<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=179060&amp;fmt=gif">

Minerva Labs Blog

News & Reports

Mysterious Ohago Malware

Minerva's Research team have been on the hunt for emerging threats. In recent months we have observed the use of new reconnaissance and cookie stealer malware. This type of activity might suggest an ongoing intelligence gathering operation in preparation of future infiltration. In order to shed more light on this activity we decided to share our findings with the rest of the community.

We chose to name this malware Ohagi (a Japanese cookie-like sweet made from rice and azuki paste) due to the name of the log file the malware writes, its Japanese-based infrastructure and its cookie stealing feature.

The Ohagi malware is a short and basic piece of code, providing its operator extensive information about the target machine, possibly for optimizing future attacks and enhancing survivability of later stages of an assault on the victim's systems.

Some of the samples are currently detected as:

  • Win32/Glodbrom.A
  • Trojan.Win32.Twohagis

A Bit About Reconnaissance

Importance

Malware authors are not the first to see the importance of proper intelligence collection. From biblical times to modern warfare – the attacker's decision making process is based on the results of reconnaissance activity.

When you strike at a target you need to know both its strengths and weaknesses. This applies to cyber-warfare just as it does to conventional warfare. Every fortress has a weak spot – a window that someone forgot to close. There are many equivalents to this "open window" in the cyber arena. It can be anything from out-of-date software to a bad user management policy. A sophisticated attacker will first search for a range of those weaknesses and will commence his onslaught only after identifying them.

This "open window" is only one aspect of the tale – each fortress has a watchtower, looking out for unwelcomed guests. In the IT world the equivalents of this watchtower are computer security products such as anti-virus programs, sandboxes, firewalls and IDS/IPS products. Just as the watchtower has some blind spots, these products too are not perfect. Recon operations allow an attacker not only to learn the target machine’s weak spots, but also knowledge of how to avoid its most fortified areas. This avoidance of security products is commonly known as an evasive technique.

Example

Real world examples of this methodology are abundant. The Anthem breach, at an American health insurance company, is one of them. The breach was initiated with the ScanBox recon platform only to be followed by more malicious and intrusive tools. The knowledge gathered about Anthem's systems enabled the individuals behind the intrusion to perform stealthier post-exploitation lateral movements, avoiding detection for a long period of time. This modus operandi is very effective against large enterprises, enabling attackers to detect specific vulnerabilities in their victims' systems, as was demonstrated several times in a series of similar cases

Another example for a tool used by attackers for surveying the target environment before the actual attack takes place is Hacking Team's Scout. HackingTeam provided a custom tailored cyber espionage arsenal to law enforcement and intelligence collection agencies around the globe. Most of their attacks were initiated by deploying a basic Trojan named "scout", Its job was to perform a series of tests to fingerprint an infected station. Only after a feedback from scout was received, advanced stages named "solider" and ultimately "elite" were deployed. Hacking Team's strategy was simple and effective, enabling them not to compromise their costly assets in hostile environments such as sandboxes, honeypots or forensic analysis machines as seen in one of their leaked email correspondence. This original manual to Hacking Team's Trojan agent's operator describes this strategy in detail:

The Ohagi Invasive Recon Tool

Fingerprinting Capabilities

The attackers used the Ohagi malware to extensively fingerprint their targets, lacking classic RAT functionality to exfiltrate any files or to perform keylogging.

We identified several similar variants of the malware, performing the fingerprinting procedure in different ways – some by WMI queries and others by calling Windows API functions. No matter how it was collected, the data gathered was almost exactly the same in each of the variants and consisted of:

  • Hardware specifications – From CPU and GPU model to mouse vendor.
  • ‍General configuration data about the target station – screen resolution, default language etc.
  • ‍Recently accessed files and lists of files in other important folders such as “c:\program files”.
  • ‍Enumeration of running processes.
  • ‍Basic networking configuration and status, including a dump of ipconfig and netstat.
  • ‍VM and Emulation detection – The attackers searched specifically for traces of VMware, VirtualBox, Bochs, QEMU and Wine by looking for known file and registry artifacts.
  • Sandbox detection – Cuckoo and Sandboxie are also sought by known techniques and a generic test measuring mouse movements over time.

Ohagi's core functionality includes six different functions, each in charge of collecting different kind of intelligence, followed by a loop that will exfiltrate data about the user behavior as long as Ohagi is running.

