Wednesday, March 31, 2021

Cheating the cheater: How adversaries are using backdoored video game cheat engines and modding tools


By Nick Lister and Holger Unterbrink, with contributions from Vanja Svajcer.

News summary

  • Cisco Talos recently discovered a new campaign targeting video game players and other PC modders.
  • Talos detected a new cryptor used in several different malware campaigns hidden in seemingly legitimate files that users would usually download to install cheat codes into video games or other visual and game modifications (aka "mods").
  • The cryptor uses Visual Basic 6 along with shellcode and process injection techniques.
  • We have a full analysis of the VB6 header of one of the samples used in these campaigns and provide a detailed walkthrough for security analysts.

What's new?

The cryptor in this campaign uses several obfuscation techniques that makes it difficult to dissect, and could pose a challenge for security analysts not familiar with Visual Basic 6. Our analysis provides insight into the adversaries' tactics and how the crypter works in detail. These types of attacks are a return to form for classic virus campaigns — video game players are no strangers to trying to avoid malicious downloads while trying to change the game they're playing.

How did it work?

Video game players may opt to download certain cheats or modifications (aka "mods") to change the way some games are presented. The adversaries use these gaming and OS modding tools to attach hidden malware to infect their victims. We have seen several small tools looking like game patches, tweaks or modding tools, but backdoored with malware obfuscated with this cryptor.

So what?

Defenders need to be constantly vigilant and monitor the behavior of systems within their network. As workers continue to operate remotely during the COVID-19 pandemic and mix work with their private computer usage, enterprises are even more likely to be attacked by compromised personal PC equipment belonging to their employees. Employees will sometimes download modding tools or cheat engines from questionable sources to tweak their PC or games running on the same machine they use for their job. This is a serious threat to enterprise networks.


Overview

Many of these campaigns start with advertisements or "How To" videos on YouTube or other video game modding-related social media channels. The screenshot below shows an example of one.



Unfortunately, these tools are providing a bit more than the promised tweaks or cheats, most of them are backdoored with RATs. The one above installs XtremeRAT, a longstanding information stealer, for example.

Technical details


The campaign described above used the Viotto Binder tool from Breaking Security to join two files which got dropped to %AppData%/Local/Temp. One is called "Servidor.exe" ("5ff836d3f691c9e478bb86f7a0b216082062c747e6e3faa85df246ef5a5bfb32"), a sample packed with the VB6 cryptor which acts as a loader for XtremeRAT. We will describe this in more detail below. The Servador.exe file is copied to C:\Windows\SysWOW64\Windows\taskhost.exe. The other file dropped is a sample named "GameLoader.exe" ("e2b6de1933bbfbbab5e7b6c05e4529d4cef7473574281ac161a49e87d149b135") which is a small .NET program with a GUI you can see in the image above.

VB6 cryptor/loader analysis


We are using the sample 4533e1cd680b6be739fa6c12cbfc1b0bb96994a4f6355f26f2 for our deep dive into the VB6 cryptor. This is a sample packed with the aforementioned cryptor, but with a simple payload.

When we looked at it, the file was not listed in VirusTotal. And when we ran it against common antivirus software, we saw results similar to what's shown in the sandbox image below. It looked malicious at worst and suspicious at best. Either way, it was difficult to classify. Today, you can find it on VT, but it still has a lot of generic and false classifications, most based on behaviour and machine learning indicators.



For anyone looking to dive deeper, there's no great options. The common PE tools show it is a VisualBasic 6-based executable. It only imports the msvbvm60.dll and several VB6 functions. Next, we'll load it into VBdecompiler. This software decompiles VB6 code and includes options to merge the decompiled VB6 code into the assembler view. This is quite helpful when debugging VB6 samples.



It looks like it has a FormLoad event in Form1, which is usually code that gets executed first. Unfortunately, VBdecompiler does not provide any clues which class is initialized at address 0x4DD830 or which method is called, exactly. We either need to perform the complex static analysis, which you can find in the "Static analysis of the VB6 header" section, or we just break at that address in our debugger and check out the destination of the call.


The code jumps to the address 0x52457D, and looking around in VBdecompiler, shows it is the "A™…" method in the clsComplexDataConsumer class, which is executed first.


The clsComplexDataConsumer class exists in all samples we looked at and it always looks similar to the figures above and below. The most obfuscated name is usually the start method ("A™…"). The rest are helper procedures.



The start method first reads its own PE file data from disk:


Then, we have a couple of data manipulation operations and the data is handed over to sub_4DD892.

00526A14 | E8 796EFBFF | call sub_4DD892





This is the first time we see a kind of decoded PE header, but it is invalid. This is likely built out of the previously mentioned operations, but we haven't looked deeper into this.

Another interesting call in the 'A™...' method is:

loc_00527050: var_8484 = Proc_2_0_4DDA61(var_1C)



This is a large method with more than 60,000 lines in the decompiled view.


This method is also obfuscated with the Chr$(n) function and several string concatenations, which we have already seen in the start method. With deobfuscated strings, it looks like this:
After rebuilding encrypted data strings, it decodes them via the Proc_2_1_523F36 procedure:

This is done several times. Then, it executes the decoded shellcode via:

loc_00521B91: var_12160 = CallWindowProcA(var_1215C)



The code at 0x8169A0 is then jumping (calling) into the shellcode at offset 0x8169F4 as shown below. Due to the skipped bytes in between, the debuggers disassembler fails decoding it before the jump (call) is taken.





