Overview

During the first half of February 2019 there was an increase in occurences of the spam messages containing attached documents with the names in the form “Request” followed by the number, like “Request15.doc”. These documents contains slightly obfuscated macros which leads to execution of the powershell downloader. This powershell downloader connects to the domains registered in Russian Federation and resolved to the Russian IP adresses. It seems that on these servers are hosted malicious content, in many cases detected as the Ursnif malware.

Macro-enabled documents

The spam messages may contain the password-protected zipped Word document (with password “1234567” written in the email body), or only the document itself.

Fig. 1: Email message with attached password-protected zip file

Usually the document is with blue background with text with suggestion to enable macros, or enable editing and content, as we can see on the next pictures:

Fig. 2: Document with request for enabling macros

Each type of document contains the specific macro code, in the first case, executed on document open (AutoOpen), in the second case, executed on document close (AutoClose), see Figure 3:

Fig. 3: Olevba output, AutoOpen and AutoClose macro execution

The macros can be extracted with the olevba tool, it is quite obfuscated, in the first case with multiple junk functions and select statements, in the second case with multiple junk variables. These two types of obfuscation are presented below:

Fig. 4: First type of obfuscation

Fig. 5: Second type of obfuscation

These macros leads after deobfuscation to running powershell with base64-encoded command. In the first type it will execute powershell directly, in the second type it will first execute the shell with the command taken from AlternativeText of one Shape. This alternative text contains the command for execution of powershell (in some cases the command first run the ‘cmd.exe’ and then ‘powershell’):

Fig. 6: First type macro deobfuscated

Fig. 7: Second type macro deobfuscated

Fig. 8: Second type macro deobfuscated: shape with powershell command

Powershell downloaders

Decoding of the base64 encoding reveal that the first powershell command is obfuscated (see Fig. 9), but after quick deobfuscation it is clear that this is the powershell downloader. It checks if the downloaded executable file has at least 40kB and if yes, it will execute it (Fig. 10).

Fig. 9: Obfuscated powershell downloader

Fig. 10: Debfuscated powershell downloader

Decoding of the powershell command from the second document will result to the another downloader, which is not obfuscated in this case. It will try two approaches, first, download string and invoke it as the powershell command. Second, download executable file and run it via ShellExecute.

Fig. 11: Powershell downloader from the second document

Ursnif campaign

Unfortunatelly, the downloaded content was not present during my analysis and it was not available even during the analysis on Any.Run. But using the VirusTotal domain information we can see that multiple executable files have been downloaded from this domain and most of them has been identified as the Ursnif spyware.

Fig. 12: Virustotal Domain information

Fig. 13: Virustotal detection

It seems that there are more domains involved in this campaign, with more “ReqeustXX.doc” documents. Also, on the Any.Run it is possible to see the increase in the number of submission with these filenames and tagged as the Ursnif. These samples have been submited since 05th February 2019 until now, and it seems that the campaign still continue, but with decreasing intensity.

Fig. 14: Any.Run public submissions

From these public submissions we can extract multiple contacted domains by powershell downloaders. We can find even more samples with filenames like “Request15.doc” by using the search engines (e.g. Google) targeted on the sites related to malware analysis (e.g. VirusTotal, Hybrid-Analysis,…). With set of these domains and samples, it is possible to reveal even more IOCs of this campaign, like contacted URLs, documents with powershel downloaders, downloaded executable files, etc. VirusTotal Graph is very useful tool for visualization of relationships between malware-related entities. Create an overview of the samples, scope of the campaign, country attribution can be matter of several minutes. In this case, my investigation has resulted in the following graph with malicious domains, urls, documents and executable files:

Fig. 15: VirusTotal Graph

The domains from the above examples have been resolved to the Russian IP addresses from the start of the attack (the US-one is the exception, the domain pgarfielduozzelda.band has been resolved to it only since 21th February, and the black flags are also the Russian IP address regarding to whois), and also the most of these domains have been registered in Russian Federation.

Conclusion

The two types of macro-enabled documents with powershell downloader spreading via emails in recent campaign have been presented in this part of the analysis. The powershell downloaders and/or the macros are slightly obfuscated, however, it is easy to defeat this obfuscation and reveal their purpose. The analysis also sumarized the information and relationships between malware samples and domains related to this campaign and brings the summary of collected IOCs below.

