loading..

Product

Our Product

We are Reshaping the way companies find and fix critical vulnerabilities before they can be exploited.

loading..

Threatspy

Solutions

By Industry

Health Care

Education

IT & Telecom

By Role

Government

CISO/CTO

DevSecops

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

loading..

Threat Feeds

loading..

Threat Research

loading..

White Paper

loading..

SB Blogs

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..

Our Story

loading..

Our Team

loading..

Careers

Press & Media

loading..

Contact Us
loading..
loading..

Request Demo

loading..

By submitting this form, you agree to our Subscription Agreement and Legal Policies.

background
background
loading..
loading..
loading..
Loading...

BOMB

Dropper

Malware

loading..
loading..
loading..

BOMB: A Dropper-Like Malware Actively Spreading In Disguise of Cracks

BOMB, a dropper malware concealed as crack actively circulated following it's dormancy deployed over the targeted system…

loading..
  16-Nov-2022
loading..
 3 min read

Related Articles

loading..

Discord

Ransomware

Discord servers credentials are being exploited involving newly emerged ransomwa...

Discord accounts are getting compromised in a fresh wave of a ransomware attack. The campaign involves multiple newly emerged ransomware families out of which we will be deciphering 'AXLocker' ransomware family. 'AXLocker' ransomware family is found to be encrypting numerous file types of targeted operating systems. In addition to that, the operators behind it have also started to steal Discord tokens from both the victim's machine and their servers. The ransomware operator leaves a ransom note that is displayed on the infected system of the victim in order to obtain the decryption tool used for recovering the encrypted files. After a user logs in to Discord using their credentials, the platform responds with a token that may be used for further authentication. After obtaining this token, the user may either log in as themselves or send API queries to access their account details. Ransomware operators are trying to gain this token since it may be used to gain access to accounts or, even worse, to launch further attacks. Theft of a moderator token or that of another verified community member could allow threat actors to conduct scams and steal funds from NFT platforms and cryptocurrency groups, as Discord has become the community of choice for these groups. ## Technical Analysis We have thoroughly [analyzed](https://blog.cyble.com/2022/11/18/axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns/) a sample of this new AXLocker ransomware family. Following the execution, the file disguises itself as the `startencryption()` function to targets by encrypting certain file extensions and excluding specific folders, as shown in the image below. ![AXLocker main function.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/AX_Locker_main_function_2b6f583926.jpg) ***AXLocker main function*** In order to locate a specific code, the `startencryption()` function uses a directory enumerator to scan the whole C:/ disk. As can be seen in the illustration below, it scans for certain file extensions to encrypt and avoids encrypting a set of specified folders. ![File extension to encrypt.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/File_extension_to_encrypt_5ab9b38322.jpg) ***File extension to encrypt and directories to exclude from encryption*** The ransomware then runs the ProcessFile function, which in turn performs the EncryptFile function with the fileName as an input, thus encrypting the victim's system files. Files are encrypted using the advanced encryption standard AES algorithm however, their actual file names are maintained; no file extension is added. The code snippet below seen in the picture is ransomware, and it is responsible for looking for and encrypting the victim's data. ![AXLocker searching & encrypting.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/AX_Locker_searching_and_encrypting_eee0b9e1da.jpg) ***AXLocker ransomware encrypting files*** Following the encryption of the victim's data, the ransomware captures and transmits personally identifiable information such as the victim's Computer name, Username, Machine IP address, System UUID, and Discord tokens. ![Exfiltrate victim stolen details.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Exfiltrate_victim_stolen_details_0cc2118677.jpg) ***Exfiltrate victim stolen details*** AxLocker scans the following directories and extracts tokens [Discord](https://www.secureblink.com/cyber-security-news/opensea-impersonators-targeting-crypto-wallets-and-nfts-under-discord-phishing-campaign) tokens using regular expressions: - Discord\Local Storage\leveldb - discordcanary\Local Storage\leveldb - discordptb\leveldb - Opera Software\Opera Stable\Local Storage\leveldb - Google\Chrome\User Data\\Default\Local Storage\leveldb - BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb - Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb ![Function for stealing Discord tokens.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Function_for_stealing_Discord_tokens_e07e79e8f8.jpg) ***Functions to steal Discord tokens*** Once the intended files are encrypted, the AXLocker ransomware will display a pop-up window with a ransom message and contact information for the operators so that the data may be restored back. It is worth mentioning that the victim gets 48 hours to contact the ransomware operators with the victim ID, but doesn't specify the ransom amount. ![AXLocker Ransom Note.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/AX_Locker_Ransom_Note_597d503294.jpg) ***AXLocker ransom note*** ## Indicators of Compromise ab2c19f4c79bc7a2527ab4df85c69559 60a692c6eaf34a042717f54dbec4372848d7a3e3 d51297c4525a9ce3127500059de3596417d031916eb9a52b737a62fb159f61e0 07563c3b4988c221314fdab4b0500d2f a5f53c9b0f7956790248607e4122db18ba2b8bd9 0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224 a18ac3bfb1be7773182e1367c53ec854 c3d5c1f5ece8f0cf498d4812f981116ad7667286 c8e3c547e22ae37f9eeb37a1efd28de2bae0bfae67ce3798da9592f8579d433c 9be47a6394a32e371869298cdf4bdd56 ca349c0ddd6cda3a53ada634c3c1e1d6f494da8a 9e95fcf79fac246ebb5ded254449126b7dd9ab7c26bc3238814eafb1b61ffd7a ad1c2d9a87ebc01fa187f2f44d9a977c 03d871509a7369f5622e9ba0e21a14a7e813536d d9793c24290599662adc4c9cba98a192207d9c5a18360f3a642bd9c07ef70d57