All the "normal" calls are executing typical shellcode that resolves API function addresses — the interesting stuff happens at the 'call eax' ones.



At 'call eax,' the shell code calls the typical process injection functions as shown below. You can go to the last one or break on ResumeThread and dump the new process (payload).



The following is a list of API calls by the Shellcode 'call eax' instructions:

  • eax=<kernel32.VirtualAlloc>
  • eax=<kernel32.VirtualAlloc>
  • eax=<kernel32.VirtualAlloc>
  • eax=<kernel32.VirtualAlloc>
  • eax=<kernel32.VirtualAlloc>
  • eax=<kernel32.VirtualAlloc>
  • eax=<ntdll.RtlMoveMemory>
  • eax=<ntdll.RtlMoveMemory>
  • eax=<kernel32.CreateProcessW>
  • eax=<ntdll.NtUnmapViewOfSection>
  • eax=<kernel32.VirtualAllocEx>
  • eax=<kernel32.WriteProcessMemory>
  • eax=<ntdll.RtlMoveMemory>
  • eax=<ntdll.RtlMoveMemory>
  • eax=<kernel32.WriteProcessMemory>
  • eax=<ntdll.RtlMoveMemory>
  • eax=<kernel32.WriteProcessMemory>
  • eax=<ntdll.RtlMoveMemory>
  • eax=<kernel32.WriteProcessMemory>
  • eax=<kernel32.GetThreadContext>
  • eax=<kernel32.WriteProcessMemory>
  • eax=<kernel32.SetThreadContext>
  • eax=<kernel32.ResumeThread>


This means the quick and dirty unpacking method for this packer is to break on CallWindowProcA until it points to non-library code, then break on ResumeThread and dump the suspended process. The dumped PE from this sample did not need to be fixed — it was a valid PE when loaded into RAM by the packer. This unpacking method does not require any changes after dumping the unpacked sample.

Static analysis of the VB6 header


The quick dynamic analysis is fine, but debugging the file showed a lot of threads started early at runtime, and the sandbox report showed several artifacts that might be decoys. There are also several suspicious strings like 'C:\windows\system32\wmp.oca', which we haven't seen in the quick analysis above. An .OCA file is a binary file that functions as an extended type library file and a cache for the custom control file (.OCX). It looks like the Form is using the Windows Mediaplayer control, but VBdecompiler didn't show it in form view. The static analysis later on confirmed it is part of the Form1 form of the sample. The latter also likely explains why it starts so many threads at runtime.


There are still several questions left unanswered, so next, we'll dig into the VB6 startup routines. We haven't seen any TLS tricks or anything similar up to now, which means we can start with the VB6 header.

VB_decompiler.org describes the VB6 initialization process as:

"... If the aSubMain field is present, the ProcCallEngine function will launch the function located at the address specified in that field; that is the main function in the project, and its value is not equal to 0 if there is a module with a "Main"function in the .exe file. If there is no such function, then the first form will load, and control will be passed either to the Form_Initialize function (if it exists) or to the Form_Load function (if the former doesn't exist)..."

In our case, aSubMain is NULL.

So, we'll look at the event handler for Form1 and see where it points to. To see the VB6 header information, you need to load the vb.idc script from Reginald Wong and Bernard Sapaden after auto analysis into IDA.

Form_Initialize points to NULL, so the address in Form_Load is the address pointing to the code which will be executed by the VB6 virtual machine at object initialization time. Looking at the decompiler output, we can see that 0x4DD7B4 is the expected Form_Load routine.

Unfortunately, VBDecompiler can't decompile the first line (0x4DD830) correctly and we don't know what it exactly calls here. IDA Shows us that the code initializes a new Object at 0x4DD80D.


We can see Pub_Obj_Inf4_wRefCount is pointing to the clsComplexDataConsumer class object info.

Its Optional Object Information header is pointing to 0x52457D. This is the method with the obfuscated name starting with "A™…" shown below.



The static analysis has shown that the "A™…" method is the start of the cryptor code.

The event handlers of the other controls (Picture1, Command1, WindowsMediaPlayer1) are similar to the one for the Picture1 control shown below. They are not executing any routines other than the default ones, so it seems they were just decoys. The different samples packed with this crypter have different controls. Therefore, it is also possible they are just there to make the sample look like a valid VB application and make sure the samples have a high enough diversity to trick antivirus softwares' detection algorithms.



Conclusion


The attackers in this case used video game-modding tools to trick users into executing malware droppers. This goes to show how dangerous it is to install random software from questionable sources. With the work from home trend not likely to end any time soon, there's a highly increased use of private PC equipment to connect into company networks — this is a serious threat to enterprise networks. It is important that companies ensure their workers are only downloading software from trusted sources. Due to the huge amount of documentation of obfuscation techniques, plus easy and cheap access to cryptors, the common threats we see today are more sophisticated than they've been in the past. This threat used a complex VisualBasic-based cryptor to hide its final payload. The dropper injected code into a new process to hide its final payload against simple anti-malware tools. The majority of malware is constantly improving its infection techniques. The adversaries combine clever techniques to make detection harder. It's more important now than ever to have a multi-layered security architecture in place to detect these kinds of attacks. It isn't unlikely that the adversaries will manage to bypass one or the other security measures, but it is much harder for them to bypass all of them. These campaigns and the refinement of the TTPs being used will likely continue for the foreseeable future.

Coverage


Additional ways our customers can detect and block threats such as these are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of malware used by threat actors at questionable domains.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and domains, and detects malware.