IOCs

  • IP adresses:
    • 46.173.219.104
    • 46.29.167.73
    • 89.223.28.184
    • 109.234.38.152
    • 176.32.33.171
    • 185.120.58.13
    • 185.228.234.159
    • 185.228.234.5
    • 193.187.172.169
    • 209.141.58.88
    • 213.226.124.245
  • Domains:
    • d49dv62iea39.email
    • d74yhvickie.band
    • fmarquisecale.com
    • g53lois51bruce.company
    • hkf98ua36ou.com
    • nuavclq20tony.com
    • pgarfielduozzelda.band
    • rz70tom99.band
    • veulalmffyy.company
    • wbfnjohanna.band
    • www.g53lois51bruce.company
    • www.nuavclq20tony.com
    • www.xvirginieyylj.city
    • xvirginieyylj.city
    • zgnoeliakatelynn.com
  • URLs:
    • hxxp://d49dv62iea39.email/
    • hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.php
    • hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.phpl=noos11.harz
    • hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=noos12.harz
    • hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=noos15.harz
    • hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=noos1.harz
    • hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=noos2harz
    • hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdophp?l=noos2harz
    • hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=noos4.harz
    • hxxp://d49dv62iea39.email/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=noos7.harz
    • hxxp://d74yhvickie.band/
    • hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php
    • hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?1=cubom13.jam
    • hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?l=cubom10.jam
    • hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?l=cubom10.jam.
    • hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?l=cubom[1-16].jam
    • hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?l=cubom13.jam
    • hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?l=cubom17.jam
    • hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?l=cubom8.jam
    • hxxp://d74yhvickie.band/xn102sp10zk/m10ps1-slx.php?l=cubom9.jam
    • hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php
    • hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid14.jam
    • hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid1.jam
    • hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid2.jam
    • hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid3.jam
    • hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid4.jam
    • hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid5.jam
    • hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid6.jam
    • hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid7.jam
    • hxxp://fmarquisecale.com/xn102sp10zk/m10ps1-slx.php?l=ledid8.jam
    • hxxp://g53lois51bruce.company/
    • hxxp://g53lois51bruce.company/xap_102b-AZ1
    • hxxp://g53lois51bruce.company/xap_102b-AZ1/
    • hxxp://g53lois51bruce.company/xap_102b-AZ1/704e.php
    • hxxp://g53lois51bruce.company/xap_102b-AZ1/704e.php?l=xtex10.gas
    • hxxp://g53lois51bruce.company/xap_102b-AZ1/704e.php?l=xtex[1-15].gas
    • hxxp://g53lois51bruce.company/xap_102b-AZ1/704e.php?l=xtex15.gas
    • hxxp://g53lois51bruce.company/xap_102b-AZ1/704e.php?l=xtex4.gas
    • hxxp://g53lois51bruce.company/xap_102b-AZ1/704e.php?l=xtex7.gas
    • hxxp://hkf98ua36ou.com/