loading..
  21-Nov-2022
loading..
  1 min read
loading..

Amadey

LockBit

Phishing

LockBit 3.0 Ransomware affiliates acting as a lure with phishing emails to deplo...

Amadey Bot is being used by ransomware affiliates, as validated by our threat research team, to deploy LockBit 3.0. In 2018, hackers uncovered a new malware called Amadey Bot, which could follow commands from its attacker to steal data and install other malware. To this day, it is being utilized by numerous attackers and is being sold on illegal marketplaces with other malware strains. In the past, it has been used by GandCrab attackers to deploy ransomware and by the notorious TA505 gang, responsible for the [Clop ransomware](https://www.secureblink.com/threat-research/clop-ransomware), to deploy FlawedAmmyy. More recently, malware has been spreading while posing as a popular Korean messenger app. ## The Amadey Bot Pretends to Be a Well-Known Korean Instant Messenger Program So That It Can Spread There are now two attack vectors for distributing Amadey Bot, the malware responsible for installing LockBit: infected Word documents and executables that pretend to be Word files. ### 1. Malicious Word file as a Case of Distribution _"Sia Sim.docx"_ is a malicious Word document that contains malicious code. The file was sent to VirusTotal. When opened, the external Word file downloads another Word file from the given URL, which includes a malicious VBA macro. ![image-152.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_152_1184ba3935.jpg) ***Figure 1: Reference external URL*** The graphic in the text body serves to prompt the user to choose _"Enable Content"_ so that the VBA macro may run. ![image-153.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_153_a6a254b939.jpg) ***Figure 2: An example of a malicious Word file that activates a macro*** After the user hits _"Enable Content,"_ the malicious LNK file is installed using the VBA macro that was downloaded. The following command creates the LNK file in the `C:\Users\Public\skem.lnk`directory and runs it. `> rundll32 url.dll,OpenURL C:\Users\Public\skeml.lnk` ![image-154.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_154_e3d05ed75e.jpg) ***Figure 3: Saved as a VBA macro*** It's a downloader that launches PowerShell commands to get Amadey installed and running from the LNK file. ![image-155.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_155_8f55c2693a.jpg) ***Figure 4: LNK file that was made*** ### 2. In-Effect of Executable Concealment as a Word Document In one instance, the malicious malware was named _"Resume.exe."_ There has been no confirmation of the email used in the assault, but the file was reportedly named _"Resume.exe''_ when it was executed. The compression tool that made it also made it seem like a harmless Word file icon. Based on its features, it is likely that Amadey was spread using a malicious e-mail attachment. An executable retrieved on October 27th, 2022 is up next. ![image-151.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_151_6eb279dc91.jpg) ***Figure 5: Pictured here is Amadey Bot pretending to be a simple Word file icon.*** ## Amadey Bot Both of the above Amadeys downloaded from the same URL and spoke with the same C&C server, suggesting that the attacker is using several vectors to spread the malware. If Amadey completes the preceding steps, it makes a copy of itself in the Temp directory, registers with the task scheduler, and stays active even after the computer is rebooted. `> “c:\windows\system32\schtasks.exe” /create /sc minute /mo 1 /tn rovwer.exe /tr` `“c:\users[username]\appdata\local\temp\0d467a63d9\rovwer.exe” /f` Following that, it connects to the C&C server, provides the infected system's default information, and receives instructions. The capabilities and specifics of Amadey, such as the information stolen by the virus and the information sent from infected computers, were previously disclosed in the blog. #### [SmokeLoader](https://bit.ly/3OyFMJZ) is Being Used to Disseminate the Amadey Bot. ![image-145.