Email Security can block malicious emails sent by threat actors as part of phishing or other social engineering campaigns.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with questionable domains.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.



IOC


Domains:

Dracula4000.duckdns.org
Draculax.myq-see.com
Macroso.ddns.net
Win08.zapto.org


IPs:

45.163.152.127
51.79.47.48
51.161.76.196
141.255.147.114
177.18.137.16
179.253.227.97
185.185.197.247


Dropped SHA256 verified samples:

0bfb087059a4c04cc55d8b691f3c6297e22f6e94b0354265a06382d9e725ee16
2e50dcebf10fedf43a108fab866b930d2c53318e163098182c511418293a7997
A334b1b057a8c5a6c10a186e59324b2ea856fc0b8d5ac987953633a9641e660b
Afe683c3c02ac87b88e2980dff9440f2db8889f981ae09109dfab3ef2efa9d6e
B91090cd27f4e34ac102ce77f40fb1d2fa38d75e492461b0f074158ac783464f
E2b6de1933bbfbbab5e7b6c05e4529d4cef7473574281ac161a49e87d149b135
2725f56e664c751c536c421196de874f8c66a4347948596112273675a827a0b2

Unverified related samples found by Yara rule (includes FP) 

d62d3ab00318dba0d89190319e791a378f49fa3aa7631c373912fa07bdebae98
a22e1a81c5a91140d081159b6e42428948fc4b2f137421bb03dad3d99628a07e
3285df32cd00eea928830325e491abf9b43818dc8756685d11cf2211d3dfb9e2
c18242d6bef30342aef2c6f1ba7b23e20c1641b6635d80c7ec9d7ba23bd6f3d1
182ef43e333b2506363a3f694104eed06487ee90b4c315d65bfd5accd7daaaeb
c56f601adfb9da9c81abbb8c033ac9caf07283b9986b6533b86970802e5a9666
7d2f9dcbdb1b2c89781535dd96adb367af99550584540d5f352a1c934d2c5de8
e406757e8f67107386c83972d27918a66d03828f67624513e4030642d0bf0d7e
5e3f27128bad548c90e140cedbf153afdcac45a302112545fa3a56aaea714e11
4533e1cd680b6be739fa6c12cbfc1b0bb96994a4f6355f26f26745adb9a7b4ce
405d5122eb0355732fa99f715437f7493937a763b86bd7346c916210a6a6c71a
6853f50efedb1a724e3cc85f0747ee64bd1c05bdfdb1fdbab482afc2b7be5df2
55038208bd28244d323e8cb268e66c47f797de4fae784ac849081edf2c8c1ce5
e777c479fa37bbed039bf956a337b7378bc9aa0d71e0a27dccf710ddd8939a50
3d668c80d1299a53e2d9b552ad1e42fcb975adf1ab6496a7fab161255ec1d7a0
cd71599e8a745baff11b0c8c2e2b3f82f7ec65fb737c781a8d37c8a395576bb9
d2fb87bf72b583d59dd52e876fe6b08dafa2e5731d6d5d8df92128c6cb19805a
3f45f3694979dafc7daaba955b7e1a90a35a4fccb1e112dcd5326866165ae62e
d9f7c053c812e3700bce729a42023988ba612cc4cfc0ce833631b2e85db776ec
e6c45e705a8b59889e71e47b0538dd676fe064d50969078e23740cfa7a2623d0
b732fc7936bbbb056ffae0f7a3c4e814a02382e4e2c4387aa54ca2381c77a7b4
5190e4975e0c2ab4e48b961281baac398b7e57efacd65fa13077219ab6a406f1
40be82b16ed852cc5cc625476d00247458c1f8eb603b30d127cd8da8039b4ad8
870005ba243b2a7c5879164e3fa598301703086ee06e5f098aea1846bf174cb4
ff826fa39b79daa0670b1d238d8285c1ae65bdca271f4586a129d72248333e5b
368024811c9d4166a3b4fb11c5120ca193caae0db6d97fd5219be4357abb8d03
51e8faad145a6c0566d5303af92ea6b3b68e0c5aefb32142baafbee26af8f933
ae159d102f3cb65d509a86e3e20958b66324af3ad802f84be0200c930bf4d039
30d6c8def02dd3045a81012ee64d27b237ab089f5fd6a2fc93d2af799e69930e
bdc3860e31dc11d1a2019e87626874c1cb168c96db68bd6647deb91b72f3ce2a
04a581ffda63bee68daa8d8a2885e4105978f8ccb98e947b6bb7b56183d3599b
03e9d27e7fb2a5e8cbf6f325a30dbdaa68d211afb8ba94e368d26bf1afeab7ad
9ba4fb3f201e4946f93e5614383d29e34fddfba37b9468df6b655ff474008e43
8f3e8fb9c3846d32438855cbea190ef85f0972cf77b6f2cb268381b8d9216fc3
85e803adc61e5558bffee93978288071762b9ad0307ff48e6c89138ab273f130
36373fbd144c8087db31beb0c8d1d6e7d66b356e9bc95c19320ac2460fbc9dd8