Data Exfiltration

The attackers chose to implement a simple exfiltration mechanism, sending the data in plaintext over HTTP POST requests to varying hard-coded domains:

  • snowy-nature.ddns.net
  • cloudgoldbom.ddns.net
  • thunder-winbecome.ddns.net

All of the above addresses were registered using the notorious dynamic DNS service provider No-IP, and resolve to IP addresses located in Japan:

Below is an example to the way data is sent by one of the samples, found on the public sandbox of Payload Security:

Obsolete Packer Usage

Packers, also known as crypters, are a class of tools used to make the detection and analysis of a malicious executable more difficult.

Some of the Ohagi samples were packed by the MEW 11 SE 1.2 packer, which is considered to be quite a “veteran” packer as it was released over ten years ago

It is unclear what the attackers wished to achieve by using this packer, as the packed Ohagi is detected by more AV vendors as a generic packed malware than their original compiled version.

As for Anti-RE measures, this packer is simply not good enough and can be easily unpacked by common automatic tools.

Ohagi Neo – The Cookie thief

The unique variant we stumbled upon dubbed as "ohagi_neo" had a more malicious nature. Instead of only fingerprinting victims, it was built to steal web browser cookies as well, (hence the name Ohagi). This appears to be an escalation in the attackers’ intentions, who are now actively stealing much more private information.

The creators of Ohagi also chose to switch in this version from No-IP to other free dynamic DNS service provider, afraid.org – their C2 server had an address unique to this variant - sunny.jumpingcrab.com.

We also noticed a different data exfiltration method used by the neo variant – instead of just sending the data over simple HTTP POST requests, they chose to send it encoded in HTTP GET requests.

For example, the malware sends the following request to the C2 server:

GET/images/install.htm?c7b25fc=1102578635&%4F%53%77%69%53%45%39%4E%52%53%49%73%49%6B%31%6C%49%69%77%69%49%69%77%69%4F%53%38%79%4D%43%38%79%4D%44%45%78%58%7A%45%77%4F%6A%4D%36%4F%56%42%4E%49%69%77%69%49%67%3D%3D

HTTP/1.1

The strings colored in yellow and turquoise are identifiers of the campaign and victim. The section marked in green is encoded both in URL and base64 encoding, after decoding it we can see it is a basic identification of the infected machine:

9,"HOME","Me","","9/20/2011_10:3:9PM",""

Further analysis enabled us to conclude the general format of these messages:

<Type>,"<infected_hostname>","<infected_user>","<infected_user_initials>","<infection_date>","<SystemBiosVersion><SystemBiosDate>"

We observed that Ohagi neo is not stealing the victim’s cookies immediately, instead it sends back the basic info mentioned above and waits for a green light from the C2 server. Only after a buffer containing the string "BEERBOOMBOOM" is received it will call the cookie grabbing function: 

This behavior is demonstrated by a sample found on the public online sandbox malwr.com:

It is unclear why BEERBOOMBOOM was chosen to be the C2 command to trigger cookie stealing, but it might relate to the hostname of the VirusTotal sandbox machines – TEQUILABOOMBOOM. This communication for example was gathered from Ohagi sample, executed in VirusTotal's behavioral analysis sandbox:

As you can see, according to the format described above, TEQUILABOOMBOOM is indeed the analysis machine hostname, already known to be blacklisted by in-the-wild malware the Neutrino bot as anti-analysis evasion technique.

The smoking gun linking these two different malware to the same author is the fact that two domains unique to different variants resolve to the IP address, hosted in Japan:

Conclusions

Who is Behind Ohagi?

The identity of those behind Ohagi remains a mystery. We assume that professionals would not use dynamic DNS services as NoIP and afraid.org. On the other hand, the ever-lasting evolution of the attacker and the dozens of samples that we were able to collect also suggests that we are not dealing with a lone wolf.

We can postulate on several other ideas about the identity of the perpetrators – Perhaps they are semi-legit researchers mapping the vulnerabilities in security products like a similar internet mapping project we have already seen? Or maybe they are providers of corporate espionage services, performing a proper recon before an upcoming attack?

Unfortunately, we can't prove or disprove any of the above theories –  and Minerva’s research team will continue to monitor and investigate the evolution of this campaign.

We turn to you- fellow researchers – if you have more information about the mysterious Ohagi, that may enable us to track down the entity behind Ohagi, please contact us via research AT minerva-labs.com.

Minerva’s research team have also notified relevant law enforcement agencies and JPCERT in case this activity is indeed orchestrated by a malicious group.

What should you do?

While it is impossible to evade all security products all of the time, it is feasible to evade a specific configuration. The set of security products used by a potential victim can be detected in various ways – with the Ohagi malware as an example of one of them.

Corporate entities should understand that their sensitive data is not limited only to their files but also includes the network and security product configurations. Minimizing potential leakage of this info will greatly improve the overall security of their systems. 