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_145_538fd9fd85.jpg) ***Figure 6: C&C Communication Model Used by Amadey*** ![image-146.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_146_740efbd40e.jpg) ***Figure 7: Login screen for Amadey*** Each of the three commands sent to Amadey by the C&C server downloads and runs malicious code from the outside source. LockBits come in three different formats: "cc.ps1," "dd.ps1," and "LBB.exe," which is the executable version of LockBit. Each one is generated in a folder with a name that matches one given by the C&C server. – %TEMP%\1000018041\dd.ps1 – %TEMP%\1000019041\cc.ps1 – %TEMP%\1000020001\LBB.exe ### LockBit 3.0 LockBit is executed once the malware has finished downloading. After being unobfuscated in memory, the powershell files are structured for execution. ![image-149.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_149_e4378bb965.jpg) ***Figure 8: LockBit powershell malware with obfuscation*** If Amadey's downloaded file is a powershell form, the command below is executed. > “c:\windows\system32\windowspowershell\v1.0\powershell.exe” -executionpolicy remotesigned -file “c:\users[username]\appdata\local\temp\1000018041\dd.ps1” Since 2022, when Amadey was first released, Lockbits have been widely spread in Korea, and the team behind it has published many studies analyzing ransomware. LockBit 3.0, whose distribution keywords include "job application" and "copyright," has just been verified. Themes suggest that this assault is aimed against businesses. The desktop is modified as shown below by the [Lockbit ransomware](https://bit.ly/3EFSu6g), which also warns the user and infects files in the user's surroundings. A ransom letter is then placed in each file's directory, claiming that the user's data has been encrypted and stolen and threatening to be made public unless the user pays a ransom. ![image-147.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_147_2a510f8448.jpg) ***Figure 9: LockBit 3.0 ransomware hijacked my desktop and messed things up*** ![image-148.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/image_148_d02095f95b.jpg) ***Figure 10: LockBit 3.0 Encryption Note*** Users should exercise extreme care, since LockBit ransomware is spreading through a number of channels. Users should always have the most recent versions of the programs they use and V3 installed, and they should never open a document file that they received from an unknown source. ## File Detection – Downloader/DOC.External (2022.10.31.02) – Downloader/DOC.Generic (2022.10.31.02) – Trojan/LNK.Runner (2022.10.31.02) – Malware/Win.Generic.R531852 (2022.10.27.03) – Trojan/Win.Delf.R452782 (2021.11.24.02) – Ransomware/Win.LockBit.R506767 (2022.07.27.01) – Ransomware/PowerShell.Lockbit.S1945 (2022.10.29.00) ## AMSI Detection – Ransomware/PowerShell.Lockbit.SA1945 (2022.10.29.00) ## Behavioral Detection – Ransom/MDP.Decoy.M1171 – Ransom/MDP.Event.M1875 – Ransom/MDP.Behavior.M1946 ## Indicators of Compromise #### MD5 – 13b12238e3a44bcdf89a7686e7179e16: Malicious Word Document (Sia_Sim.docx) – ae59e82ddd8d9840b79bfddbe4034462: Downloaded malicious VBA macro (v5sqpe.dotm) – bf4d4f36c34461c6605b42c456fa4492: Downloader LNK (skeml.lnk) – 56c9c8f181803ece490087ebe053ef72: Amadey (1234.exe) – bf331800dbb46bb32a8ac89e4543cafa: Amadey (Resume.exe) – ad444dcdadfe5ba7901ec58be714cf57: Amadey Stealer Plugin (cred.dll) – f9ab1c6ad6e788686509d5abedfd1001: LockBit (cc.ps1) – 1690f558aa93267b8bcd14c1d5b9ce34: LockBit (dd.ps1) – 5e54923e6dc9508ae25fb6148d5b2e55: LockBit (LBB.exe) #### C&C and Download – hxxp://188.34.187[.]110/v5sqpe.dotm: External URL – hxxp://188.34.187[.]110/1234.exe: Amadey Download URL – hxxp://62.204.41[.]25/3g4mn5s/index.php : Amadey C&C – hxxp://62.204.41[.]25/3g4mn5s/Plugins/cred.dll : Amadey Stealer Plugin Download – hxxp://188.34.187[.]110/dd.ps1 : LockBit – hxxp://188.34.187[.]110/cc.ps1 : LockBit – hxxp://188.34.187[.]110/LBB.exe : LockBit