1757bd69732d76d8eefa89e7d4d395b08f244dca43196d244d53ccff61708e53
c01035e288856030253cc09d7d73eaae8683f4de0e5dd5d2881c793227d77d73
b06ac83c0d5aec138505e04300a4324e79aead11866999b2f9c52167295d3f3b
85c3634301dea0990d9c4812fe28f0c97122441ed37e3211575ac7b90f039e3e
e4945f7f35d25712087157a1d77a9ace8f4b037b4fec2024a8f85de9b987a798
8e01a3b2a1774d5a73fdfd9b325c1724407421c5ee3903520eadf7747f44a8e8
7585548ecd44e3904ab15f673fc850099770d0581910c9bf114887d75f917a68
973e09623939a06b8e364471057970521dc17e33c13105cb181a858ce30bd124
53d6452c2baaf7273c1fd4a5142f57092dc7a76dc8a0769698e5738a019c34cc
435cce0c101a54e950a7273cefd2e4a11697f732d2677fad8dcce290d97758a7
b675b2a7eb7892e0e1c76657f0b0f3f4f372f234804eb83027fa692dacf2ce61
8e38d8d3510d65bffb8e1ee0a377aa3e19442216ab5aff4b9a2163bdd87bd636
3b3d70dbaea977bef7ec854985bee8163c0a7d2cadd5a0d0c552fa79caee2d88
1d4aa1324012eb2eb09a62ea4f936e1cdef4f59ff0042044c54da8378e918d50
94c86a5b98930d99a5182ced7fe21402f33811c4a541ea8ad1ec7824723f7504
4d48781dae78c93a2ec71a0938f6b295b7a160030d34c2b5f1c88a899b4f911f
45fe1c6d4c46132803eb9f2c4784758ba805dc9f49c963fdbe6799debd7d992f
29dc7a80610a5875c5a8484f3793263aa00218963130afea6399a6219a4038f7
907fd2665b414bf2a91bb09656927b2cb9642e3c017b1fbd88947d2be4b99440
1eed2c95b7ec43ac92876fe4e0745edcb32d7f19c2ebc9560571059c09860ce1
211133604ef9598961070899a6031eb51dd9757ae7d07e9f52eefe809a763abe
db1a430eeb563994801635a7742ad7b2f838f8dca77cb183186a679274ca016e
5848752771c64c7810bc3eba5e0a17846d63aca4f9e16cb701b99e86f1a6930e
a4118b539ab904b261ae801d25b554381b4289898a27309b9200e25ee147ac71
cf4122db5ccd44c847e4091855efa2b6a3cd13a22d97ac0ef66f833a793ae70b
ce8970bb5cae008cabc3a113137df9908d7b7d38dc3524996746aec42e9c9339
fece007679ed50af571e93013890417f14b853ca816c58b3a15e480a5eb350c2
0d7e9522ce1de3b494aad3b8e098a4f7bf87af2834cb99be8ed90df717a1de67
9a73c8437321cb5718d33e84ebf8a92530975bd3829a833c2240e24678577680
d86f28b3a6a49b2e6b7e7597a5b441cf6af7429f6f1fd74568ba0890d4cca0d2
93c384857bbecd9676fba62f07ac1694dd8b3bf4586081ef2047dfaef36beb29
07f6b8525d29fcac499efa840633c8e5a440455bb6af9bb27cf657e959bbb915
2d26b3b4791273321cedc110e4933c1bbc3a3c6a28e02fe38244e1b286fd51a7
06b3bb77245ce7f3c71b7fda49e0ed3d3a76501f9e27f8d211c17289e99b8f60
0b138b61579a11994d2b8f2ce18d176a703b3dcbef2d617e2f6d5e7325f49d29
8f9515284eea5d7d997d54545a8860d978f9d9d2aa2e4369e2953c6ea4a487f8
a70c5726331e54b0329b0aff069d0a80e87861469ed5450f4815e5dfb6090410
23fb98ce0b45d5bfcb55ac71ddf2b3cfec4c1f42faeca37308e95d601d899dcf
d90422586d685e521c791f7260ecbe59892a32aecc9ebed251d961ce83aca160
bc16c4f44d4412369eaa8a293d7221c7619568553dcb330651a5ac8bb4d7442a
bcfc04bb8fc2895011812b3ae5b25617083a1e9f49222e028d536302490688ef
954728991b45f82ce6229e7d79034d09b5fc38e3bef189af70f3b940ac2cdacf
5119e4d55c7de56230f2c71ad14936ee126d6aa99e9c339f84276270bb42e502
16074317440e8e6841d073fd3cc5ba7e7992cfba62c27ada5b678d08a6ce2534
3c2ccf70e10e271e4cc67bb960d14a1bf9ff89d606170aa4cfc09ae3a5cd47c4
fc2c4af817496c90fc1a31b89b9d3eaa036d59c3e47a0b79c249027df6e8d208
cfed8cd9c03af1fc8a845f040f2ea46a2739bf5c5470b7460553b6119535f612
8f1b0e9616c7ccb0df26d0b85b3e4e69c199929f4f27748b69f541c2c7ccea21
ac5ea224dfed1017b0c5e7d8d03867f934808aa166d99b654fc310ff419623c3
799d682f1136c1fed2047032d803ee8efec3e07f1e078f97d3cc2c850f0b9b34
3412eb2c9b57ebfa2b4c571e5fe35016d8b7231f05998e3820ec2fc7d7eca90a
bca7f9066e2f1fca2caa80804c07083aabd6879c5375c69f17e625ecbdc6cd7a
