches for specific file extensions in certain directories to alter their content
- Downloads file corruptor payload from a Discord channel hosted by the APT group
- Download link for the malicious executable is hardcoded in the stage2.exe
- Overwrites the Master Boot Record (MBR) causing the infected system to not boot up after power down
- Overwrites files and corrupts their integrity
- Renames the files to further its impact
- Misrepresents itself as ransomware
- Two-stage wiper malware
- Initial access stage is unknown, but suspected to be a supply chain attack
- Overwrites Master Boot Records (MBR) with a fake ransom note
- Corrupts files with certain extensions and in certain directories by overwriting them with 0xCC bytes
- Renames the files with a random four-byte extension
Summary:
Nodaria (UAC-0056) is targeting Ukraine with new information-stealing malware. Infostealer.Graphiron malware steals system information, credentials, screenshots, and files from compromised computers.Graphiron is a two-stage threat consisting of a downloader (Downloader.Graphiron) and a payload (Infostealer.Graphiron).The downloader hardcodes C&C server addresses. It checks a malware analysis tool blacklist when performed.If no blacklisted processes are found, it will download, decrypt, and autorun the payload from a C&C server. Graphiron uses AES with hardcoded keys. It generates.lock and.trash files. MicrosoftOfficeDashboard.exe and OfficeTemplate.exe are hardcoded file names.GraphSteel and GrimPlant are comparable to Graphiron. Using PowerShell, GraphSteel exfiltrates files, system information, and password vault credentials. Graphiron can also exfiltrate screenshots and SSH keys.
Summary:
HermeticWiper:APT responsible: Sandworm (Black Energy, UAC-0082)Attacks reported: Massive cyberattacks against Ukrainian organizations on February 23, 2022Disables the Volume Shadow Copy Service (VSS)Abuses legitimate drivers to corrupt data and render recovery impossibleTargets Windows registry files ntuser.dat and Windows event logsTriggers system restart rendering the targeted host inoperableSHA256: 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21daHermeticRansom:APT responsible: Sandworm (Black Energy, UAC-0082)Attacks reported: Cyberattacks against Ukrainian organizations on February 23, 2022Written in Go languageEnumerates available drives and renames selected filesEncrypts file contents using AES algorithmCreates a read_me.html file with a ransom noteSHA256: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382IsaacWiper:APT responsible: Gamaredon (Primitive Bear, Armageddon)Attacks reported: Cyberattacks against Ukrainian government organizations on February 24, 2022Overwrites existing content with random bytesRenames files it can't access and attempts to wipe newly renamed filesCreates a log file with corrupting activity progressSHA256: 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033AcidRain:APT responsible: UnknownAttacks reported: Cyberattacks against Viasat’s KA-SAT network and Enercon wind turbines on February 24, 2022Overwrites files and symbolic links with random data from the memory bufferAvoids certain directories if executed with root permissionsTriggers a device reboot after wipingSHA256: 9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9aLoadEdge (InvisiMole):APT responsible: InvisiMole (UAC-0035)Attacks reported: Email phishing attacks on Ukrainian government organizations on March 18, 2022Supports functionalities such as file execution, upload, download, deletion, and obtaining system informationCommunication with C&C uses HTTP and JSON formatted dataPersistence provided by HTA file creating an entry under the Run registry keyResembles an upgraded version of InvisiMole's TCP downloader componentSHA256: fd72080eca622fa3d9573b43c86a770f7467f3354225118ab2634383bd7b42ebGraphSteel & GrimPlant:APT responsible: UNC2589 Ember Bear, Lorec53, UAC-0056Attacks reported: Email phishing attacks on Ukrainian government organizations on March 11, March 28, and April 26, 2022Both written in Go languageGrimPlant is a simple backdoor allowing for remote execution of PowerShell commandsGraphSteel exfiltrates data and steals credentials using
Summary:
UNC1151 is a group that is believed to be sponsored by Belarus and has frequently used the access and information gained by their intrusions to support information operations tracked as “Ghostwriter.”
UNC2589 is believed to act in support of Russian government interest and has been conducting extensive espionage collection in Ukraine.
UNC2589 uses spear phishing campaigns with various themes, including COVID-19 and the war in Ukraine, and has used a variety of different infrastructure.
Mandiant has attributed the January 14 destructive attack on Ukraine using PAYWIPE (WHISPERGATE) to UNC2589.
GRIMPLANT is a backdoor used by UNC2589 and GRAPHSTEEL is an infostealer.
Mandiant analyzed a malicious document with an evacuation plan-themed lure, which was likely used by UNC2589 to target Ukrainian entities in a phishing campaign in late February 2022.
The malware was delivered via phishing email and the Remote Utilities utility was installed upon execution.
Remote Utilities allows attackers to set persistence through creating a startup service.
Mandiant Intelligence discovered another likely UNC2589-related phishing campaign targeting Ukrainian entities with GRIMPLANT and GRAPHSTEEL malware on March 27, 2022.The malware was delivered via phishing email and was dropped onto the victim machine through a macro in an XLS document.
Summary:
The malware appears to be designed to render targeted devices inoperable rather than to obtain a ransom, unlike typical ransomware attacks.The malware has been identified on dozens of systems in Ukraine, including multiple government, non-profit, and information technology organizations.MSTIC assesses that this activity represents an elevated risk to any organization located or with systems in Ukraine.The malware operates in two stages: Stage 1 overwrites the Master Boot Record (MBR) with a ransom note, and Stage 2 is a file corrupter that overwrites files with a fixed number of 0xCC bytes.Microsoft has implemented detections for this malware family as WhisperGate and is continuing its investigation.MSTIC recommends organizations to investigate the provided indicators of compromise (IOCs), enable multifactor authentication, and enable Controlled Folder Access in Microsoft Defender for Endpoint to prevent MBR/VBR modification.The detections in place across Microsoft security products include DoS:Win32/WhisperGate.A!dha, DoS:Win32/WhisperGate.C!.dha, DoS:Win32/WhisperGate.H!dha, and DoS:Win32/WhisperGate.X!dha.
Summary:
HermeticWiper: Malware that makes a system inoperable by corrupting its data. It disables the Volume Shadow Copy Service, wipes the MBR, MFT, and NTUSER files, and overwrites various folders with random bytes generated by CryptGenRandom.HermeticWizard: Worm that spreads HermeticWiper across a local network via WMI and SMB. It is a DLL file that exports functions DllInstall, DllRegisterServer, and DllUnregisterServer. It gathers IP addresses on a network, and when it finds a reachable machine, drops HermeticWiper and executes it.HermeticRansom: Ransomware written in Go that encrypts files and displays a ransom message to the victim.Threat actors TTPs:Initial access: Unknown for both HermeticWiper and IsaacWiper, although it is suspected that the attackers may have used tools such as Impacket to move laterally. HermeticWiper was deployed in at least one instance through the default domain policy (GPO), suggesting the attackers had prior access to the victim's Active Directory server.Lateral movement: HermeticWizard worm was used to spread HermeticWiper across the compromised networks via SMB and WMI.Persistence: HermeticWiper and HermeticWizard are signed by a code-signing certificate assigned to Hermetica Digital Ltd issued on April 13th, 2021, which was not stolen, but instead likely obtained by attackers impersonating the Cypriot company to get this certificate from DigiCert.Malware delivery: HermeticWiper and HermeticWizard were deployed through various methods, including GPO and the use of Impacket tools. HermeticRansom was deployed through GPO in at least one instance.Attribution: ESET researchers have not yet found any tangible connection with a known threat actor. The malware families do not share any significant code similarity with other samples in the ESET malware collection.
Summary:
The threat group UAC-0056 is targeting government organizations and companies involved with critical infrastructure in Ukraine and other countries. Their primary goal is to steal sensitive information for situational awareness and leverage in dealing with Ukraine.The initial loader Trojan is used as a simple wrapper for the next few stages.The packer used to pack and obfuscate the initial loader allows cloning .NET assemblies from other binaries and certificates.The decrypted DLL, named SHCore2.dll, is obfuscated.The stager contains anti-analysis functionality, including checks to refuse to execute inside a virtual machine or on bare metal systems.The stager will decrypt and execute a total of four embedded binaries.OutSteel is a file uploader and document stealer developed with the scripting language AutoIT. It searches for files with specific extensions and uploads them to a hardcoded command and control server.The Windows_defender_disable.bat is used to disable Windows Defender functionality.The SaintBot .NET Loader is composed of several stages with varying levels of obfuscation.The SaintBot Payload is capable of downloading further payloads and updating itself on disk.The threat actors use different social engineering themes in their attacks, such as cryptocurrency, COVID, law enforcement, and fake resumes.Email is used as the attack vector, and different infection chains are used to compromise systems.The threat group has overlaps with previous attack campaigns focused on other organizations in Ukraine and Georgia, as well as other nations’ assets local to Ukraine.The attackers used Discord’s content delivery network (CDN) to host the payload.The threat group makes use of several hardcoded command and control (C2) servers, all reaching out to the same endpoint.