loading..
  09-Nov-2022
loading..
  1 min read
loading..

Wanniti

APT41

Spyder Loader

Operation CuckooBees resurfaced since its inception in May, involved in a series...

Secure Blink threat researchers have been continuously monitoring a likely continuation of the Operation CuckooBees derived from the series of recent intrusions targeting organizations across Hong Kong, which spotted the inception of Spyder Loader malware. Over the course of more than a year, the same attackers from Winnti APT later Operation CuckooBees Campaign remained hyper persistent on the networks of a number of government agencies. Operation CuckooBees was first identified back in May 2022 by the help of an intelligence-gathering campaign that had been operating under stealth mode since at least 2019, stealing details on intellectual property and other critical data including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related datasets from the compromised systems. It was later identified to have close links with China-based Winnti APT leveraging a previously undocumented malware to wipe out classified trade files from multiple organizations. While this covert attack campaign was primarily intended to be targeted at multiple technology and manufacturing companies across North America, Western Europe and East Asia deploying different versions of Spyder Loader, PRIVATELOG, and WINNKIT. Windows Common Log File System (CLFS) mechanism and NTFS transaction manipulation was leveraged to Evaass any possible detection. Most of the affected companies were government agencies, and the attackers remained active on some systems for almost a year. We discovered installations of the Spyder Loader (Trojan.Spyload) malware on target networks, suggesting this is related to a larger operation. Although the campaign's final payload was not visible to us, it is probable that intelligence gathering was its ultimate purpose based on past behavior detected in conjunction with the [Spyder Loader malware](https://bit.ly/3sq4X9b). ## Operation CuckooBees: How it all started It was anticipated that the threat group was able to exfiltrate hundreds of terabytes of data after having years to execute covert reconnaissance and locate data. The attackers not only targeted the victims' intellectual property, but gathered data that may be utilized for future intrusions, including information about the business divisions of the target organization, its network architecture, user accounts and passwords, staff emails, and customer data. Researchers at Secure Blink ascribe the intrusions and Operation CuckooBees to the [Winnti APT](https://attack.mitre.org/groups/G0044/) with moderate to high confidence. Winnti, also known as APT 41, BARIUM, and Blackfly, is a Chinese state-sponsored APT organization notorious for its stealth, complexity, and emphasis on obtaining trade secrets. ![Operation CuckooBees Replicating Wanniti Infection Chain](https://sb-cms.s3.ap-south-1.amazonaws.com/Infection_Chain_3450c318c8.jpg) ## Link between Operation CuckooBees & Spyder Loader SonicWall first [revealed](https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/) the existence of the Spyder Loader malware in a March 2021 blog post, where security researchers claimed the threat was _"being used for targeted attacks on information storage systems, collecting information about corrupted devices, executing mischievous payloads, coordinating script execution, and C&C server communication."