ceb8cef408ccaccfea1fb33da1a1f5859c3ad1df6738f8a428a02cf915aa998c
8134aa3d5bec6796a7ac0610573a10138e4bead7b50021eba329f5e11535e313
f73b0932b5a2b0ce769ef63a047042d2de840b420fdf0676307ed3f45cea1fd4
5203d899b56ac5688b5ee1262632667d43494f4a3dfae413719dedbca356de83
112e3726f2e18165129b3d16b4fd938b2c00a3358e18979f3b23639a09998df2
dc3682b099f9d6f1d6ca2092db1be227a1a3fdfdf8b31f0076fe462b34c24d6e
f258b3b1b3f1bee952a76e2e4ef2f14fe15e75c68132eab307b101a0696a4850
140cb0865508570daa56a4d3079d82304ed3c59241297ad6ba12650b4270b06b
f9f254fcfbc093cf1799efa291313fd39e6760ce5fbe06607df85b0c6bd53ae4
d85ee4b7609ae5e93a36f328c28613066699e194fa71be6fdd68996d2a6fd9e6
01c06ac7380d819a86ab7cbbc41cc1fc4b50cb87e491f40cc592067f14f74227
9204adebc761c0cca881c4b3f5d4059bc4203eed10b44bfbc4c7ce057725dd86
02ea24c34b6de335237c164b212c65efbfb6ea3f8f771b303c28fec371af78d5
5891234b02305216074ad1a792629c90604037a904f6282eec16dc3875fc8bc9
cb268038003d622e93ef2902920606e66061d8288e45b100c4bf143ad86d858e
5cb17598d9f5722235450195ff540b52ea9532f9813976ffde25b9def1fcdc37
fad0ed0cd1f0096c2fffc2885b3b1bcb15e7b2ed2dd92b5875cbf843aec907a8
8e6db626085778267c8aedc138c822fc2206c995050b985b88d6bfdaa7f4ac22
51977da974c77a2b1c968248eff04bf391c69183020c115e5348b7116791884a
39342904ee0137806331ce5ea4526b6d881a5402ceca4fef63781c91fd83171e
1ac297aecd85811ee6117cc60749b3aa32ba23a6c1eebb2decc5dde174fcf6a5
91f38232f1e11b1b43393c42ac822b686ff187fd11291318f63f90a276c1738b
e9ca01a8d7491391889f9e11a44263b7f86a4ad5d87d78d70580a16ef3e77667
90c79efa93a3b5ae03a80e4678b53215bc2fe8c5931f03c46a0d7c060df3293f
a0625d05405299c996ad3a060dcb7319b4fc5ee47f0515f8dab71a6d6ab624c2
5640d2519b9d390b7350944a24bf69ab45ca905f4c3594099ddae3340c19c867
5b3bb026ad01ea693afc1e8c7669fd478258ee335bee9baff31a8edf691b8b4c
7d4d3c943cfd150bdc1a32396e8dcc09b7b9ced7ca8f72df6c48120ba74a1f6d
641438b35830029a0cc6213ec7f4c128c51f9b65069f863c35f517ce569b2ae8
eccd52a6cfd8e1277f0f204b248f032d87821a4901536f5faa9f3fe2550060d8
7faaebce62576dd049b7c8987d9519699df4df1e498e1ec157de6515857e8b1b
62baf9934d6116716eaba7d6d00b4d95048ce816283ba0d3c66e5b4f86154a28
9a7d54c3efef4809036f88d86b67ca1f21c08fdb4769d7e97d7562165b5082e5
845866aedc4a4e17abb04ae875e967161cc5e7dda94b996bcdfec39c9b68737c
bfc90268d234ef38682c77b2d91f2c1b6d8396b0494e2958626e94d21556555c
dc8390499c253eac16c9fe920cf8615e2d0e515d35fb7dca51d8204760f83b1f
91c7198f36977fed15e8585a7c5e0e03079959d461f9cd6cc34627484f67c6d9
193631dba484489a2413087a5b64dbed387b607b74825d07721710fd92ce5910
4808f18d9454149798566d88e2377e3a1cee73149835593051e01d93580c1a13
7b21b428a8f3ab3bff7f65d5f3631e0944c83833f5de871a2c83428ad465b52f
d93093fb0646daa14797dacc6845bb46475a985c5e63f38b4d910be2b0aa615a
caa8d805b7aff78ab01f2a5ff81426e55cf0f9d7ddfcaf0856cbca0a75c971e2
5801e2686141c6d2944ffe798e1c7671fc904655cb047e87d3d9c58eb358cf2e
ebb60f16f22f800241d9f849f12d8f957cc1bc457dfabd13997a1587e9ebb2d5
13854c219978deabd657a242df591b0dedcffa480523bc28a7d0cc1790232ce6
b6b571644dac5294b3253fdf72a0489923d6446c9c6910270f523f689e760ffa
a7a5b4cca19fe4b9b8fdc1a967b36e721ceda04f93c5a01902c2873fd5d6ff83
b9d3da101a7ce14a9689c2c602375d75eb5e6931130ce60a292e0188ac7f53d4
3bad0537b33c955cabbd99abda8f86645d657a2a6dd1c43488c08c95e6a2a454
f5a07994104c28575b7a1c1ad1e938e1d4a3604caca0c9cad85d679e5f42498c
2cafef15e141176c36dc65c054b5627360e6a0120d104addac68bb2b92bef6fc
a8240c3c8a6023301a5580bfa0234c0ab6842088f5bea9248a004147b5d045c2