Summary:
A new APT group named Lorec53 was identified by NSFOCUS Security Labs and confirmed by the Ukrainian Computer Emergency Response Center (UAC-0056).
Lorec53 is active in Eastern Europe and has been involved in large-scale cyber espionage attacks against Ukraine and Georgia.
The group has strong infiltration ability and flexible attack methods, using phishing attacks and social engineering techniques.
Lorec53 targets key state sectors such as the Ministry of Defense, Ministry of Finance, embassies, state-owned enterprises, and public medical facilities to collect personnel information.
The group has Russian-linked characteristics in attack tools, domain names, and asset location.
Victims of the Lorec53 group include the National Bank of Iran, Georgia’s Ministry of Epidemic Prevention and Health, Ukraine’s Ministry of Defense, Presidential Office, Ministry of the Interior, and Border Service.
A recent long wave of attacks from Lorec53 targeted a wide range of victims using baits such as Ukrainian government documents, shortcut files, and cpl files.
The group used 3 domain names (3237.site, stun.site, and eumr.site) as download servers for phishing files.
Lorec53 employed known Trojan programs including LorecDocStealer (OutSteel), LorecCPL, and SaintBot.
The first phishing attack in this wave used phishing documents referring to a presidential decree and the second attack used PDF and DOCX files with malicious macros.
The third attack used a phishing document in .zip format targeted at the Ukrainian medical system.
The main purpose of these attacks is still information gathering and the TTPs of the Lorec53 group are evident at each stage.
Summary:
Threat Campaign: Spear-phishing emails with malicious attachments used to steal files from victims' machine.Malware: Infostealer "OutSteel" that uploads stolen files to a Command and Control server. Downloader used to load OutSteel is the BabaDeda crypter.Threat Actor: State-sponsored group "Lorec53" (as named by NSFocus), suspected of being employed by high-level espionage organizations to target government employees in Georgia and Ukraine.TTPs:BabaDeda Crypter is an evasive malware that acts as an installer and executes a shellcode stored encrypted in a file (xml or pdf).The first stage of the attack is downloading the BabaDeda crypter from a malicious LNK file or WORD template document.The BabaDeda crypter first loads and runs a malicious DLL, which then loads and executes another malicious DLL in another thread.The first DLL reads and parses the shellcode and writes it in the main binary's text section.The decrypted shellcode extracts the loader shellcode and the payload, then decrypts them and transfers execution to the decrypted loader shellcode.The final payload is OutSteel, which exfiltrates stolen documents to a specified URL.The second malicious library is a mere downloader that downloads the next stage of the attack.BabaDeda CrypterLorecCPL downloadersOutsteel InfostealerTTPs (Tactics, Techniques, and Procedures):Persistence achieved by creating a link file in the start-up directory using the IShellLinkW interfacePayload execution after decryptionSelf-deletion routineFile size checking before executionDownloading and running the next stage in a new processCode overlap with WhisperGate malwareHosting the archive on DiscordUsing CPL files to trick uneducated users into executing the malwareUsing xor decryption to hide the real codePutting arguments on the stack and using them in functionsDownloading the final payload from a URLPacking the final payload with ASProtectExfiltrating documents to a C2 server
2022-02-08 NSFocus - Apt Retrospection: Lorec53, An Active Russian Hack Group Launched Phishing Attacks Against Georgian Government
PDF: https://contagio.deependresearch.org/read/Ember_Bear_2022_APT_Retrospection__Lorec53%2C_An_Active_Russian_Hack_Group_Launched_Phishing_Attacks_Against_Georgian_Government.pdf
Summary:
In July 2021, a phishing campaign was discovered targeting Georgian government officials and using current political issues to create bait for specific victims.
The campaign utilized phishing documents named "828-ში ცვლილება.doc" and "დევნილთა 2021-2022 წლების სტრატეგიის სამოქმედო გეგმა.doc" to lure victims into enabling the editing feature of Office and executing malicious macros.
The malicious macros created a C# Dropper Trojan that downloaded and executed an AutoIt executable doc, a customized Trojan designed to steal various document-typed files from the victim's computer.
The attacker, tentatively named Lorec53, has been linked to a similar phishing campaign against the Ukrainian government in April 2021.
The attacker is believed to be a Russian hacking group that uses known generation tools to build the attack process and has a bias toward espionage operations.
The attacker controls a large amount of attack resources in the Russian network domain and has been found to conduct long-term vulnerability scanning activities.
Summary:
WhisperGate MBR payload: Tampering with the Master Boot Record (MBR) to render the system inoperable. The ransomware note is stored in a buffer that is written over the MBR.Discord downloader and injector: After gaining a foothold, the stage 2 binary downloads and launches a payload via Discord, which then launches a number of events such as adding Windows Defender exclusion, stopping Windows Defender, and deleting the Windows Defender directory.File corruptor: The file corruptor payload is loaded in memory via process hollowing and targets any local hard drives, attached USB drives, or mounted network shares. The file corruptor scans directories for files matching specific extensions, overwrites the start of each file with 1MB of static data, renames each file with a randomized extension, and deletes itself.
Summary:
The DEV-0586 APT group targeted Ukrainian organizations with WhisperGate wiper malware.WhisperGate is a two-stage wiper malware that masquerades as ransomware. The initial access stage is unknown, but it is suspected to be a supply chain attack.In its first stage, WhisperGate overwrites the Master Boot Record (MBR) with a fake ransom note, making the infected system unable to boot up.In its second stage, WhisperGate corrupts files with certain extensions by overwriting them and renaming them with a random four-byte extension.DEV-0586 uses the following TTPs in their WhisperGate campaign:Execution: The first stage uses Windows Command Shell and the second stage uses PowerShell to connect to its Command and Control server.Defense Evasion & Persistence: WhisperGate modifies the MBR to evade defense and deliver its payload in Base64 encoding.Discovery: The second stage searches for specific file extensions in certain directories.Command and Control: The second stage downloads file corruptor payload from a Discord channel hosted by the APT group.Impact: WhisperGate overwrites the MBR and files, affecting their integrity.
Summary:
The Elephant malware is a threat group associated with pro-Russian cyber attacks, primarily focused on cyber espionage with a focus on key state sectors in Ukraine. The group, also known as UAC-0056, Lorec53, UNC2589, EmberBear, LorecBear, BleedingBear, SaintBear, and TA471, has been active since at least March 2021. The malware is part of the Elephant Framework, a collection of tools written in the Go language and deployed in recent phishing attacks on .gov.ua targets.The Elephant Framework uses the spear-phishing tactic for initial compromise, with emails originating from spoofed Ukrainian email addresses and using social engineering techniques. The launcher component, written in Go language or Python, downloads the malware payload and establishes persistence. The downloader component, Java-sdk.exe, also written in Go, is responsible for downloading the Elephant Framework, which includes two components: GrimPlant, a backdoor that allows remote execution of PowerShell commands, and GraphSteel, a stealer used for data exfiltration of credentials, certificates, passwords, and other sensitive information.GraphSteel exfiltrates information using WebSockets and the GraphQL query language, with all communication encrypted using the AES cipher. The malware runs a heartbeat routine every 20 seconds and an exfiltration routine every 20 minutes, exfiltrating files from designated folders and harvests credentials from various sources.In one reported phishing campaign, the malware deployed a parallel deployment of Cobalt Strike Beacon, which downloads another executable from Discord. The C&C server used by the Elephant Framework is different from the one used by the Cobalt Strike Beacon.
2021-04-06 Malwarebytes - A deep dive into Saint Bot, a new downloader
PDF: http://contagio.deependresearch.org/read/Nodaria_2022_A_deep_dive_into_Saint_Bot%2C_a_new_downloader.pdf
Summary:
The malware was a PowerShell script disguised as a link to a Bitcoin wallet, which led to the download of a lesser-known malware called Saint Bot. Saint Bot is a downloader that can be used to distribute various types of malware and is being actively developed.In March 2021, Malwarebytes analysts discovered a phishing email that contained a zip file with unfamiliar malware.