Instead of just minimizing the leakage, we suggest a more proactive approach. Using Minerva Anti-Evasion Platform is an effective preventive measure against this type of malware – both rendering the attackers’ recon efforts useless and alerting the relevant security teams thus giving organizations vital time to prepare for the next step.

In addition, we recommend that organizations perform the following steps:

1.    Actively scan for Ohagi traces using the provided IOC below.

2.    Check their current sandboxing and analysis machines for potential information leakage as described above (we recommend using the open source tool pafish). 

3.    In case indicators of Ohagi are found, you should notify security and IR teams and consider the possibility of an impending attack.

For more information and details regarding Ohagi our team may be contacted at Research AT Minerva-labs.com

IOCs

AV Signatures:

Win32/Glodbrom

Trojan.Win32.Twohagis.A

URLs

snowy-nature.ddns.net

cloudgoldbom.ddns.net

thunder-winbecome.ddns.net

sunny.jumpingcrab.com

IP Addresses

114.69.103.233

122.249.229.125

121.1.207.132

220.211.132.42

Hashes

2d1ee234d05642e4ffac251a61ce860614b0516e5ae24430995a8a98c553470b

e7e680fdf8820a12a3305e09eff3382c5d47c92aaa516c192d370a664aff6be7

adf5e7f7ef83a2b21e4ecc418d0476dc768880c6e923f7903ec4f8cb76cd7101

b12f331628fbcad9619d388abf285477ad55bc2c69a6502da507409aad7ca7a3

f365377315fbbebdb8cede51819cffc2a6a9a046cec4b5c2aa3f0fc37542fd8b

657130f8687e1570d355fb9e56dfe9490203cf68978150f3a39f5751b5770ed8

adb8e698ba09a211c0e26e246d8c56166c087441f9ce3fe6a3a9a350078e8307

a07fcd2c046b91226d41f8804bf7a135131eebf00051908829c45b5a658e01ce

3ae3872abe00689c1e9ef725a7f7bc0a52f5f6e09f431c67325b6fc391f42a00

345d8a598f82a21659cac1383e37f03ebd655a81a9d2f9729fce18116db1a25f

a3a2460ecf4d97eeaa498b06ee4a812e459aabf13fc397675179f01576028eac

dd426e682347536feabdcbbb3400cf51fc20f4a228fba46ca9a1e8110a6a3aa5

909db113683b07abc474f1bbe90aa66c3e4e2b97936c6ec28796494f3f9742e3

0f2a4e1cb69676d55ab4c227a4d2b4867d5c571c661005930574f6681f5066c3

02052bb7226b6a92a6b13da4d3c25de72b84054aa6c3e5005c7adcaf0d1d2138

f618343f034c8f12c54887cb214aef0e19222e19226e4ee763974e52be408063

9ad3e1b7991cee8068f5b7f090d7f56731cdb9841d6b3be86401b68ca60a6a75

f724af9c0fc4f9b7d959740295744b22cbd558904ac1ce2a899b3d384c991705

a72fe47faaec9659024fab08c313e2bdc9737fdd771d36902d6dab3185a96e16

c8596950e5ad73232d98a22f6291d261e4a677a9cd8b7deed6780971e7da9312

0293d630b2f7ce42de4b18b710f192424d60cc547aed2a0472c7d761082ca035

b3b8bcff87973f2ccd3330785adcf78fef82fedad8dfde238148f5ad422d4085

2e1a31f8ce5ce3a64534d01907a21a92a453eab51f62d7f49726cd818f7aef9a

3c337d0d96df7ef0db7144cf6b4e71fb870f80ba1115e22b32a6886e827925cd

2c1131f9e13ae522e8c3ce836f59a3eca1e2ae54a6d007d5c8d57e5400e3a3b1

ac48e149eaaf1592dbcf3912f690e22449ed85c9cb4b705aa3467fe237ac592f