5d8d98707dafffa5fcad1eb1315a216cf2ded5b43565abb1595cb0442110897c
cf5b7c2f9cc1460be0f9726dba5f43ba9c5347e562d4c2552b1bacd4b44e9ec3
beab49d18e004430d4291c18ceb2779a6fe227a29323f1ad534438aaaf9824a8
b8243e7f88a7d70ec6997663dfe5e6f990934ca243bd263c322e47264b7beae7
fa96ec5366f0ce4c02369861c47d09cce58cc26d10a269821ff8e8c6351f98da
eef0dbc13ebed9e6f411cb9e51d19445f39c7322a763b9eeae079e8d29094832
ee43304e01d31d78b51250f7a7c4833117d0e98ca9f02e7a0fab330b2c898d0a
1b02a69e864f3cee070ecaf1e2b21d24220235cc5c7c868ff398980e5b62d5bc
32725acaafa1fde8506bd98da3f600929f61bfe09dfc39870a451f803beb7d4b
ad7db33177fa587eaf9703db0f0dac2581c6130557f46842fd3b168d14c64fc8
2e0805bffc03503832a3708ef83c7342910d43b837003af4d4ec94d54a1fa48b
00438ac12bfe890592558b8ec7d0286e4c85236e92dd967a76b623a099455189
c58c16c3b5a65caad7b9f8851e25d0889b8833c77901a073388931d48d3dde2c
9a7ace6bd52d51d9d97a06bc2516049462e83db49a69ad385f94064f29ade1fd
ab5ab7385fb553fa36c63c9021f38e836461f751c0f8ced0aa103733a463942d
9ec1e50137deeb16ab3937d07f725acda409658bd4e3bf7f06e3e65c71efe4c9
dbc9ef77bbc310283e22fe7140a55dde1e8d2975c6e7527ed8b5b6167caff0ac
248c3b210be52526a6f4f9333e0333bd962c00afc51ea26e5aa14d9d0fd400c6
c2f31eb16ac9c1570157ae82571aae2a29024ef64351ef83c6528be3dc7365d2
12bc39e341d8a34d49daa07980d7eeeff485247a66c0ce5d02ca67530fe4409a
43d706e961b91e1b02446e94100dce40a9b4019c6b43cde5281033ea3e4024bc
1542b160836efce062826ff0a622e020d55e081018e5654e3b41a2b0267d2758
83408d34305732c1478095b093d7ba0a2ec8d64d322796b708e5aad4351b848c
7bde4d2fda0570850a1c86e97dada058d06ee055f91873a06b8606b89b4bfca4
506f1a4d802eda86bbfbc554cc3ba0f61af089618267bf03604a52de10719a31
ad6ab3181e7657c051069dfddeffa4d6384d3178186857b1e29b76e5023432b2
3537461530d40bf6aa827cbd6d641a926d64fd096773983d6d2ea4261a269f42
5ff836d3f691c9e478bb86f7a0b216082062c747e6e3faa85df246ef5a5bfb32
8b1b3d601dd51462aee25807b944859baeeba1e497b77b708770ffde1dee17fd
24d230d088719b7164218d1dbc746d85c10d0d37da1c9ba30c5997bc1655d96d
d11f17415a4d2dc4cc0910425abbf2b2440ad7d9a0720ff5af3b9f864684fb08
ed97006d4bdae028446ddf585a99be3978b659f78eec0b9aaa095b7269203aa4
5468653e26a349792abfe4c3c11384270d214e92831d0f9ed76576b264c35c0c
2914da027c0f19da9f9b9053086849c286b9e5f4ff96b34828638fb1e1822210
fb161df933953af1df30a3af9479d832230dc403386e85f4883e00ec0c62d411
2fe763e17a58fa84e3cb8186e5aea55d66ca12c1e3fb23480489238fbd204b45
723976603791f147e4502e7d5edcdb5f16ecee8f17319a7e12e9671b7323f936
00a8b7db92fb0f8f1c453459c8b44154ad057777cd220c90c95f3b9e92699b18
aebe26001f908a6e9e8c9986bc382077d63e2b38918967806aff35c1417874ad
403a339f3c5396896f82e8931064454ffc278d2efb459137238a52f1d493024b
ed3a4dad2e90725735d3c4cb92fd1d5f93af51740ae20acc7e62a5741e6d37f9
857b20d13e146c601eefa14079d6acceaa7a5d7769a5182dd5facbe53277615b
36973bb91c912d2dc7ffcd55266a550a6c6d796e15ce19edfea9a459f803a639
68db87c9b848bb9584ef73dad70d7541d21a68ec4a273d1f4a166d325ca56f81
d5618ae98ac37a85673a75d5fe4d04a1877721bb5a66e845707cdc09f039e14a
851d5c82b006d053cdb23b9e27a206f9c42fa81a9f09269d1f42a5996776ed1a
2ce1a3fa1edb49e9d8c6ca1fe2b70cb4b235d972d7fd06c30282f2ba554bcbed
abf02bb5015f67cc031b0c7fb3fcd9edeef289fe4e5cab3739ae9cff22957dc5
dce87e823eff3c7484d9c6720d6042842552f07af5a54d6b35b5718e24d5970b
db0296ab46537cd6c65f56e9a5233d14fa0ad5ef8507b17c3aee96237aee34f8
74c590c364e4510e60713508d976b06589d638a4fe9e5d1338e6c2f4bf0a7c1a
67290959a99562f141fae5cf643ad907980e44283bd1bd006015552cf0b2c955