The malware is distributed through phishing emails with a zip attachment that lures victims with the promise of accessing a Bitcoin wallet.
The malware employs a variety of techniques, including obfuscation and anti-analysis techniques, process injection, and command and control infrastructure and communication.
The initial malware is a .NET downloader that carries another .NET binary in its resources.The second .NET binary is responsible for downloading and deploying two executables, one that disables Windows Defender and another that is the main payload. The main payload is heavily obfuscated and sets up persistence by installing itself in the startup directory and creating a new
The content sent to/from the C2 is obfuscated using an algorithm that is different from the one used to obfuscate internal strings.
2021-11 NSFocus - 2021 Analysis Report on Lorec53 Group
PDF: https://s3.amazonaws.com/contagio.deependresearch.org/read/EmberBear+_2021_-Lorec53-Group+(1).pdf
Summary:
A new APT group called Lorec53 has been identified by NSFOCUS Security Labs, targeting Eastern European countries like Ukraine and Georgia with espionage attacks against government workers.
Lorec53 uses a variety of social engineering techniques, such as phishing attacks, watering hole sites, and lnk script execution, along with temporary domain names like .site, .space, .xyz, and others.
The group has acted like a mercenary hacker group by using the attack methods and network facilities of other hacker groups to launch unique downloaders and spy Trojan programs.
Lorec53's attack payloads include Trojan horse programs like LorecCPL and LorecDocStealer, which have not been seen in other spying activities.
The group prefers to use attack resources from Russia, such as servers owned by Russian service providers and registrants and Trojan horse programs from Russian hacker forums or black markets.
The group's phishing attacks involve fake documents with malicious macros that download and run the LorecDocStealer Trojan, and fake download pages disguised as Adobe Acrobat DC readers, among others.
Lorec53 has also used fake websites, including a fake website for the President of Ukraine, to lure people in and send them malware.
The group is suspected to have been behind a phishing campaign that targeted Iran's Android app, using watering hole sites and an Android Trojan called Pardakht to steal SMS messages from Iranian cell phone users.
MD5 | SHA1 | SHA256 |
---|---|---|
28f18fc7d9a0ab530742c2314cbd5c32 | 81670ac52bd2356148406e1a6dae97581cb24f99 | 14736be09a7652d206cd6ab35375116ec4fad499bb1b47567e4fd56dcfcd22ea |
8409920ef2d78549fc214718c4719d3a | 37cb1ee7842cf73cb9c1eb98a12aad7b6a78b705 | e68c83ce6359691ce63c957ebfdbf959c5b199c83fd2480aebe4220fec9f3304 |
c73d42d7546fe049f63115635c092288 | da568ee6037959967ea4d5a879c66222d9dff06a | 73e1f2762ffe8e674f08d83c1308362bd96ccd4f64c307ee0a568bc66faf45bb |
23cf0517359c014a8d25085eceb2cb25 | 23cf0517359c014a8d25085eceb2cb25 | f3f43f3f4d55c0382f9045fd8093eef66074ca7d97dad066746ace47cc47319a |
36ff9ec87c458d6d76b2afbd5120dfae | 9a3161c8570f1ca410038bed6e2aa297aebaf548 | 8ffe7f2eeb0cbfbe158b77bbff3e0055d2ef7138f481b4fac8ade6bfb9b2b0a1 |
06124da5b4d6ef31dbfd7a6094fc52a6 | 265a613ac405e6c3557e36a19f0ead2d18638cb0 | 9e9fa8b3b0a59762b429853a36674608df1fa7d7f7140c8fccd7c1946070995a |
b8b7a10dcc0dad157191620b5d4e5312 | ff37d700d76cb6ed7d123f33362f5017136d1c08 | b5b989f8eab271b63d8ab96d00d5fb5c41ab622e6cfde46ea62189765326af5a |
6b413beb61e46241481f556bb5cdb69c | 189f1879fcac60030dd3a751daae46a7444245ff | c83d8b36402639ea3f1ad5d48edc1a22005923aee1c1826afabe27cb3989baa3 |
4a5de4784a6005aa8a19fb0889f1947a | a20b0724746a742bf1ea14e6c9571fa6aa29e022 | 99a2b79a4231806d4979aa017ff7e8b804d32bfe9dcc0958d403dfe06bdd0532 |
aafe14a65c2198e6f70174c620760645 | d0f1518db54f280dde5008404a2750641e76ceb2 | c8e3869f431937f4db3bbb34b0bb4afa3d7e6982d43e81ee840382eeb5525ab2 |
563ccff9d1021076a12176ae49404d32 | f9d5b4cd52b42858917a4e1a1a60763c039f8930 | a318fbaddaa11df5edde620b4c45ff31316dcfadf085d0f862004c857be568d7 |
da305627acf63792acb02afaf83d94d1 | b4100aad572f619632ec28042a76c52ba2350acc | c1afb561cd5363ac5826ce7a72f0055b400b86bd7524da43474c94bc480d7eff |
3bfb04e40b548d58ea3a9c8c82aae205 | ba9cea9ae60f473d7990c4fb6247c11c080788d3 | c73a1f1ff53e50e07cd654b2296139747c2c0394ce507de88b2d7a1248b8ac25 |
7052d63610b063c859af7f128a0c05cd | 7d44391b76368b8331c4f468f8ddbaf6ee5a6793 | 6e3917257f9239ff1c0ec0c17a7d9b6b01dead526c56218a11b0676174440112 |
1c09d7e1f5d2a7ee08a630bb22ade850 | 3a0a4e711c95e35c91a196266aeaf1dc0674739d | 449a8f555ab4ec871612374f638076ad4a7d8d6d628beaaf6799fa7723f9e40a |
28267ea322e3975f1e98c64a1c77f509 | e1d92e085df142d703ed9fd9c65ed92562a759fa | 18f24841651461bd84a5eac08be9bce9eab54b133b0e837d5298dac44e199d5f |
c3c04682c9b03439f022af6052c7c1a8 | 0d94bac4c4df1fe3ad9fd5d6171c7460b30d8203 | ef6f02c41b4bad58fc1930d0ed00a5db1e122b89bc2782ba4dbdc785bc07dba0 |
cb5e37a1c74b3cd1e4008fd3ee4ef613 | 66117493eed35fbd3824e35971b0919190cd1de7 | 92767e39f24f845c9a12fb44035eda7f801560f8285d7435e82d6c57c059cd83 |
26e326ba69f5258c4979902b5bd4f24e | d6e4d803b1062b4f55c1cef61e5a517dd98cd4b7 | 9dec13e1b0ed9337fcbe233d5f83eff09c64a14c7f2400b9b915a685b29612ea |
aa5e8268e741346c76ebfd1f27941a14 | a6772c80f51d3805d5704f02a80e08501b133fac | 2f92d416f73472db1ebe880b3bec677bcb1d96d6ad62974da00b4be5f6d61f5b |
d0a11d7904cf6c67b0b947c58aeeeb3c | 3bbe45cdcc2731c0bb4751d1098eccc50f98ef66 | 44a002ea931156d09ebfcb395ac60b7a804a8a7f94d4fb5b2fa8aa7268e1bc28 |
d8beed484e8e7e171aeaa6753ac8d8b8 | ac672a07c62d48c0a7f98554038913770efaef11 | 424ca2f8aec060f5a7268f543b71e7038d90bec60914f5380cebdbfcfd1f041d |