_ We have continued our analysis following these key findings extending it into a detailed elaboration of a long-running campaign goes by the moniker Operation CuckooBees. They claimed the campaign had begun in 2019, at the earliest. Attackers _"targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data,"_ according to the researchers, who found that hundreds of gigabytes of information were stolen. Credentials, customer information, and network architecture details were also taken, all of which could be used in seamlessly executing future attacks. Spyder Loader was also involved in that campaign, establishing similar behavior as it was heavily deployed in the victims network. This malware is responsible for obtaining data from infected devices, malicious payloads can be executed, script execution can be coordinated, and communication with the C2 server can also be taken in place. The attackers also made use of post-exploitation tools including Mimikatz and a SQLite DLL module that had been trojanized, allowing it to receive instructions from a remote server or load an arbitrary payload. Despite the fact that the final payload delivered by this campaign remains unclear, threat researchers believe that the entire campaign's motivation is driven by intelligence gathering based on tactical overlaps with previous attacks. ## Technical Details We have thoroughly analyzed the available malware samples compiled as a 64-bit PE DLL. It is a modified version of sqlite3.dll with the sqlite3 prepare v4 malicious export added. As its third argument, sqlite3 prepare v4 export expects a string. Reportedly, anytime rundll32.exe executes an export, the third argument of the called export should include a portion of the command-line for the process. This loader extracts the file name from its third argument and expects the file to have a series of records when it is run. The malware sample needs at least records holding blob ids 1 and 2. Additionally, the sample verifies the optional blob ids 3 and 4. For blob ids 1 and 2, encrypted blob is encoded using the AES algorithm in Ciphertext Feedback (CFB) mode with segment size of 0x80 bits. **"Encryption strings is based on the name of an affected computer per GetComputerNameW() API:*** `def generate_aes_key(): computer_name = [obtained via GetComputerNameW()] hash = hashlib.sha256(computer_name.upper()) digest = hash.digest() return digest[: 0x10]` In addition, the initialization vector (IV) is obtained from the respective record header. `def generate_aes_IV(): return struct.pack("<IIII", blob_id, blob_size, blob_cksum, 0)` Develops FileMapping with the available samples through the following parameters: `hFile = INVALID_HANDLE_VALUE` `dwMaximumSizeLow = sum of blob_sizes for blob_ids 2, 3 and 4` `lpName =` `"Global\{94803275-9AEA-474E-A8F7-904EDE192BF4}"` Next, it populates the created FileMapping with: a copy of record storing blob_id 2, but decrypting the content of field encrypted_blob, (if present) copy of record storing blob_id 3, and (if present) copy of record storing blob_id 4. It next examines the status of the IKEEXT service and, if it is running, stops it. Next, it saves the decrypted file of blob id one as the next file before launching the service.: `[SystemDirectory]\wlbsctrl.dll` It seems that this is supposed to run the