03502b4511e228d056a3f539a764dc8be0bb5a4dbee21ab4e76b647868419985

78b84460282ce4a0a76ac317b6f867c2b4eae427293580b34555181acff4ad78

ea97c0635973f190fe6be2fcf90563ddda6f0b44e5f610bae0f9f1ab0635b81a

d3d2a288f4845fa7e075d5236808aa6ab48e2a9d82788d9ec9b52305bdf355fa

878ffae604fdb5929def6cd726d556e0f673123288a83f4ac744c1a6ed3fd9ab

7d37db18817a829c0ea7aa672961383a069d8852e368b6b402e42610ef3fd263

8c989539258ab70cefc19eeb379021f203381c550d646b5c0bc96e4d294aecfb

a726cc68ebaeca0fa4d91473e9784f8c385b8c54c5699d62cd0e2f2acc702189

e66873ea7b60a5cffe02165a2f47491656db8ae5ada664ed405a468fe76853b7

19069919adcff98542bf596280d67cc524e2a35403f6a56c49e229c8f2cbabe9

41d34776364c145270a8f68314e6dd575c9ac3ef601b5902a5be3af426f30170

2bf57ae25110d861cc7bd8b615b2048978ac0e34ea24466cbbfe9bc3762f6bec

3ac67ffed8bc6a379c253317145e420cfb2244531328ff4a6fe65b65e9abfde2

9448c26e11a82c1516f3c7e8c10ac8b94e87a81f9c9f73b66cf422b07f00886f

ca7c895d142b0adcc7217bcb942ff3dbed638c7c37db6b767ad7894ec63d37aa

25550f8a4f57423e644b3cb4cf3475b7a4424f7f5fbe570faef6ace1d3abaf00

d4ef4d46c1eaa575b65a5f5a49e5c01f1b220875638bcc4a65696ff2106a6699

c45d043483ae16b509b92dcf08ddacc91579ff9d5a24d92a01becf160adad821

0b8a6a22e883a1ce26457246268aa714d08c1cd04a1f090eac1c5b9910e7b1f4

8b013261f6c8e9c5f281d5c570251a2f8714f59ea3f0f3973882c6ac642d02f7

938b48e4adcc78a4bd31ad7c5357b3d0319cc8f0fc2f22678b7d7d9b395a5767

04d41a1639ed226e17b806ec4ab9753d096b783b45f2bf8c61b015f3847264ac

4875d5b81c1e231294553a7bd119779d229cbf2877750811d7b07940832e8db7

e28e12815053472ab7176e34dd67f0ab238f8d74ed0857857c027645927c6b52

defe13202320bc02602aecdae10c0c1e8d46b48fc9a942b8222fcfa96d290eca

4c2e6ab33f1caa10feaad77fc8fb0070e96217f872aa443ae8570ee3f1fdfcad

3614a74da1669c4991225e9769c0cb91a0b02b8eec7af2a7ca0e4173acb560a5

1c19ad13c71cf829d1b9a4b3cbdab0610885b9fbe75f24575fd5f1f17cd5f571

6ace8d79fd17988b2072f7fabf6a433d0905bdc84856c755e7a718a4dc7ccb6e

c03e37235b96c3063cd271e689d690c4b9c3cb8506392255fa6a641d8757a0fb

210ed4c05d1143f161d161db4620b0212cde0bf0ba66f25f581527a8d90b7cf5

028c5c8715936a52bbda08cbea9242b373b8c74c674fe654f3316c87d9e1645b

a1202ce4b03452f254f32184f064551f458632a0fc757863f5dd1e0b9d9004eb

c874bea4d8418c7ed105c4b4052ec69635c19088de27f0f501cdf4e2ed84a862

1625f59353f7d6d9236f6669b801a06d92c93123080ba51f535d9e7546fcc475

01259cb8370fd8a7b52c2b1b42555213f397f43d5311202e9fc783fe2b345d24

3d27f5627f485e15d0f606e1b0c3ca284b373c1e3a5e4a4e7a3e74103ea2a803

1ee628ab3c78d8f870e0e5113a99c84bb405ee0af52f2b64463085f32f2a2daf

fb9e6d7613d5d420ffb03dfc0c0a98087c22f1b5cff7876df6ecef589cb6d8f9

a5dc6e136c2f9e0e7bd27ede4cf5fd5b34e2520d8280e0c54cbb97b4b0bcd3b9

19e1b3dd4f3969e81afeba38c092087f97714d82ba84cb1b9fc6f242b2063c39

18abc465e6513b97799aafd39f33b8bda16d94fa9537f8e26fae4c41c24b956c

c580d28a4f6f3da779b81c4c8ed3945227c5d09a0e4954f3d9df08a71d2a312c

b3d4316f29a3f3fac01b04a4161fcb38ad0faef1592e59772eb620b02ffa0b91