5f6aacd3106f727d45c295fd0f25054d | 0d584d72fe321332df0b0a17720191ad96737f47 | 14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196 |
49ac3e120ee12d904145dfaefd041c0c | 75afd05e721553211ce2b6d6760b3e6426378469 | 01b620642cc6ed6b75d0d1ee307f117fbd45ce5f1bd67d95bd80daa104e80e2f |
2e0f1315c52e8b017fb6110398b28e60 | d9b4676229dbe5192d9ec22b017b6ffa2f76f9bd | ba1066f7a47b3662b1589579c9b7100a6f275a1cd82de75b166f31e9ee913562 |
15c525b74b7251cfa1f7c471975f3f95 | 51267f49e508965de494441aacd8a0c8b43e7b54 | 39b3c82b1e7e5626e380a53df4ccb52f3002749447cfab362b8ec217189a0fd5 |
beaed555048e1074fc13cdf8431abd49 | ec148ab5332da96df92e87e9b5a8e66bb517a1de | 0d0a675516f1ff9247f74df31e90f06b0fea160953e5e3bada5d1c8304cfbe63 |
ec18353f05c0ec9c014d4eb57f35dd40 | 00e59476d9e250b342131d96bb67fea917c6152c | eee1d29a425231d981efbc25b6d87fdb9ca9c0e4e3eb393472d5967f7649a1e6 |
ef81f74875718d370876289088c93150 | 1e749ae20fe5d6ce46dbee6d4a27e8f6dec38d9d | 878450da2e44f5c89ce1af91479b9a9491fe45211fee312354dfe69e967622db |
aa6f5570b814e336cc91e57f1dbbf22c | 3d022052c70ecc34dfbfac318b05ca7e6ba4a244 | 80e6a9079deffd6837363709f230f6ab3b2fe80af5ad30e46f6470a0c73e75a7 |
89eb4a35ea3122f01f47abe5e8b4982a | 5a85b4e69a7169897fadca712eab31c805689509 | f0fd55b743a2e8f995820884e6e684f1150e7a6369712afe9edb57ffd09ad4c1 |
8b245119a08313ede84ecda10d2b83c7 | 32ce463f1125a5de26aa07377e0a7d5a86bda8b3 | 4787c415dd0114e4b709e684b3ed686aed3d0c11549427ee23083c7ba53ef0e0 |
628f41776ae3b2e8343eeb9cdcd019f2 | d77421caae67f4955529f91f229b31317dff0a95 | 8e77118d819681fdc49ce3362d8bfd8f51f8469353396be7113c5a8978a171f6 |
eee2f9fab737eef8884e0b9432055edc | ed4f5914178324405ec4b12b693313fae6ac47ee | 47a734e624dac47b9043606c8833001dde8f341d71f77129da2eade4e02b3878 |
b3370eb3c5ef6c536195b3bea0120929 | b2d863fc444b99c479859ad7f012b840f896172e | 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 |
4c2e3c21a4b4eeec05dc364b854c57d6 | 1c10158495a90ad1dfa1092cb80e387bd82f38df | 5cda471f91413a31d3bc0e05176c4eb9180dfcac3695b83edd6a5d4b544fe3f1 |
be2d21ce56597f0ba2610852f6b9a122 | 1175dc063ab6f17f28300f0c624e59c35283a04f | 8bb427b4f80fe1ede3e3ed452d9f0a4ce202b77cda4ad2d54968ab43578e9fa9 |
cdcbd3dd6a5be09f409c47995a4de934 | 769dc031f90c296e14c7e2c38823743933e75956 | b89a71c9dbc9492ecb9debb38987ab25a9f1d9c41c6fbc33e67cac055c2664bc |
09a833a75039f9b3e923683b32344415 | ac44f6b7caa9bb14483623a9bf5f738d13808120 | 35180c81ebcefbc32c2442c683cab6fd299af797a0493d38589d5c5d1d6b5313 |
c6e7af8d31a951b8c05565ab18c4f258 | 8da49c2dbaf1abd4b2ba81669b201e2ab5b95926 | 024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1 |
dd9439b5cb3b1fc91181092f9da5aa69 | f2b8ab6f531621ab355912de64385410c39c1909 | db03917ca3cb91cdebcb681fa2733c1a2a9679e5201beeba21aee911de05973e |
5d735d8c7243f61a30f5e91539f76df9 | 26474ba449682e82ca38fef32836dcb23ee24012 | f00b523635707cf97be5877c9dea1abec7abf8d0e6bcce529cc96826344511a0 |
410ff2fc20418aceee5fcbc7ab56076b | 931a86f402fee99ae1358bb0b76d055b2d04518f | 0f13f5f9a53a78fc4f528e352cd94929ae802873374ffb9ac6a16652bd9ea4c5 |
48e26159d9aa517ba2a1f1010c8e7c00 | dbc9c8a492ae270bb7ed845680b81b94483ab585 | 7e1355e51eb9c38e006368de1ae80b268ffab6918237696474f50802e3d8a9c8 |
c717265dc91b1980921320c8d6257b53 | dd2444ddba96fa070559828934c025b4c2fae86a | 07ed980373c344fd37d7bdf294636dff796523721c883d48bb518b2e98774f2c |
6af7a85274f02d1bc61f2d90674cb131 | 15791db60928df6d7a86d80b80b88609c15aaa20 | 2b15ade9de6fb993149f27c802bb5bc95ad3fc1ca5f2e86622a044cf3541a70d |
5077eff8ea0ad83e30860ec93c18fc2a | 693607b23dec9d41a373a41aed2e8c32e17098d1 | 891f526fea4d9490a8899ce895ce86af102a09a50b40507645fee0cf2ab5bef5 |
900e892c8151f0f59a93af1206583ce6 | aea15a7ce95761a556199f5a774be293a82c17c2 | 96f815abb422bb75117e867384306a3f1b3625e48b81c44ebf032953deb2b3ff |
f7f23e5f3ff42eef595bb4b804c68eea | 968126ecd4e526e9b6e1a16e9d001efcfde8fad1 | 157b05db61aaf171823c7897a2f931d96a62083a3ad6014cb41c6b42694a0c2f |
0e16df6845cde1260087902f25842f79 | 5698c8836bf2d5b542a7534b9a49c29beba3af43 | a356be890d2f48789b46cd1d393a838be10bdea79f12a10b1adf1d78178343c5 |
b2a5d1107613834cd380b492afcdd930 | 9394c4528bfb504d6a4aee256dbbbd1cf177b821 | 882597c251905f9be31352ba034835764124c9a9e25ef1ba0150e5998c621f07 |
ae9b71972359f44c60ff636a761efd69 | 82e3bf5efbad08d27428aacd27018bec8b040f34 | 2c879f5d97f126820f1fbf575df7e681c90f027062b6bcb3451bb09607c922da |
6296f167c93a0ca4dd75af9c23c94232 | 9a97b0957ddc18e4c445099f533d2400f5dd2788 | 52173598ca2f4a023ec193261b0f65f57d9be3cb448cd6e2fcc0c8f3f15eaaf7 |
122975532c1e1af554d4d39511e7eb3e | 8290ba1e792c291ea039fdb459c652e2c7fea5ad | 63d7b35ca907673634ea66e73d6a38486b0b043f3d511ec2d2209597c7898ae8 |
5ab92ca35e41b9a7aa07cc7efc60bbd1 | 468a2d057a805ca971047b6fbd5ec359a67bc20a | 461eeadbe118b5ad64a62f2991a8bd66bdcd3dd1808cd7070871e7cc02effad7 |
a8bb31dcf791e09e656618ab726cdc2d | 9533ffa146e213e64e70c236344cf84484caa993 | c9761f30956f5ba1ac9abc8b000eae8686158d05238d9e156f42dd5c17520296 |
081a6edd07e2de8c8161380bcd60547c | 3d0011d42e69b962f97b2d35f25012c4e5da55fe | b7c6b82a8074737fb35adccddf63abeca71573fe759bd6937cd36af5658af864 |
1f7fc4fd6c7d2735dfc446f62ada2e09 | d2694a3201e45a5d4239b36483e0c6b05b4fff1d | d99f998207c38fe3ab98b0840707227af4d96c1980a5c2f8f9ac7062fab0596d |
096eef1eb2bb266e37f1eeca0db21bd5 | 5727ee8b41c309e0935748a2fd9633d0f972013a | 354868cd615a0377e0028bcaee422c29f6b6088b83a0b37a32e00cce5dba43f9 |
333796e18eb3f3d1529d07ec90c63e61 | 051f30587f7ab8101602b40748f7f21fac21658a | 0be1801a6c5ca473e2563b6b77e76167d88828e1347db4215b7a83e161dae67f |
847b071fa537e21507e78c80b5aa7d59 | 9455119a6522727905dd14ee3b29e87f55e88a26 | a60f4a353ea89adc8def453c8a1e65ea2ecc46c64d0d9ea375ca4e85e1c428fd |