    • hxxp://hkf98ua36ou.com/xap_102b-AZ1
    • hxxp://hkf98ua36ou.com/xap_102b-az1/704e.php
    • hxxp://hkf98ua36ou.com/xap_102b-AZ1/704e.php?1adnaz8.gas
    • hxxp://hkf98ua36ou.com/xap_102b-AZ1/704e.php?l=adnaz19.gas
    • hxxp://hkf98ua36ou.com/xap_102b-AZ1/704e.php?l=adnaz4.gas
    • hxxp://hkf98ua36ou.com/xap_102b-AZ1/704e.php?l=adnaz5.ga
    • hxxp://hkf98ua36ou.com/xap_102b-az1/704e.php?l=adnaz5.gas
    • hxxp://hkf98ua36ou.com/xap_102b-az1/704e.php?l=adnaz8.gas
    • hxxp://hkf98ua36ou.com/xap_102b-AZ1/704e.php?l=adnaz8.gas
    • hxxp://nuavclq20tony.com/
    • hxxp://nuavclq20tony.com/xn102sp10zk
    • hxxp://nuavclq20tony.com/xn102sp10zk/m10ps1-slx.php?l=ledid12.jam
    • hxxp://nuavclq20tony.com/xn102sp10zk/m10ps1-slx.php?l=ledid13.jam
    • hxxp://nuavclq20tony.com/xn102sp10zk/m10ps1-slx.php?l=ledid4.jam
    • hxxp://nuavclq20tony.com/xn102sp10zk/m10ps1-slx.php?l=ledid5.jam
    • hxxp://nuavclq20tony.com/xn102sp10zk/m10ps1-slx.php?l=ledid7.jam
    • hxxp://nuavclq20tony.com/xn102sp10zk/m10ps1-slx.php?l=ledid8.jam
    • hxxp://nuavclq20tony.com/xn102sp10zk/m10ps1-slx.php?l=ledid9.jam
    • hxxp://pgarfielduozzelda.band/
    • hxxp://pgarfielduozzelda.band/xn102sp10zk/m10ps1-slx.php
    • hxxp://pgarfielduozzelda.band/xn102sp10zkm10ps1-slx.phpexop12.jam
    • hxxp://pgarfielduozzelda.band/xn102sp10zk/m10ps1-slx.php?l=exop10.jam
    • hxxp://pgarfielduozzelda.band/xn102sp10zk/m10ps1-slx.php?l=exop12.jam
    • hxxp://pgarfielduozzelda.band/xn102sp10zk/m10ps1-slx.php?l=exop13.jam
    • hxxp://pgarfielduozzelda.band/xn102sp10zk/m10ps1-slx.php?l=exop8.jam
    • hxxp://pgarfielduozzelda.band/xn102sp10zk/m10ps1-slx.php?l=exop9.jam
    • hxxp://pgarfielduozzelda.band/xn102sp10zk/m10ps1-slx.php?l=exop9.jam@B8_944473A95__13691
    • hxxp://rz70tom99.band/
    • hxxp://rz70tom99.band/xap_102b-az1/704e.php
    • hxxp://rz70tom99.band/xap_102b-AZ1/704e.php
    • hxxp://rz70tom99.band/xap_102b-AZ1/704e.php?1=xorof4.gas
    • hxxp://rz70tom99.band/xap_102b-AZ1/704e.php?l=xorof3.gas
    • hxxp://rz70tom99.band/xap_102b-az1/704e.php?l=xorof4.gas
    • hxxp://rz70tom99.band/xap_102b-AZ1/704e.php?l=xorof4.gas
    • hxxps://g53lois51bruce.company/
    • hxxps://nuavclq20tony.com/
    • hxxps://pgarfielduozzelda.band/
    • hxxps://rz70tom99.band/
    • hxxps://rz70tom99.band/xap_102b-az1/704e.php?l=xorof4.gas
    • hxxps://rz70tom99.band/xap_102b-AZ1/704e.php?l=xorof4.gas
    • hxxps://xvirginieyylj.city/
    • hxxps://xvirginieyylj.city/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=batyw11.harz
    • hxxp://veulalmffyy.company/
    • hxxp://veulalmffyy.company/puewpxmasl/s
    • hxxp://veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php
    • hxxp://veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?
    • hxxp://veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=sklimf13.harz
    • hxxp://veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=sklimf2.harz
    • hxxp://veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=sklimf4.harz
    • hxxp://veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=sklimf5.harz
    • hxxp://veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=sklimf9.harz
    • hxxp://veulalmffyy.company/puewpxmasl/XXX
    • hxxp://wbfnjohanna.band/xn102sp10zk
    • hxxp://wbfnjohanna.band/xn102sp10zk/m10ps1-slx.php