f124197f3a7c8f0a19132a81addf19a202fbd50120f896461e3de5b93e533790

65e3caa1da7e1e526fba27a6523a07dc65febea24daa4da07db469778b9adcd8

7693cf07b4a8feac65a51009049f3c81646d0ae7345f675e1f5b77797ed89652

6fe99e70a68eaf2e0dd3a9b1a2bd5247b82aaedc34a35a89a8d2b715eb5359cc

f24ed956a96d45102f2367097defaba5774f7672afb4dfd6811ba958d5223173

a8ab69f07edaeef205536444ad6fc90a19961e56e46292d566dae3213685ed33

91701710fff5bc29e15f4ad40ed4218f7f003fbb8ec2afaeed63a3f25253c995

013f85a6e076ccbb76b716e16f62f1ca00c52bb8a4b1b535a07e059647430cc2

854acbc1222fd85dc373fb44ebec8f2e19cb70d1a75a684b2586b609be3b9e1a

d7a4df811dd8f2bc6d023561d7cdc0e421ff9e1230f00ce089fdf3a80dab7e22

d0d7c50800ecf49ba6f85a71e8d01caca21e130cc8f2b44407e4d1d3b4b919f6

7cf5fa1f53ff99c90cceaa40801680ca318519b4e88ff430e7d43618976db969

26b72cdf5459ea1d99264b8ad28ea89bcba310a335314011c79825e07e76f489

c2c68211b4d75e58729dad6574342f2aa8d7cb74ec717c8a9ca39bbe768a3625

3df37738a792058b18bb6f82b3b29b37a81128a95711b99e66f8b70df9d1ee51

a5dbe4f0347dc1226d8ac686c48c9c49c8b7c94cafc39591c47c5edcff821fe8

098f5a334cc7ca77153865d35f9111cb7dfc92a552137bd85c489c5d8cfd90df

0493c5d5b42a09d1f94817797bc140eba059fe9b35cf85ff010e686c74952259

eb083da48e1caf49e682d02a63e6d064d1efcbcf71b511894472792c7f4eca61

7707bc4e7bfc79aba2cb517d9b9524882b563e21dc1cfbd863788890342633d3

ade91d1d4b13de0b0ac395d2d3f7754ad6de4a1775e233c693071e66fc2f7a35

f5e07ab16ff933e8e846c4ccb14120f5fc31e5581304a669f8eda50b439c2be0

2a7ad3428bc49904eeb192e554362b153359acb545628133357fcf62f6b82dd1

b558783aa1440f7e82f605ccebf884876c67890fc745701bed262185f94f7621

2e982f6ecd13962138247bf8d2b8b8d3c9f923bd089615394cfa7e7d7dbccc52

d75d42a91a4cdd1926e089c7b6493c21787960d23f6b1cc8bf34debabd0392f1

d2d2d921edd39de1403bb787e72e1e8eb7004cfb006253315f75672f888e39e9

62a478762fa3b6793df4c861b3111d1ad63f6a0b151ac54e93da64b5e3152caf

72fc079b9ded20fa084b2a9a7d66934f188adeb7a303b9f4f1e7589f489055e0

0e4c2222ceea00aeb0d4601c5487cfd92125922084bba2c19d57eddc86e5ad50

f064be0e45b41d7243ad17f9e6f071fb7b4155a53fe7960be6d28139bc401f2e

8ed226a04253d537c30958264adb15344d0e67ca4667263a9d504bccab15ad3e

0be45a39a215ef93e93f22f30cd3bb3f73b844f1ec6569a354501445faffbcea

90595761ab701cc4f467614478b560226ff3e496e05c3b4f06034d07fdfa942f

72e4df8bbb9c50de36c7a84077d722a9ced64988180796554ef80d0ef88b3f96

98cfed1fda03ac82dbdb0101e989ce35a0274a6e6dc46d26e126080025a28368

f6de6010ddb4559d277de45b9231cad17cc2e4a1a24d3210704f199d5b9c1803

ba30be6f9172d564fa5059b4dcaebe7b723755aece2d6bcc966365e31b76d4b4

19cc2d2798a0a6117caf34e610e20ae6b8c7aaa50723e1544305a3eabde1e782

d178603d90da5662df0dcea4c63a956e285e72b6076c9465334e968ca81b7e9d

c4ec11aa182bc099b9788251fa1e64c3a0795cc1c30fe1e166f879526570f390

9ff0eb51560f2ecaafa916562c0cda96ad7356f7f44ed2b9323ff43d2e53c06e

9511c22600baea68deb2a7cc182cec9f4a39795677138eb03e38a874a667a6ed