efcff826fa14c23c9abcd53e0a148383 | f79f22761707f666178f8855fcfb95a46065dd21 | f6ae1d54de68b48ba8bd5262233edaec6669c18f05f986764cf9873ce3247166 |
51e5c14cd5a2be650ab6e932b86d29f2 | a65f8e57c960bf32fef0ab2d611dbb1871b024a2 | 4fcfe7718ea860ab5c6d19b27811f81683576e7bb60da3db85b4658230414b70 |
44697aad796c0d82c1adbee15fd1266b | 0349463deb6e3803c425fa7725f7dedaccc6e6aa | 9803e65afa5b8eef0b6f7ced42ebd15f979889b791b8eadfc98e7f102853451a |
99b983e5885f7418a950b822b5d5acc5 | ab94ce54005fc530851bf5443117441e91555b24 | 92af444e0e9e4e49deda3b7e5724aaecbb7baf888b6399ec15032df31978f4cf |
f7b0f59bff65176713c678693f1bf1f2 | 417858f4722442a311f4ef2d5126c8a8cae760cb | a16e466bed46fcf9c0a771ca0e41bc42a1ac13e66717354e4824f61d1695dbb1 |
5107d2108da21e3572db8087060a53c0 | c0e9735b42f00ea0c45a5eb3c1b858a407fb3fcb | 64057982a5874a9ccdb1b53fc15dd40f298eda2eb38324ac676329f5c81b64e0 |
fa23f43fa759f0f38cde2b703d98ba05 | 0412055469c67c4cfc63b3c412833d064ec06270 | fbe13003a4e39a5dea3648ee906ea7b86ed121fd3136f15678cf1597d216c58a |
b56975725c4e260370af540f9c0b6709 | 77741870383a8d347c407ffda23e26d1b440500e | f69125eafdd54e1aae10707e0d95b0526e80b3b224f2b64f5f6d65485ca9e886 |
6bbe141ee44548490fbc55127e59fd37 | 63d1b7fcb7d00a1b8326c896e30dc2b44c54ca1e | 2ec710d38a0919f9f472b220cfe8d554a30d24bfa4bdd90b96105cee842cf40d |
c26566e3ac35986456f68bbd9e29db73 | 1dde1d09bd13d54baf2022974e83ddbc623880b2 | 1092d367692045995fab78ba1b9b236d5b99d817dd09cba69fd3834e45bd3ddf |
7de66b5c7d3ddae321fa6cfeeaa94819 | 2c399c6b34a3ff2e09b29ed98d941d9550ad423b | 276ac9b9fe682d76382ec6e5bc3d1d045ce937438f92949c23453468eb62a143 |
2ce1c17b5a46a7fc42f98c67edf2e409 | f0f8095dce21916470f0aea2b9d0b8486038fe54 | 275388ffad3a1046087068a296a6060ed372d5d4ef6cf174f55c3b4ec7e8a0e8 |
dbdb7908b3c16fac52a8e279b43ac83c | 02e623c353ca99c8572c9bf44a4d288f5d41ad98 | 677500881c64f4789025f46f3d0e853c00f2f41216eb2f2aaa1a6c59884b04cc |
549334edbfacd98b6c5c3154949d5b12 | a17eef04cf987d16ab2f7c23f97885e6e428f500 | 33a4655fd61e471d8956bc7681ee56a9926da91df3583b79e80cb26a14e45548 |
12840e2c8a5f378153d9eaea226c592b | a6cfa25e5a9eb7fca97b19b2f5b8003ed7c7aaae | dfe11b83da7c4dc02ff7675d086ff7ddd97fec71c62cc96f1a391f574bec6b4f |
df45ee66dd410b491e3e01c8880f6966 | e4fec41a80337c87acc8f67864047aba34690bb4 | 434d39bfbcee378ed62a02aa40acc6507aa00b2a3cb0bf356c0b23cc9eebcd77 |
664104684583dcca00c6aa94b2d5e8ca | 9b41eac0a97ab72885cd15e4d6beb93cfc55ae6d | f0d99b7056dac946af19b50e27855b89f00550d3d8dc420a28731814a039d052 |
5897322f62070e894488b4115463939d | 217490d9df6b3eb30caec933c6f3a04ae3a3a82f | 101d9f3a9e4a8d0c8d80bcd40082e10ab71a7d45a04ab443ef8761dfad246ca5 |
0a3d8fae9ffbe6b9e8cfdeb4c485cf88 | e89ae58166546908d3e4ecf1b0eba601c17c1882 | 5d8c5bb9858fb51271d344eac586cff3f440c074254f165c23dd87b985b2110b |
19b6965b648160b89e7057ab02898162 | 1d3b1bfecbbc17d521e4da93104a426bd690b392 | 5d9c7192cae28f4b6cc0463efe8f4361e449f87c2ad5e74a6192a0ad96525417 |
7516e343441c2f0e782dd42f5fa85d8b | 54a8dd58216e1afa4b718e51fa86b435bd08f621 | 90ce65b0b91df898de16aa652d7603566748ac32857972f7d568925821764e17 |
803f772489ff905eccdc4684def6adde | fbb3e24f9d517714c312fc88d7e60ab05860dff6 | 10d21d4bf93e78a059a32b0210bd7891e349aabe88d0184d162c104b1e8bee2e |
5e8c9f85256e83d6042bbbac2905d1f3 | e4d3b29b69ce6d80bb8d1c6309d1c7ebb12f9942 | 0db336cab2ca69d630d6b7676e5eab86252673b1197b34cf4e3351807229f12a |
5f6aacd3106f727d45c295fd0f25054d | 0d584d72fe321332df0b0a17720191ad96737f47 | 14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196 |
db6ea5fcda79fc4253f423fce607dddc | 9cd4c35204e7753ec5ae5836a0398e960e964241 | e39a12f34bb8a7a5a03fd23f351846088692e1248a3952e488102d3aea577644 |
66de28a0d0769f9b7f1397ebd10d2ab4 | be7ca341419631d12032ac64269d9c36e445f9b5 | 68313c90ca8eb0d5fc5e63e2b0f7a5f4d1fe15f825fe8ca0b4b3e922a253caa7 |
dc202f657b67b99186b20cd15ae85184 | 6c38f8ad13512c535a1350e50378d0e5c36f9867 | 5227adda2d80fb9b66110eeb26d57e69bbbb7bd681aecc3b1e882dc15e06be17 |
afc8158cd8f52a526dc77bd2236e0987 | d90ccb4cc0c19a71d90eb768d1c9957478971d74 | 84e651b2d55a75ec59b861b11a8f8f7cb155ed81604081c95dd11b8aec5b31b1 |
be339b83946635d6aa3b1dc3e42c1b02 | 9786ed20fce197edbab2f1bc4c61d153b353bb78 | 8c8ef518239308216d06b4bf9b2771dbb70759cb1c9e6327a1cd045444f2b69a |
09a4937fa4256020c5b1a5efee53452a | 8dca575d32a4c362e81eabe4d778e9ac6acedf01 | 5dabf2e0fcc2366d512eda2a37d73f4d6c381aa5cb8e35e9ce7f53dae1065e4a |
aa3e4c243b101ed6c92b38fe8670a724 | b85ef90888d2169252af104e809726e92aa518ef | 172f12c692611e928e4ea42b883b90147888b54a8fb858fc97140b82eef409f3 |
d7510192dd826e6c63266ba412c4a8c6 | e51431ab4448d503db3d154d1da7bec25eb5aaac | ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28 |
65792e4d02f910d20dcf74487cb9fab1 | 942337f3ea28f553b47dc05726bb062befe09fef | 9fbeb629ea0dc72ac8db680855984d51b28c1195e48abff2e68b0228f49d5b0f |
a92bd5072f0e3e683be1b27117df76d7 | a80db2f724e6d10c4b704f8e221c0946f5a12ad8 | 2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca |
059c5bbec45da7e50d92a54160622d36 | a97230965dea34f32ac9db418aece125ceb63426 | b83c41763b5e861e15614d3d6ab8573c7948bf176143ee4142516e9b8bcb4423 |
cb408fab657233d0ed6aff130def8984 | 598f9c6d330d6a3ab2428d66655694b0f1bb9856 | f4a56c86e2903d509ede20609182fbe001b3a3ca05f8c23c597189935d4f71b8 |
75d6f57cfba0ebc3633a49a8412a43e5 | dd7a31b07f1dfdcdbb72f59c3535636b41d0eaad | 2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b |
29e47258c517f5f33349caacef044645 | 42cfb37c1f47de8f1ef6f4dbd047c1a06922adc0 | c6c47d3d7e56213f0d0ced379c64e166ed5a86308ea96856163a4e0155b1fc6e |