75c2f3a092108a731849444da732a037d596f71f758fba914715f2b16d8bc8bf
109a98bfd9bbccf644db8625d1a717877c5cea4b0b847949bd34d0da257bf305
3b886446aa1e95835bd6a8f8cf8006bd22bbb47dc066107bcba290eba6e6ac22
73bb192fc98def5ab6ac6fa9c73074df84fc5ea0a729f7ebc1438f34f22c45b7
0a0794ccbb07effeb3583673325d927fa29fc1796c51945a944c8dc0d51e0382
a502fd0ddd29b251630234db5a5f2ef1c785469048b6b2e11d81dfff219b972b
a80ce60bc7050508a2b5c0526070014e81c62662e8297eb794ed65c396630f72
979176bfa7402a559a6205a4eb8f2ea9c2c2e075d545263d2aaa9254ca3f6d57
836d0c95fadc13619ab8dacb382cf25e91523b9f99a197f94523f041cbd276bb
6bdf798c4c40cc351a305cdfabf42371a6fe4cbf350d28cf48ae3fe7b978e996
4e6be07ff566f21cddcdddba0ffb40e490305a14ff43abcec85c51f3b31a3a0e
7c6a455a5e2d19db6ea61a683352a7886f25fade82629ca7471c58ead98cff84
ab4cefcbc9a88f8c0bb54a0b9fafcb2a140910b93e3d3ebc0f401b47703d52e5
cb6119d1e74d20390d01f8faf708e709790fa278e12cfeb8c06cc425b9a9c607
4f30bd20e104e635d2219b9eaeb398397bcf66348ac4bbe8a4f6e362537fff48
b24ed459bd007af4e54633e40c1b648fe801d19546c86a6f1a4295ee91481580
773dc693ad65bbbe0852882060fb3bb7724cde70e44a15bbd78a419f055c331e
bd79250be163cc4c9e1be892b130f8442a28b30109587dd5d64439cd30d15c63
80f0aa79c139d0746b5ce181305e72ada7429902b6dad38153bea05b6799aff8
a7a71e3d3a0a2e2beb1788799a988834a9835052f4f20b6ed9f42837d6356200
fe2f1e24ebd4c0c2fab46f66a141a8659f1f67d092a6a3a48f44b65bde572ab2
61d6aa4d530f6970cda9c5ce712c9aa3cba111641420ee858d1904cb85390a47
a0772b3cc2d27bd27a1c19bee7101c3a92eee837a3beb12d7fc95641bd906c14
3b96f712bdff4840006d2a2f481b77a61dadf18f99b79b41431029e009648b57
fc31484929be85ea49c390c043f7eb938ca2d9d52c2c51f1a75eb7af7f5b5b8d
750b02c29bc9bdad4407f1dbc26f26b130e3066fd96d2bb0551ca73a4500d847
f93bfdea9c654ed1b7bd7c6b8baeb73dcdf4a5b5f9c0f8d605cefd848ed2714f
aa6a90f7584ff553aa1f3f4d822ff1e0bdafc99ee6dc26eb29f22c771ae38ced
141f6941dd7a9e199567e3ea44a07185cc45bf3508ebcf7c20d0fac04f5165dd
2ee83822e90bf9077a0060a2cdf184329a0d7463077881fbe9e534ac0c5aeafa
d6b3c860787fa02452abab2ae6b158b50c99c543a7a518738938ed1132a4c05f
db8bf49cad8a72f5077c03e794d180cd803fe3fa612f038f336f75368a55bdbf
9d46a3ee045fab910e0195a894717563df6b1f7490607175c867a958fd52a9cf
e9b73413756d5e5be1d9a86999ebf4b6ece681572849545c8a66c43df07aa614
cde11975c9715bfa0f0bfb192f920b04e637fc1a417e52a4a8ef650c367b9f5d
57bf128dd42cbcebac753c89ead426c684b3f524272bad0fedb50d206c9779bc
6527da30f4a6c1fdfc7e9a2a81b9ffb3f07bbfcc060d77df6d1c3ea62760ff5a
c30ce4044201ba3ef1173a3a64eba35eb7524f0635b59d5169099f94e3219c45
a034749109dbb495c99787a7243321994eb6a5816d8822e8ff7fd9fe333b6433
a71868b3cf2cddb53977ba095b90685f900043ff64c804cb406a0c6a42fc88ed
0094eabd4e5fab823f11004e0c639da777467f29218d76685c6f43dff2c8a60c
fd36d0a92be3751431ce5b6d866d883de0632596af4b2dc0a6d0d403d3782da9
9b402811635664887ded1274ee27245b573a4a5adfadcfc575514f311c2d62b1
aa52c6bb2a28f615c7882c97c3b5e8a5ae12cdd5faf2f279fe6ae7c4c56c40d6
326acb77b32a1f00e28bdaec32e023b0745e7e70359488e0626609dc61739601
48f75a3b10d0c49a34ac0dab32e107d403d2d8d7020bc65f6cc70af514865d74
96b8a0a46eed5cffcbd12f1d017dc9353e9609ea63bd2a6842fb6caaa14e75f9
ba975c7ae2822b5fe2c3a3f57632dc419d5880ce9876e9ada1ab45f1f8111327
5b1a641537a96c93eae51e311fdbe2ec0c70f71b6d597e994e3eb491e58e216c
9fa4f4fa0ccd9006be413b20a0352788f9c1adca9692e80c446bf7195038cfce
3531df9b9279335d25703f75ab3172e84551a15162aac06054ae1aa414b01d7b
71f7faa069b2823432ac004f2347557ebb4a9212ce8dac5ec90736c66999c34e