wlbsctrl.dll file. This file presumably functions as a next-stage loader that executes the contents of blob id 2 from the generated FileMapping. The remaining optional blobs might potentially be utilized for further phases and/or configuration data. This is theoretical, though, since we did not see these extra content blobs being executed. As indicated earlier, AES encryption is employed when the example use the CryptoPP C++ library, but the ChaCha20 method is also used to encrypt one of the strings. In addition to cleaning up produced artifacts, the virus overwrites the content of the dumped wlbsctrl.dll file before destroying it. These measures are probably used to prevent the activity from being evaluated. Debug strings also indicated that the source code location of the malware was the following: `e:\works\2021\stonev4-legacy\cryptopp_5_6_4\cryptopp\secblock.h` Similarities between this activity and the Spyder Loader activity include: `Use of a modified version of sqlite3.dll` `rundll32.exe command-line example seen seems consistent with how the third parameter of malicious export is used in this sample` `Use of the CryptoPP C++ library` These various similarities led us to conclude that this sample was also a version of the Spyder Loader malware. We saw various variants of Spyder Loader on victim networks, all displaying largely the same functionality. ## Additional activities spotted on victim's network In addition to a modified SQLite DLL with the malicious export sqlite3_extension_init that builds and starts a service called GeneralMantenanceWork for a file named data.dat, we saw numerous additional malware samples that carried out a variety of activities on victim networks. We also observed the execution of Mimikatz on victim networks, as well as a Trojanized ZLib DLL with multiple malicious exports, one of which appeared to be waiting for communication from a command-and-control (C&C) server, while the other would load a payload from the file name provided on the command-line. Another sample installs and runs the below component of winpcap as a service: - It accepts either -i or -v as a parameter - i installs and runs a service - v checks if winpcap is already installed Files with the names npf.sys and packet.dll are then installed. ## Covert Campaign based on Intelligence Gathering Spyder Loader malware overlaps with the primary activity, and the victims spotted in this latest activity make it most probable that the objective behind this activity is intelligence gathering, even if we weren't able to witness the final payload delivered in this campaign. The fact that this campaign has been running for many years, with multiple versions of the Spyder Loader malware distributed over that time, suggests that the players behind this activity are persistent and focused adversaries with the capacity to carry out stealthy operations on target networks over an extended period of time. Companies with important intellectual property should verify that they have taken all necessary precautions to secure their networks from such activity. ## Wrapping it all up… Intellectual property theft has a difficult-to-quantify economic effect. Though it depends on a number of different factors. Nowadays, information is the most valuable commodity, and cyber espionage appears to be difficult to distinguish from espionage conducted by nation states. The repercussions