ede3bf69a09cec27ded2d20c95ca78e3 | 8d3a1b800d73d5315998b3b5f966b084fdb4b806 | 320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2 |
a718ba0edee0b2108aad0ce0fd7fdd0f | 711b27ab368a13ccda3c279a8645a77c8e9fbf4e | 9917c962b7e0a36592c4740d193adbd31bc1eae748d2b441e77817d648487cff |
e9da5c53a8d86b9616c4163423699dbd | f5af420de5ae4835a292d262a398342f73a53ef5 | 0c644fedcb4298b705d24f2dee45dda0ae5dd6322d1607e342bcf1d42b59436c |
2a211218afa6a34db27c1ac6f6ba3390 | 92fa9d3de5d976391e2dc3ca6fcf053ae072b654 | b02c420e6f8a977cd254cd69281a7e8ce8026bda3fc594e1fc550c3b5e41565d |
b69de5d4550ed214bcc8ad2f839735d8 | f7806011d03923ffe4f4eb92891289efdeb003e8 | ec8868287e3f0f851ff7a2b0e7352055b591a2b2cb1c2a76c53885dee66562dc |
abc87856247dea1e4d01e2c3b352ab77 | fa48ec02991837bd7ce2248a130da934ec6555ad | db8975fd6c04a7d3790eb73ab8e95b6dbf6c9d65ad5c6a6d3c862d0284f87c34 |
3b6f68801cade1cd388138500fd8e986 | 9bc818e0e6ef9aaafb02065800a97d8bd98ee76d | a61725f3b57fd45487688ad06f152d0db139a6cb29f3515ea90ffe15cb7e9a7a |
ed1deddf6287d2435e1c4c02daf0278d | 7b67ed1f42e5cf388a0a981566598e716d9b4f99 | d4d4aa7d621379645d28f3a16b3ba41b971216869f5448ea5c1fc2e78cfecb26 |
103118660a0abadc99831e23777979b5 | f69be5dcf16ef31a9aa66dce34f35fd84972f3e7 | afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a |
eb0309e8c3246307635d24d035322895 | 9bdea3ab3b6ea567997de2d9ad37d5dbe5cd863e | 975f9ce0769a079e99f06870122e9c4d394dfd51a6020818feeef9ccdb8b0614 |
593ac1acb0452748340d6a5ccdb18f12 | 2d2af604a8e4f0df9b36c047c8f9e9b0759327e9 | 82d2779e90cbc9078aa70d7dc6957ff0d6d06c127701c820971c9c572ba3058e |
79c66ae4a99e15d855785cbf98762e21 | ccf3715644dc622e8f3815e2feda5fa62e7d5ad1 | f2bdde99f9f6db249f4f0cb1fb8208198ac5bf55976a94f6a1cebfb0d6c30551 |
92ce4437539947884d25ac80756a624f | 1a4ef45b728cd415a92eac24b91140bd1cf466db | 61f5e96ec124fef0c11d8152ee7c6441da0ea954534ace3f5f5ec631dd4f1196 |
fe6663b00d94a8106c07b4a951522266 | 24492ca47b178e1990c4e5bd684547bb62bfad7a | 4c8a433ed99cc4b6994b2e1df59eb171f326373ba100a3653eb37e8a8ee2e6f2 |
304d1ac0296fedec694a097480b341d9 | fb60d4ab152acf71847dbbd36c75b8032c5da303 | b2f5edef0e599005e205443b20f6ffd9804681b260eec52fa2f7533622f46a6c |
e852e90f778f616f09900b4f1b05c03c | 91b6442fa2c070f07437a887fbb42805bf59b8cb | dfc24fa837b6cd3210e7ea0802db3dcf7bb1f85bff2c1b4bda4c3c599821bf8c |
6181cb68aa34a470503452087a63bc1b | 2b12581fbfcf812b39d00854e71c9ff641d2f79a | 005d2d373e7ba5ee42010870b9f9bf829213a42b2dd3c4f3f4405c8b904641f2 |
ab2a92e0fc5a6f63336e442f34089f16 | 24f71409bde9d01e3519236e66f3452236302e46 | e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c |
259f06fcdb971f606d239b3178110981 | e2180bf4b9783d42d396826fc25ff8f9394cd430 | f58c41d83c0f1c1e8c1c3bd99ab6deabb14a763b54a3c5f1e821210c0536c3ff |
b8cd8b40bda5bec1e8d5b765b5a90db4 | 41057c8497d0845fd54771d0e23ca234af9b3b2c | df3b1ad5445d628c24c1308aa6cb476bd9a06f0095a2b285927964339866b2c3 |
2371d432700a7e1f9c070a6e97fdb634 | 00d6c66ab2fd1810628d13980cc73275884933b1 | fa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e |
247951ff7b519fa8d39ef07d33e0ba5b | cf4587b6015d2a00c26a369339504595a266401f | ec3c0afccfef11f753a408c859d98bbba4841e87f7f1a48573270c0d82252b03 |
fa4d702a335aab44355c84863395617a | a2a308cec43c9bea9260243970aa914fb8751707 | bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc |
ec0883bd8594cc34092a5e9a70a1b249 | 4ba9c7d411006de1bf589eac2fa179d1d7120468 | c222122fe3e1206ba2363c17fb37ae2f8e271840e17b3bb9ba5359f2793f9574 |
2e0cee9eb10dd9dbe060f5a25cebfa80 | b7d4ade87108f36ff04b07c7adba6a2be6005412 | 27868ae50b849506121c36b00d92afe3115ce2f041cc28476db8dfc0cc1d6908 |
f6ce89bf34e3ff6509a32347c400ca8d | c4da78729b0e12c30c55036b1df7093ccd0ef719 | 8ab3879ed4b1601feb0de11637c9c4d1baeb5266f399d822f565299e5c1cd0c4 |
6bd9390577ee23f236d81f7d20d47fea | 34a08fbfe099b70fa547b240d0b1ddd41c4959a5 | 3075a467e89643d1f37e9413a2b38328fbec4dd1717ae57128fdf1da2fe39819 |
d34f6a8493b14371e552f9f317aac50f | 884917375758a77f708c96648477012a70579c02 | 0222f6bdfd21c41650bcb056f618ee9e4724e722b3abcd8731b92a99167c6f8d |
01033729316e2886515a15dc93ea85c4 | 8d7e3b9e1f5cedeb6050f4808ec057fe6603c3eb | cd93f6df63187e3ac31ea56339f9b859b0f4fbe3e73e1c07192cef4c9a6f8b08 |
572fdac6723a4031febc449795f51df5 | fdf8662e68a5dfc900cec85fa509ac392471e856 | 9cf4b83688dd5035623182d6a895c61e1e71ea02dc3e474111810f6641df1d69 |
a7913461e211158d5ac34ac3bd06bc7b | 71c3f7a9eac34b0b5ccd5ec2df01f9c95f14235b | 5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13 |
e0ca9d7fdf345af474332533ee50dfb6 | 303f5df8841a33886413435a61809d338a66639b | cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1 |
23f5b5fcd6f181088af23614bf6e015f | edba6f00b0b697b59ce958c01f8c62bfac51b021 | 9ec80626504ca869f5e731aef720e446936333aaf6ab32bae03c0de3c2299f34 |
7327a3dd34b3a6c218d00ef9cfa2ef1b | 2b12fae645fce9c944e6035f6e69bdc67103f28d | a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb |
d9300ff1b9e6c7ef3f1c6cac4c30bb72 | 833a8f095aa555f3fa3e873adadc0879a4bcfc5a | 71e9cc55f159f2cec96de4f15b3c94c2b076f97d5d8cecb60b8857e7a8113a35 |
e3ffe9b1db336ca7f34e0f26215d4ee4 | 3ec434df80529311342401ac7a7acd066e19c90f | 700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901 |
e65e7ca60642f80fe2a95823247f8726 | fc0700076fd443edb24777e4ee7eed802411fd70 | e0c46e23bd1b5b96123e0c64914484bbfae7a7ad13cbd45184035d4c0f8a10a2 |
893b17ed65ecffa8376063349f22d2bc | 50c556277899d6b9da5ec125c0a58650a14a08a7 | ebbf30e06de3a25f76cf43c72c521d14a27053e4d9be566b41f50c41bea3a7a9 |
2124d2e449117ecbc66c3e67e3ed289c | 5455fb1f943ec04431c69857806de4a7a0625eb3 | 707971879e65cbd70fd371ae76767d3a7bff028b56204ca64f27e93609c8c473 |
45abce50a00d40dff21edb7264824758 | 0861d2abbcf16bf6394dc7aadd341b348a3c8c4d | 3f7b0d15f4cbe63e57fb06b57575bf6dd9eb777c737b0886250166768169fc6c |