ddc70fe84c40545b60c791844192c3c253d8c70c4960526ede8eef4d5ed77d36
4d0a21bbe4d9aa6c9ec28c32d3fdbe51a52323f05ff25b39f16776945e070b68
11740541565857b4e7f70560b5ae3983cfb13c871bd5cbcb4e326d8da1bdc5c6
3b44112a6fe65dfe852b09b0e2db595f3d42787ebead184ddeef22027ad634d0
35892e97a064feac4188b1c280e2cbc64d210f8e05beec4c3e306fee339b982f
ee3a1ff5c23e29359b76bf69158dd9a0b084a7fc917da78d6fdab735d895ec91
afadbb3713763aea2ce6e694df12608ce8b030dd484b24b571dcad7d7f35381c
1d6d59e43e78210113840131b86cc800291b84bdca09a317955b744db892ad8d
3904a5f52707e41385bf7ca2d989585673c8644951bfa6ad7465a3e2aecd7262
862b3849f8aa783b26340dd0979070e412e9f4d18ebb70116ef3032ba59adbb9
4b7453fc3049f5c5917e5a3c8855e294290a94117b5c7f9b1202acb814bf721c
1be3fb470a45b3b2d0e62f9aed1deb11b1be7ec4dd9d66fc6e90406aa2c709ab
b129ed8e6d7e6fe3d18e2c041dd18a2565e162b1c568603e6f3ddb984a476e42
a3edc482bf428a1234f841ffc2812f65ccd76afa56c1423a4e9561f90a2ed52c
f6aa73bf17a967c169c1cc128487d5236dae4baa45a8598ede1b1d20e9a05305
451724eb6b379025fd49e7d683aa3747ead9ea1ede8eb0b0369311d24ee266e4
05ab5972c0a4b1ce912c9137e4d849b7bc5166ecc753078aaf7c82565b22af23
56c57baca73420db6665cd88dd49ec55aa5101e9e2866040a6b86913629ba859
6f7b7e6a8fc6e66cedd8667e30e71f3e000d951f4e65c7bd929dbef3042abd5a
91e032a087db1b4718365b458f0cd0aaaeeb6852d281f64bbfc3dff02896774b
b129362de7ac7eff2300a8bfc998c034644da285748b3ebc6293545b0e1bc409
3696a4eae0c1af42ba024b2ecf6c688311d89539dcbd62de09ed4cd2cbc9e06c
6a1d03f6ed62f7c90305487e24911056f3cd3bcb7c9b4f2529f6e9f05e960681
fb94dd1cf674c7200be979175c0c466980a267c9d3c0efc00e45d703bd61679c
a56d74da16cf15d798c280f8828d1ec228416f77949b8fa3a2ab57be105bdfac
a0dd3434b8d4409f20b38f4b4d8c5ae940345a6262677549a32a4dc142d6c03b
0adf78a70a3442348a70224cb9c3ad1f9a2df08b4d0c7567c7f3c6b269e4117d
4028159aab4d2f048ccf177ba816e68161f2d436d042306e4640950d03d6f837
32139088da2b2c8b10393292a5789449a2a0721d0090665d5a0e676385e901a1
746da1f97c0a4265d0457adda3a5ef27b54853e1ea24ed11b1da23fa3bb23f27
c8fa54e1c06ad6c20fd04b08425c94fd133757953ef0d6fd322630c4a4e72cfb
6aa9b90084a9c5d1d2b52b92fe9f40175fd1adfb9555cf2130417e0a78999d48
e9b991c65b0b60d2ad9ed0b267e1f7170b1d32acfa2311ed216a247fa26fc822
667dcb0b6de5e52880e5ec219b9731ebef289d9233d94b7806bd5127beaf0c22
5b273bb88e59d628b9de823dd93a3df51f7c5ad1b06df905463abf74ba8aa756
bee585e7af295dd5b6f2b6578088369457e7a22219ab8c8c81cbf3eb654ee7b4
bbb8b34d64c475178311dd81e16510b984a989021412a89ac1f12bea9f075066
7ae0c90f469d1eba3bb7f3ff971882a42a030b5f17ae6041499a98f1b14a5020
19524722fe6fd437656c1a2b1212c293c57347725402ff425593b32de91bfac4
6545e89baadf5dd96b70e0f3f5dee9a29c47cd0ba1cca22b06fa488493da0472
5eb034edafc1e81f0ab353c89e6643a209ad1fea9eb68333cbf1ee94eaa942ce
cf4ef7b731f8ed00fe63775440145314ffa93e720693a533b7206f29fb43eb08
4440dab42b0d92c3d3322f5c9366661ba0ffb8c2a8ee59df0a226f44d1abf182
afaa7ec44de3bad769383c31b7d8ff1202c7d9db5a063bfbcce48869690b72da
aaf1c64a5ecc7cbd560c1e98c3225b1cb9d05f23945ed1cce7fec48e4910421b
83b34647edb04b335bfc66e2a930d60e36665870b568c30724a2ca32e400db4c
bb23ecf3e72cff788ff83e5a5c0fb37349e8f15ae53eac2c99b9c6da70a6edc2
9a6f0880ed01c2f3ac123cb44c588515674c7de39d54b887ebc4d295851f5be1
50cb84ce79cb5b2de946a69987298e6ceb0b133f5f70943cfb8b165659133d2e
cb85ce68d1b644a162108d0d1e5679a2ba3b0ed4da0720a984c9c1b2be756bff
2067f3ac3d7775036c36551ff911a7e2653fc7cf152f3dd27cc9c129db8f56d4

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.