of stolen data might be dire in a number of different contexts. Losing terabytes of sensitive and unique intellectual property has a devastating effect on the bottom line and eliminates any competitive edge in the market. Due to the intricacy, stealth, and sophistication of the assaults, it is difficult to determine the precise number of businesses impacted by Operation CuckooBees. Winnti is one of the most productive organizations representing Chinese state-aligned interests. Multiple reports and US Department of Justice (DOJ) charges have linked Winnti to large-scale IP theft schemes throughout the years. Secure Blink threat researchers estimate that hundreds of other firms may have been impacted by this or similar Winnti attacks. Cyber espionage often does not elicit the same level of alarm or public attention as other hacks, but this does not make it less hazardous. A malevolent operation that steals intellectual property invisibly for years is very expensive and may have implications for decades. ## Indicators of Compromise 54bcd44d4606e0fdb1b7c2110684f429f9e234269d213ddb60c9665e7b8679c7 00634e46b14ba42c12e35a367f1c7a616fb8e8754ebb2e24ae936377a3ee544a 06ed28c4ae295dec0bd692cd7fcecb5fa9de644968d281f5e4bf48eb72bc4b63 0cdbde55b23b26efd5c4503473bd673e3e5a75eae375bae866b6541edb8fcc84 181a25cbcd050c1b42839a5d32df4f59055e27377e71eaa3eb9230a43667f075 228784cc7dad998f1f8b7395bf758827eff9b27762a7056d9e8832bb8a029aad 260d54c2fcf725a8b6d030c36ca26f65ba3d01f707fa0e841cac0166d06218c0 2879253c8c8dd3ee53525c81801d813594bb657ad4f7478ba4288112f0315c9e 2da683d54f12d83f0f111b5c57f7f78016cad5860b2604d38b2aba37ab3d5c55 3196e74004816227323d6864448361fb173b3c96cf3d1b0aa26dfcd259a61505 33aa5df5470ae59cd30c7ea4c2ad1e13901a8fd13ea6b4b5584d10ffdba31ee4 396e35b2a4f920182d3148c834cf70f00b6094600e51e030d6fc297cb0ca5c06 3b3df3ada05e521ec8ce2f0deaeb6fd4359a2de9cadb0dd51c0d9d7a835473a4 3d96132412d8587849aa5dfd35c968755b30a08b100ec42eb810ff1f042e9fd0 3e10500c3779e56d2daa05da920d014becf33597f5ccb67c069320c5c43d40d2 4164cfc533621e37c8ad910f29d4afa92d0180c1697b7970746243574029a1f1 417a65be8ef81cb36021dbe56b07bf5dd65b7355e61b7a94bc988aaa335b22da 4221362bba10aedbb2d09729567d090f543c5de8543ec55ca4a6516815202064 438dddd93333ccfce4499558c92b20341166a134a8451ffc60ebf6ec5e0890dc 48658c800b724197cb91cbfd064df060221bc72bd77301707cb30b2f7c2b81fb 4a9cd0c32d6992077d3140917928f1b931bb2bf28e88f0dd8e4c92cd5d9cbe00 4bc3a4e4d74b81acf19621da7c8304527fff954747ab3393b78e0758306b3fa6 4d8784b957d826acc00e5a87d7317bbaeb63c7f9f86a5f446a41a5a355de437e 4dfae8301a9284eea4e975476ceaa652d5d3c799879dec7c5c9e18bbc2930885 551794bd7c66fb064d81230161b25ed81a714aa9377f2a9a1af69626dc99d385 5bf03354d708d3c87e82a50d3f4c948fc8c6e8186537b0463edafd9546b51333 033313b31fbea64a1a0a53b38c74236f7af2e49018faa2be6c036427c456ef6d 5cf6bca323851a509120399a975edc759a9d2c5c21aff18ee6cae506b0f93d67 5deab41977d5d6217b3e35cfab81015d83f270650ccc170dfb948e55e92478dd 091e3e806b6d66cf1eccbd57a787eec65df5f07ad88118c576b3ae06c08af744 5f477c03a689b4aeed28dcb2f8bab3dfa7fc834223062f16eddb5426c2cfa2e6 6741a9ea57e38d1e9d6014bd191b0ac517d2bfa2d79cb091c64fb8011c8521d3 69d927abbacdfcdcad0a1d878e8c0a8543a940a101447b9127365034f7a2d773 6d07ce2ca82489599ae609c6ed18f587059ed5cf2d32a513c5ea6d35861695e9 6d689996a8721f8417de46d645dc6b66b261afdf8ee30b4a0853ff94ec87d3b0 72424e99c1814a1d741508c198eac3e3e84626ce39d961c014718e7f8abb6fe5 