d4fa9c88bd43d2b9bcb66c3e7292b52a | 5cf627b7cc836506958a5e04e902f8530cdb58b6 | b8ce958f56087c6cd55fa2131a1cd3256063e7c73adf36af313054b0f17b7b43 |
13ea6a80588a9eeea6b919a4f104a7de | 7e79e0459e7aa0fa54bd5a2e5e79b6c0587f2334 | 1e6596320a3fa48d8c13609a66e639b35fb1e9caae378552956aa9659809162b |
e4855693722de3856421b1b6920ba54d | 9c50313f3b6d84a2b063d0acca64417bfe283d6d | 0e1e2f87699a24d1d7b0d984c3622971028a0cafaf665c791c70215f76c7c8fe |
d377c71f7df1c515705eb6b0cc745f7d | a2ac278ec99ec0bcab10b55427753327da1cc3a4 | 89da9a4a5c26b7818e5660b33941b45c8838fa7cfa15685adfe83ff84463799a |
091cd6e1b1addd88794b7ea0dd09750d | 97f4863b80f584d5505e799661976f588624b383 | 9ef2d114c329c169e7b62f89a02d3f7395cb487fcd6cff4e7cac1eb198407ba6 |
e640bdb76d7b30cb9ca9250d5b6631e3 | 0540792efa9eb7ecdcfce3340dc0be1204c1e8c8 | b1af67bcfaa99c369960580f86e7c1a42fc473dd85a0a4d3b1c989a6bc138a42 |
44f05f473b7d568be2abd9d498fc10ef | e9768aac3c51d92a377d7b91e6863c38ea762680 | b72188ba545ad865eb34954afbbdf2c9e8ebc465a87c5122cebb711f41005939 |
7910a78498cb7953b1c0db2ef4f8db27 | 8f61608330261c1d5214f5d19f98b4d64f51ac12 | 9528a97d8d73b0dbed2ac496991f0a2eecc5a857d22e994d227ae7c3bef7296f |
1bf3028a0b65a4174a66f3677e872026 | 1e33b01f84a96b93cdded1d23fdb1b7f6f58a077 | 619393d5caf08cf12e3e447e71b139a064978216122e40f769ac8838a7edfca4 |
78e941e780adc1a159fdc7090194c96d | 9cd8a786572a7ee8713492302555fe4ce3432911 | 7ee8cfde9e4c718af6783ddd8341d63c4919851ba6418b599b2f3c2ac8d70a32 |
3640ff45519f1acc1505348010626b6d | d5b85fddbf7c893e50560da787d7bc0dcef658e9 | 4ee84419fb9267081480954f1be176095a45fe299078dfa95f980e513b46a020 |
d3d15e62d61981e85ae81ad54bd23b40 | 053d987ff528964bf18ffc1898acd678b8917dd7 | 6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79 |
b9d5a18d4cb2ad3afddacc3a3a25b146 | a6c5f29fe14fb234fc0801c348876f215c30e0ff | 494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365 |
bafdcdfdac4e0d5a835c1048af2a3815 | 8ed85a4739ab5945ee21e05947eb204ef04bcc02 | fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3 |
67b8f4bb9c81aca61abf8d49640a85b9 | fbf00a827bf1a44340a1e4bb1698285b27dab56c | 7b3d377ca2f6f9ea48265a80355fe6dc622a9b4b43855a9ddec7eb5e4666a1d4 |
dfff334622bccba782126e953bcf1fae | cac977827bc96e7ee2a9291f315f0da4e4eedb70 | 9ee1a587acaddb45481aebd5778a6c293fe94f70fe89b4961098eb7ba32624a8 |
48e26159d9aa517ba2a1f1010c8e7c00 | dbc9c8a492ae270bb7ed845680b81b94483ab585 | 7e1355e51eb9c38e006368de1ae80b268ffab6918237696474f50802e3d8a9c8 |
c5baf146ada97b638b337d94eaeabe22 | aa3e65e4881e937b51286c3ae0649df5dd7eda6d | d6e2a79bc87d48819fabe332dd3539f572605bb6091d34ae7d25ae0934b606b5 |
ae37c9bfa13df2a6353039fe6e7a54e7 | c99c15bd925d9364b5101f490bdcb05e3227b2cf | b6e34665dd0d045c2c79bf3148f34da0b877514a6b083b7c8c7e2577362463b3 |
66c3ae9bddbbbcc2cc979d23792f15ac | 822c3ee867e390135c260590da2c7bca5dd3112e | b0b0cb50456a989114468733428ca9ef8096b18bce256634811ddf81f2119274 |
167ac4792548676f7e9b648a5c4b5546 | 90ef8db9cea3d981535659c4fa6b1476744b3834 | 4d59a7739f15c17f144587762447d5abb81c01f16224a3f7ce5897d1b6f7ee77 |
eb332fd9cc8be8e6a60d4ff9c5f5fcf7 | e18df098c2fcb6a3961c310fdde58106e07ef9c0 | 4715a5009de403edd2dd480cf5c78531ee937381f2e69e0fb265b2e9f81f15c4 |
c073d9f6c0af5eff0a7150debe1d63db | d838a5b99044f8be1030a179ad3f8322ea4fb010 | ec62c984941954f0eb4f3e8baee455410a9dc0deb222360d376e28981c53b1a0 |
2699077a996951eac7b369b6356ff296 | 8c6acecf8009665e0670ce634ce8f0d2907481c1 | 7419f0798c70888e7197f69ed1091620b2c6fbefead086b5faf23badf0474044 |
e3ed0d3b6f801d8ffe8dc18b262c14c5 | a3c499d65a090b2df7fb519a9a366f4cb3d39f79 | 506c90747976c4cc3296a4a8b85f388ab97b6c1cfae11096f95977641b8f8b6f |
ee6021e6682455f1bb8bead3d761530d | 9bfe2745dd3123d6c0e3057717e394b6ca601588 | 0fc7154ebd80ea5d81d82e3a4920cb2699a8dd7c31100ca8ec0693a7bd4af8b7 |
f1639890944c37c25e1a4bdea35a6012 | 228684d884a11f1434620ce8e9af9226ab636658 | 6a698edb366f25f156e4b481639903d816c5f5525668f65e2c097ef682afc269 |
a7eb8d7b83e5fd622c1e205c911a110a | c685312922a40d841e583f9399f66d35d6ccfb46 | 187e0a02620b7775c2a8f88d5b27e80b5d419ad156afc50ef217a95547d0feaa |
a31cb445d3131bf567720c43f2a74484 | 29e763a59424f9bb147df11a7b2ebfe9373a451f | 56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256 |
9ae3d8ba1311af690523aeb2e69bb469 | 1357dbf294817122b1e193762fb3d66a5d73e651 | c33a905e513005cee9071ed10933b8e6a11be2335755660e3f7b2adf554f704a |
89aafef2f334d6349d3d850e7f68f10f | 97b4b5f19be70177dc5f867ed580478c9dc7e2b6 | b0b4550ba09080e02c8a15cec8b5aeaa9fbb193cec1d92c793bdede78a70cec6 |
363e2b62f93c58c177e58dbe0a247fa0 | e8abab85ccbaf646305aa5a786c0894d59bdcfd1 | 75f728fa692347e096386acd19a5da9b02dca372b66918be7171c522d9c6b42d |
959553930a01d5518588340aa55a2de2 | 32e80ffc4948828009b192076fa85922528a5740 | 1a1fe7b6455153152037668d47c7c42a068b334b91949739ed93256d5e3fbd89 |
124f0b9dadbef030a4cba26393ce25df | 15479f31109fd0a367ad681fb3ee63c6fb0ade0a | 3d7a05e7ba9b3dd84017acab9aab59b459db6c50e9224ec1827cbf0a2aee47db |
946a1974ec330a30aadb514efe8c394d | 7af3c242e9dd444a7498de118911b0f5ad49a969 | 2762cbc81056348f2816de01e93d43398ba65354252c97928a56031e32ec776f |
efec7686f695867bd45a4d2ccaf964d5 | 04af410cffd8f4b7ef0270ccae11ce6e01cc4633 | cce564eb25a80549d746c180832d0b3d45dcd4419d9454470bfd7517868d0e10 |
ee3895f50bbc6316a746c239afc47e71 | 4aaf0acb7891fe06868ea442f55e5913961117d7 | 39e8455d21447e32141dc064eb7504c6925f823bf6d9c8ce004d44cb8facc80b |
fd0ed9f5ffa9c912ba8d677687776448 | b7abe535dccf587c80cbcd2d4cc0c30e330b3a54 | 750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c |
cf584e69d6832fb7f92af0633e6e5222 | fb652a73f6d6de07d22e13de5a19e9fc6f9814b5 | f24ee966ef2dd31204b900b5c7eb7e367bc18ff92a13422d800c25dbb1de1e99 |