3c3edd1ae5827178860b8a5feb176f8ac97a309a87dfdee1495d7432ba3aee03

f102e1791611428688c19acbb7275a072f9557d6103e72eacb724a8e5892cd4b

b6c00438e299622257959170404d0656a56bcd2b038ecb21b309d6f5ab0d9791

7639a5cc49ff9b626796ea1ee603df1db85d94435fd6e5d1034e70130f558049

74bdcc74ef18e67d0eab63d0710e7664bfb352d7de627b72f14df2ee5bd0c187

7925dca02d6fd976539f3ae5e7cdc8438fc1121c30a492a658db5d6fffb54864

e02d13986c6b20727faf6eb177ca2ce0f793ec22e8b21475a8cc191353b8b729

2152abfccfeda970c04c79558e36521f0ed2324b8a603eee33a2af771552b7c0

7369b5d032e251c62a6d8c2b22ed4ed8d4860ce607ed55764d336a2f1e25c84f

f1f37c00dfeb7150de9043a1392de7fcacc2de171711be265f703d44bdec5959

650fede487f1c4614a31799eef28c32ff90a75c9bc9c3defa42f167c023f3671

3fd7f3780932298e9027ff02377219396961a3304c375bc13bf9b4c02906d73c

b9312bda8ac4da6ca786eac442c9fbdd338f9a5ef9731437c8de64f8991b15aa

4a7ccdf9151402a802c3f720a4bf7e85bf862d25d3b7cad26d9df26eda82cb92

9ab92fdf0dc2aae9ab91bb565e81c8fdc70d731bed56c3b12369316e6c390f55

635747484d4675519f6a36fcbd31517093691bb77639fc86135f3fb073b5c94d

1b7981194c8fe343f9341a7e1260d13a87a5a07bd552202405f53269a17e1b5b

9fd2c844bb06227f6b023e091c5f261ee10b09db82e1d4615ed8cad23007e637

1131b8a5a114b577c55b307ab1ffa9e39148cb3ac5c17d8029f167075e63e516

39d4a9f6100ff237284240e235254696ddbadcd78db2d5269a764a78eff1a3b8

0b24b637f34350ac9b5d51d5fc0f19a636a3e1c1a524ef9cdb3cbfc9d5f8f6e9

d625a26c0517a1a37d3dcdc9a4bfe9d193f2447dd81e457ee88ee1806f1872f7

1350d90d4de4048f9da5b1bda141d397b8befa3a11d7c4528f3c7e85f109c2bc

8338fa12d2a59751bdf1dfae07af20b1fae39f82d1658db1c4eb2e85412be1af

0b80d7ce746bc095f62d7d32417764aef43db437799089821346ba07cb2e65c2

76a2ee1a805efd214316c87b10b70e115cc64d727d76125465e1cfbf6954407e

fa1cbc0d78fbf211a8e4a6b3ac9c469ff3dd0a4c8fad99d382ff56872f8a6d89

0ca7abf54e889f179793583f3d5bcd536557ec3b591e352b9403be6c5cc0f33a

304e67097992e526e24157c311761b4d29b70197feb3e05c36880e463ebbe9ed

5fe86c0060a0e9617865bce84757eacc9936bcfeb1d404c6b3a2fa00a8c56282

53cc571eb884fa83da50e77771138a1831efa1e67e41076b5ba162d687028a35

a855bca9af2afc1579c481ae3aaa88a3a93552f6f7d3b67f1fa6ca8f4c4fa549

371c7c3263f9bb765527c93e25ed453b8f3826b49342c97c40f2ec93f4f55a36

d56f503b3d842d6617b0682b9301ec63201ff7f5c73772df68c6feed982815bf

d1e737271d42beb5390e1889af2f14b85216712bb93f45e25a974e5c12dc9709

8b52434ebca79b998361b6705f327fe12abc8fcab75dba640d54db920f4dad43

638be0c24a1c723bde3942a348d9d437131d18deb4da288e870fcd093e00e493

dfb6705042508292efa0cfc8187fcfbed9052a7c81f6a55c4c1d841bb5d35e64

98d8b23fa6319477c5c9b3783ece257b3a1f54f827d688ffc33e95c96a399316

62e5bd49e37ec65d8635229663035a83e40bcdf68289ab1fe0f5ddc7596a6e64

c45aad58d0510455d753c1b7275918450f1a4d47c41c28a7c986be0e5354b706

4c9d930a0797e91aa1d4762601eaa73706d9607aeeca4194f787bce3ed0efa94

4ea3d3af375ef0d8e6f073a0346984220b498f754e6c0224603a3175de3f3dea

24ff15145277a3478ae3409873a5393da1e997844ac78603479218b728ac5e86