7443e17e80dec2db6cfffc0a272fd8a27b2a98a42ffc15fb9065c072dc5904f7 74ff4db3af082d73dcba597cacfd4cae64e00c68169a64be2f3715a0f06535ae 7ccb9cdaff8c6c7785ee1422aa70723c976f62795593b02fbf0923f09c6b647d 7ecd5ec38db31cfb7146ac684eb75912e418c3fbb69a2562478b5fce2ae2c615 8344fcc55534f0b0e08f48f44607771d7cfad130f749ddcc434ffc6fd9012eaa 8535a6e49afa4057e504fa8f4a21a06f535f51bbafff0631c662d7ade5aabfb9 8648bb183abf8aa2111f4d98ecc386e5bcdfa614033efdd124d61ee155261a13 86a45d92282ed3c4f82687eb1d6cfa6a906d6fc5033014bdc6c57da07db1b1b2 892c1f324fa5c2370b06dedf691bd60fa0aa70a4bd6502b9c615cdcd3d5e698a 8a42bee7190e23f76e46e66f9194c33f33a60903a28d267acebf4fd8dead15e8 8a8109f2af10898cdf7259467d18410f2b61a89d5f0d7031b5e45e1bd3b8678a 8eeba9d12cd01b8eb245c76ff16e34eb0455001243fcf1889f28655e55c1d1ed 8fe7cc990ffaf4f156c0868b41e1e92d09c1270e11b96c7320498e0390cc93c6 9138916b9630c81a0b7b6597f4be72ca46c7e3dc1e6fd89d14ddb12f1deb7fdc 95bc468f50483f337d3ef6e1c5d1765beffee4db9c057d6e49713b3a099b2eef 96e22da2b69f599cba297a9aafc971a09c99433bf7f51ec37446c34ed3701d12 9b114bfec2561e76fd8d0c9b31633c2089abec8f3a99c297f0f6416838567452 9b7d8827685b71e92438355872f10c2364d7e3a3811df884eb41e371bcda8f6d 9daa43c1204184634b9833718155404d6c0366fcdd524f945eacfc3e5760c116 a43c9dbfd2a9c1a065eb7a9212f2125ea6e6a73256081bc2deacd50913162a6a a7f291bde213d9eb4fa60fb3517a6ec6fb7a057457534afe895c1684db0ba21d b02c10d8a83857352c99f09548397bf8e0ee0548b8e050e138b82eb08b98e938 b13bc2986f098580e2432dac7004a9dca2254c6756dafa3b7f67aff743ee060f b382824cbb11c60da6c733855c825dcbdf2bbfb8104a517d27af56b56625ba9f b4703af681c75d2d16c555f008bc4308a4d03767ceed55c02d1a892341444304 b4841104c663f4f013b467220d576035fd2187a92c84451709abff47c8fb162e b4cdc814f1536264cc5e469cebcbf351ee9d1b9620248bc0a6b14725fe38d5a0 b82a19a06270f37e3b12047a1382796678895fe1c58a9ef799cf5250f6c96dcf c01f402b942502889aa854326405b29a4d33947547074fbb9eab7c4c4a896d77 c276300d47daff9cc1e486e4ea3d776d82fa9b3f8161eccfe49fc3218afdfbe9 c3d41387bcc9c9f2d9858b1286ed51369a06ed12abe7623344a31a0e0f18f36a c57236c2e7fe84334d5bdef6420cbf121ab9f918f5d8e4323d7055b12947abb6 c862f2cdbf817f6d7c5568a4af2d8766a30719297e31a71620503e50176fceb2 ccaa5186451c0658b6294f5d8a78b3ec02505164c1ddec2b418259564cd7b23b cd5a53fc5bb675b47bb4055d8f3e4c45902a8245df2300ccf03d7da6464add78 cdaaf781557e85582dd42ff6a58ecbbb68a7cb2e0dc7c7aa49b1d5df5391330b d06730e1d07491a70b4b18b52e8f35c92509b5049239e3794a6be73ce160e2c0 d2939897865906fb339e878f620f928bff36c7dead15bb6ed94f7a9df16300e9 d3a163a7313629cc380b9405aafb847247d2a256ae48b60bffd0bfbe3082c19c d76e32647c3890100fe994a9a0f84a3e6957af08195366e86299e4033c2551f1 dbc60a4878ae9f1a2184c44837db9968a157f2008a16e3a350909a598f918dd9 dc4218b67f99196fb5d71c4bd5ce762e9b8950d8206e198a755650c5e6d17fd0 dc647ce87c62b0ac76530362694d1dafdca5ca414e5abb18c324dfd24f0e9644 deb0e05adad48b90a534beabe2ef4261d2a864112945907fbd2d020b90f24507 e1af76d84f98eb4cd7af04d35030e37ffaa8120a7d048fafe0cbcb2a7f86c460 e3b82ac4870a2ae86dfe88cf7ecf9bc0dc6ed653af0ad1aaa20194cae8aff411 e4f4b3a554c8a0fd693201333e8d634f8ef1fa4ca4445ca556492bb9d0d486c4 ef24840ccde8c7547b3329c7854fdd22d2178c7ad7f931303da2e6eacbf16d1c f17278d4eaafff971864c02efdc0e4435defad96e7f5203e580a4e32c64681d8 f8ebd94779851fbeca029db4ae938457c7ccf4e010b09f025ea5394b715b1838 f90dc76a9500ee2bb3380d5f4589289ec7ffa647be4262ee7674d37ce02283b7 5d868bfbfc767515c35ced7b0da36f41ed4728914ba081f132a9d9c54564ebf0

loading..
  31-Oct-2022
loading..
  1 min read