c96cfe462657240c155d4b1842292a4c | e94483c338213c667720a44d89c12a3f50547c71 | ff07325f5454c46e883fefc7106829f75c27e3aaf312eb3ab50525faba51c23c |
83cd7984cee0a4fde468216521d9d3fc | e8fa43110dd36085d79199788d2ea5c57236136e | 37be3d8810959e63d5b6535164e51f16ccea9ca11d7dab7c1dfaa335affe6e3d |
28267ea322e3975f1e98c64a1c77f509 | e1d92e085df142d703ed9fd9c65ed92562a759fa | 18f24841651461bd84a5eac08be9bce9eab54b133b0e837d5298dac44e199d5f |
eb8385915f68d5fbbf7c0c05e480a999 | a72734fcddbad58308d91274ad444a5b1d970c21 | 7d7d9a9df8b8ffd0a0c652a3d41b9a5352efb19424e42942aaf26196c9698019 |
22840909e11530390e8f74c6a162ded1 | 78d82f0ff396393e958553f25a47145916ea4e39 | 9a72e56ac0f1badd3ca761b53e9998a7e0525f2055dbec01d867f62bdb30418e |
577df0d0d1ebfde0c67cf6489d9a1974 | a57a31db630fd55666cfd3ccdacf78cec8fabc43 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e |
22cb7775c867ac98f7c4b1266e3534b4 | 55b6a0512a9da7f7e854cb5155708e3f7fc34d7a | 7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871 |
1e2e2b8f1c81c01bac895e113f7a4846 | 3bcf40b51363e2e69aacea81f700bd246fa99882 | c532d19652ea6d4e0ebb509766de1ec594dd80152f92f7ef6b80ad29d2aa8cf4 |
9e2b456c62b027c89b36dc9109e50f01 | 617fddb80de29bc455c0ecfd4b64d194fe911541 | e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909 |
61a3d983a1fde813204b8f6f13842163 | 336a3a59b782b49c2253bd0afeefdb43b24f70b6 | 7963f8606e4c0e7502a813969a04e1266e7cd20708bef19c338e8933c1b85eda |
f5de326683df44d71ed1b986fd836e0b | 33bc899da6afd2b82b27d59acd0844b521e57079 | 17c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f |
268c62a4b45d08a0639ead11b2feebd8 | c1d9237230acc994067fdc1d6502b6a84afd1b9a | cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293 |
2d9702caab94b9c7788443c13b1b1ce1 | 08cef1c0cc4942221a5304ad0a680324a2f0f39a | 0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c |
12ed130045b2e731bc66c9261c88efaa | df697bee43eb208144496ad3ab56a02c92d3b69a | B258a747202b1ea80421f8c841c57438ffb0670299f067dfeb2c53ab50ff6ded |
65792e4d02f910d20dcf74487cb9fab1 | 942337f3ea28f553b47dc05726bb062befe09fef | 9fbeb629ea0dc72ac8db680855984d51b28c1195e48abff2e68b0228f49d5b0f |
08982381ef296038ae7ad8d083ef8ca8 | 8cf1d9dbd5d41dd9481249a1d5b1d930afa083d3 | d0aad99f10bdd6f6af2f7a0f6c319ed7d126de4d1ff44ca86858e7ffc17cc39b |
df32b34cc480934ca2ac0895863dd030 | e0256ff9efa8fca3813924d7ac556ddc44dc08b1 | 5fd4e486bd7e12454f67ba8fcdaa9afc88b4d1c29705b0cffc9d32000700d314 |
a89521c26b2c660d41101ca0a6100cd3 | 75c8cf7b14ea7bb8557efd80170a1df1c89d9797 | 6f3994ad6b418b55ba2a3cd4f4d8cff35284a5790ea3dd38f1abf8699410430a |
65501683cfe1e0af1ff7463de684a2fe | fa7887bc9d48fcfc6fd0e774092ca711ae28993a | 61da1819361c095f802ce2151092df02531eeeb713e7db07100a9a80874d902a |
079766094541035de5f115a9bbb4f583 | 8423b25054aa78535c49042295558f33d34deae1 | 6434913278186cb5b12ca38580a4e94b2ce2af83a836f7e50ab9c5ea8e265a59 |
d8434e637305cfc941744807698c846a | 0de3fce5c10b9122335866f5c1a817ed8a6d4269 | a98e108588e31f40cdaeab1c04d0a394eb35a2e151f95fbf8a913cba6a7faa63 |
d2efb0b8b82576016416aacbde6c3873 | 19cac454edb76d7e879598d8c7e8e032f9d006d2 | a4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969 |
f690fa242d8200f27e71e11d469b584d | f14f8a0ee542b6db79c52266450c5fe0412a0d62 | 2d88db4098a72cd9cb58a760e6a019f6e1587b7b03d4f074c979e776ce110403 |
4d01975268c215fc26ed79ebd17ec22d | 64c6752af3632f6f49fd6db091182e753e5d9f80 | 992df82cf31a91acd034411bb43a1ec127fa15d613b108287384882807f81764 |
cd8915c63f3134425aa7c851f5f1e645 | 3ba578e4396145b18747c914fed9d6c8f027fe2c | 0f9f31bbc69c8174b492cf177c2fbaf627fcdb5ac4473ca5589aa2be75cee735 |
ccc3750d9270d1e8c95649d91f94033b | 058f0190a58646ab1a6295eed496732e1e3f7cbf | 29decd1e88b297aa67fef6e14e39889cfd2454c581b9371a1003b63a28324d0f |
af9a60ea728985f492119ebf713e0716 | 4fecd1895b6f7ff41b8b0dee700b5f194743b36a | 9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a |
5d5c99a08a7d927346ca2dafa7973fc1 | 189166d382c73c242ba45889d57980548d4ba37e | a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 |
14c8482f302b5e81e3fa1b18a509289d | 16525cb2fd86dce842107eb1ba6174b23f188537 | dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
e61518ae9454a563b8f842286bbdb87b | 82d29b52e35e7938e7ee610c04ea9daaf5e08e90 | 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d |
3907c7fbd4148395284d8e6e3c1dba5d | a67205dc84ec29eb71bb259b19c1a1783865c0fc | 34CA75A8C190F20B8A7596AFEB255F2228CB2467BD210B2637965B61AC7EA907 |
e61518ae9454a563b8f842286bbdb87b | 82d29b52e35e7938e7ee610c04ea9daaf5e08e90 | 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d |
ee47d6ae8414f6c6ca28a3b76bf75e44 | a983bd69a71322d64199e67f2abcfe5ef0e1bca7 | 9cdaacaba35c3a473ec5b652d035a9593ee822609e79662223869e2b7298dc0a |
ba45247858c0739865a52996768b7485 | aff0b6eab23bbf4e5cb94fd4292c6d961dee060e | 00bc665d96ecadc6beb2a9384773a70391f08f8e7a2876253f32ceec793eb728 |
6f93fd91f17130aabd5251e7bae3eeaa | 2af6e61d203191b4b8df982f37048937a1f9696c | ff3b45ecfbbdb780b48b4c829d2b6078d8f7673d823bedbd6321699770fa3f84 |
14c8482f302b5e81e3fa1b18a509289d | 16525cb2fd86dce842107eb1ba6174b23f188537 | dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
56af47c87029b9fba5fe7c81e99cedca | ea65565404ffde218ebccaeaca00ac1a2937dc57 | 35ab54a9502e975c996cbaee3d6a690da753b4af28808d3be2054f8a58e5c7c5 |
5d5c99a08a7d927346ca2dafa7973fc1 | 189166d382c73c242ba45889d57980548d4ba37e | a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 |
db600240aecf9c6d75c733de57f252bf | 8756712e2c73ee3f92ded3852e41a486be3de6e2 | bbe1949ffd9188f5ad316c6f07ef4ec18ba00e375c0e6c2a6d348a2a0ab1e423 |
No comments:
Post a Comment