d99817cc888aa1173c8d1f2723e10f03ddf368c6f1d91f6cc40571d6bc0a39a8

47a7ef1547b8338c3131eb9c178a0a1b64a54f36608d14016cff7c8b9a3fe7f6

16bc005f8367c31c2700da3d9416784287b004b5225f8fc85a6d4696d8494030

1cac8a6fc490bae6cb346b1ae01feaa581a7779c8d984f3073cd3578ea1fad75

94c1af8ce58abf92d47c4c60eb2b43ab2b64b4547065515efe58ab33158e302d

00af042f1bb6ec93d0a2ffb59e42dff29c33c8ce096a6f144a7a2a2d43d699ac

fd49e6ce1af28aec10163ea1e10f196ad8c1496cc16f4559d82180196dd8bd00

f4c007f67baea26822862d15529be562cf85cd3856b13abd40631d5681e4aac0

58abd68d31659bec5f84b34607547bbe59e3277e2b5babaf5a86fbc42e565e7f

fcc1e07174c7ac7cf106b58abb6d7ea0036cd5436b3baa16ea9c03b40836337a

e3785636dbe5fb1d001821b39f880f213f480d4714a11c4ad171e69c1b1545e3

eda727531e9b8e618049481a34146b13f29e741075909166fcb60d3e976ed79f

b37d1066cff636506e0b13f8912f951fe287b315832952cdca8bb172ee81b05c

f275b7100f951234ab8e0a0ad78995fd33b6c14561786bedf6b9114c58555bec

e57b153f889aa3fe2dad9583fb0be61d19bb4cb2bad044891beda76e1d1b01b0

c7de8797f3928607ffca00836986734906501dc4eeef9652c7d71ca86b6b421d

2c5bc373925677ee860d7e11758987140cd030ad19ead9c6b98c98ed5d968470

3c0e2b553743458bc71d0090126a8317d313bac69eaea0ec9af4ec359b37345b

203e41f9f38136d2f3b3fd14b731d5ec86fcf7e3105039619b8a919360cf778f

0f35c49af2d89f81885f8fb8e8095e1ae4ea80ec2f1eb6d47671a3bd77de430a

82450b84b4d26c8ba30d43660dd5142a43eae1000deeb3e220abbd5dcd3ca00d

7d004b9a94c65f1b379566057f896b1bbf003d428b7dcc40eb3eeb395ed893b8

4a980f2101e1a98b955f2da9b223fd95ba90f7aa198d82f697ca8f1446027fe5

60dde2dc3b0ca0434181137db7481db36c3967be2d6cc664769bfcd704a5a2cf

8d08b7db841b189f1fc204cb45190d4c40d22e75362d5bb8ecf5eaecf2dab288

aa4631a7de7cdb086c9c3b77465a16ddea960716e2fd6dbab4f37d68f2d0b327

4ac50fd6c041a52636c09d97b8860e1fc40daa3b6deb292db99bd6c9f8c5d033

b6519731ce1b1b0527d3c077707bc7f0dd8acdb0c7e263af42e9558e7d46ac98

1a359f24be26d283c4065a7aab098c620d27d2ad1099123a5013ef789dc3b405

f879bf7e68d2dd871fa609318cdb7a081736c2d4579dd2790c132f9f756a38f9

ad5fda493b80bd5bca18e9834d051d268bdf5a3a2d4c442ab7004132bca1c13b

8dfaa4d52f7c429378306962c26c6808e6d2ca359727e2b2104f0a549563e1c5

e4e883050200431e05b87ad7c185e06ecfe4367496cebcd39576962dd47fb3a9

3fdebad1c4d482a62d460f75be65e95a0a8f8759593df754c397c9c095c6fe8e

4dba83e209d216bf9ca8a0f5b7161f1e4680cf217b2c71ea9efd7f0de38ee5c4

939586cbcb78f8d964fbf931a4f7003b6d3fd6a33f097c90f7bfca2b943c0eea

e9180a36f941c9f42cd9f92d23268e772ff8d1b1dc69608a22a6319e1a1889a4

4f274c649c14935bdb38a56e1c6618310724c7454711101c60f0c2f8b2ec29a6

b62903db533cfbcef3f95f232fb74d6f5cc779a5029819eb52aa80867d103adc

48051c6c0f6db10ecb357b306e21ca10fcc4ea5d662902b13ad5acd6fe1a024c

39d852248906e12615f24d2101903627aa54d374ba0f32ac5882ba57238a77d5

a9264005fa1a17db72547baad066dccb89062832ebb84ba6a54c7adeaceec510

b2f9beff90e8caf287e527d30035285ac82d8656b1c44c33f0e7e4835403de59

74947b368840fe70f12dedd8501288127262a0ec1bcec087077ba14bf37549b9

56438fb52cdddec5ab514a4130e46b2f35266ad013837e26db60e1f2150ce76e

02bf744f2f1d3a951f44684ffa54eca7bd059c3a12e078a37e74d4652d6c5e1c

8a1480f46d03d38d6840a3a40a13ba89822459e4dbb9c5d6aa69aeca3bfa4eaa

28a83b2838cf020083d70710e5979c5fc7a9309e80a75339dfc50ac60469f864

83b5737047e47b7ae44070ca214841f9ae8b699ee7968db48125a303ea8e24f7

b85b9968fdb3f91441f6e9ec171151a359c0dc2c6a36ba7fd27a96edb8556fc9

30b3e0dc642dc82f16b7b4e53b79e01ffc206f4bdde67b4902c1c7f144448c6f

a2ae02eef442e64569c33e88dc077161e58895365b3794f98ed3b75a38c893cb

3cb86fe2bbf1ccd2e79f9b5f769dc7098599f1306b2af5941a73c2941ad7b986

a0f8ed62734b3bc3047f95f383bf024e4fc0a6d6beb309e5b617df73f1c1b2e3

f33d89ab118b3190950f7186593062f55ed786356e8e855e7a9efc67e1cae908

62241250da771889cf8fe149dc0a4fd71c20f77f2833fd4443de9b17ed05e604

deaf15f909c8e287a2c4834b425076087a372c7feefebdbd9454c60965c4f67a

b3735417caa40594b7ae54365cfdb40dad0fcfb3d994abc7bde22ca8b8b3506a

342f1d7d8d99d8f1508909a35fe323d7cbc778d1cd58d233f85e5842cc1c0611

454d6d7fb4ce3cc58ecd6a83d3e1513782f5a2dcc34f4c7ccdf5745fda617909

bb008d877e9c15ee8bb953aacd62add4189529648553dba49682000ef69117bf

4618e288488af006e15c7477083eaefa73cf3db1016ae1f6bd4fa0c8de8fc406

06c8563653c29ec0dd2590111158b47cc899ac1e442c4cdf06fe24d8350b4fb7

b01d1b86b6c4e0cecb5ede6a33f3b20b8f1716ff23c39c80be7a4f3ffb54efc2

5be002a2d8f30a3320cd4eb6ec02666bde9f2e4fd54257e6eb2d665e992f80fd

0eb50cacc3ee1e28c16018908cac189c5e974c21cf69b829caf8a218de524749

61764c87f5987b364f18b5422bc3bf7442cdc79bcd9612eeb7bde603739db33e

404743bb867dd3c1214f72d3fd2a6993a3eab127be258bd721b3a51bfd0d8c8b

2f76389228b0ba05d2b0ef9c7b5162ad0d44e41733753f1376402b966985e1c5

041d57b5087bed4ee2c745ad2573732ed6ace59d64db5c71ea0531a7d00a44d4

881d8477f02a139403417334d6b9588a0514faf0219098faf32f0a6fb2daf195

129ba253fe444113790128dd980805b70f78d2bcedbadebcf953087c2036c548

b4998539727bd15a61e9401d1c6b9b2f9cc00610d42e8df79a9d334c02ec4f73

adc5ca9a579c751ba04346d77dd05c4810fef69ed5760c42e830a0da3163b51c

a8ff949bb499908ec93c6d2d62c50009e757e17d0b2d27c912bfa6db5b725518

1d1adbdc691bc0ab47f9013feb4bb4880846efa23b847bdafee38479aa3e9cba

3ebe39ae9066584784d883b4f023dd0a27b25a9b854f384929261a4565fe9c10

d57e51a89c4156a820bd4e47a34399b61d1ead6d00b917cbd42ac92e3ae62739

5ef45289cca15deadbc5a7e9900166d317ec216843e5d1274a52101ab34ecefe

9a2a4c9197b992ca719d338ac52b1d0789fe08edf2ab9e83fe8401318ecdb2d0

0ee99d0674ba38ba50931d03f3ce6a4a2c415c3785ba0d99a5d8ed39ff165b1d

ba028e638876acb2fa9244784e6ae13f27615b4ffb0a3a87d1dfd4cbbacf5c39

2e8c9f42877583e2d3e0eb453b7d772c6d5f759e53acc1e732ccb70dd97232ae

b19d04a9759815d6b64d01fbc5a223ada331577e68fea22130f2d0624bbc3789

145fd2f0b4d4d244e0c1bf8e0c8bcedaa137a46c501ea251439ec7d760e50260

111a3dc4fe626bcfaa731e78dff7a76a0bbf5c5a185a5cb2ca896438e790bf3b

4b79569de0ce71a79649f9a9c8ec60e714005701560ce2e461d31e78a0ba3764

Subscribe to Our Blog