    • hxxp://wbfnjohanna.band/xn102sp10zk/m10ps1-slx.php?l=tdog2.jam
    • hxxp://wbfnjohanna.band/xn102sp10zk/m10ps1-slx.php?l=tdog2.jam
    • hxxp://wbfnjohanna.band/xn102sp10zk/m10ps1-slx.php?l=tdog3.jam
    • hxxp://wbfnjohanna.band/xn102sp10zk/m10ps1-slx.php?l=tdog4.jam
    • hxxp://wbfnjohanna.band/xn102sp10zk/m10ps1-slx.php?l=tdog5.jam
    • hxxp://wbfnjohanna.band/xn102sp10zk/m10ps1-slx.php?l=tdog6.jam
    • hxxp://wbfnjohanna.band/xn102sp10zk/m10ps1-slx.php?l=tdog7.jam
    • hxxp://xvirginieyylj.city/
    • hxxp://xvirginieyylj.city/puewpxmasl/
    • hxxp://xvirginieyylj.city/puewpxmasl/suoepwxpamxapxlamslxdo.php
    • hxxp://xvirginieyylj.city/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=batyw10.harz
    • hxxp://xvirginieyylj.city/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=batyw11.harz
    • hxxp://xvirginieyylj.city/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=batyw3.harz
    • hxxp://xvirginieyylj.city/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=batyw5.harz
    • hxxp://xvirginieyylj.city/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=batyw9.harz
    • hxxp://zgnoeliakatelynn.com/
    • hxxp://zgnoeliakatelynn.com/xn102sp10zk/m10ps1-slx.php
    • hxxp://zgnoeliakatelynn.com/xn102sp10zk/m10ps1-slx.php?cubom16.jam
    • hxxp://zgnoeliakatelynn.com/xn102sp10zk/m10ps1-slx.php?lcubom
    • hxxp://zgnoeliakatelynn.com/xn102sp10zk/m10ps1-slx.php?l=cubom10.jam
    • hxxp://zgnoeliakatelynn.com/xn102sp10zk/m10ps1-slx.php?l=cubom[1-16].jam
    • hxxp://zgnoeliakatelynn.com/xn102sp10zk/m10ps1-slx.php?l=cubom11.jam
    • hxxp://zgnoeliakatelynn.com/xn102sp10zk/m10ps1-slx.php?l=cubom16.jam
    • hxxp://zgnoeliakatelynn.com/xn102sp10zk/m10ps1-slx.php?l=cubom9.jam
  • Samples:
    • 0090a5eb10e90e9dc8969e1d4ca370a24a81cacae7813f004c35c96b3d34ef5c
    • 00a87f7662cac33aa1199e1d36b15d71064b093ffcadcf71ec19380d775323e1
    • 01dc719df7ef8513ebdb85f1cd2bc4603b8873c56ce380f9d3607419f571c419
    • 0344ec99e907790b9c1d851e1e07814f046d8b595b8b064d0214c1d5e5183616
    • 0ab17567f4c1bbad33f8021384b8afc96ee02afef0e55dfe59563302d8d6aed0
    • 0db384aa1bd02b3f983b8503879200558a2c44590a90f44087792ce0d00d43e9
    • 12a05273cdf3182b9bf2208cce3180c72c15ebd784af771ab0a158369814b6d9
    • 13f4f6bfa687c3b0a01c16f4c313bd10960d76258c2b97429b77a15b69870d1c
    • 14a813a38243e7803b74495c2be94a34c7d702d11c416e0925c5e33e6720d3dd
    • 1d57bb7ec42a9437e35b2f8a8d7d2bff6dc1615f6db64bbb8af481211561a83e
    • 1dd20cdc8f64e052ffc7ff8aa3edcf0b487a03308b7855f55e62cffe58b89188
    • 1e1509a6a58b807e396162f2ead1f67d361d2b663336a66b2493acd92bea9a2a
    • 21057a60024538576afbc3ab4fa60b0dbaf447f3424f05430d58b0c5b3a11fa9
    • 22286debebb3db5e95c654e0a03634347ec255a2489469c9f73093c3e923235b
    • 26ae9013972716985d16a30b9bb67c763a0b9403855e81ed2dd3a5235188b635
    • 281ebba397af5de8db77bb4b6413f88327c14d06a1f77b6b126c355a64554626
    • 2b7ef4b46a5f23b8a50a3a219eaf6b87440c2882069292ec95e38c034aece31c
    • 2d4690b8d373bb95561af26c44c4b3843d2e14280258bdf09d8b4972461f5b45
    • 312a01c19348d4a48841f1e0c6b77605eeb146e9bdcf2886411a2d18f9985ae8
    • 33672b3d477e75c8c1f9cb222a4fcab2184fec1fd9b98767e061aec7e576ad60
    • 373b866d92ef04e1b5d5e9a9400b1c18e389aa3b6829c4f80bea9812013da78c
    • 37c342b36a8c0b107ce510397a9b335711f0953cbbdbcdb41b88c50ad07c6bce
    • 38262decdac6c7aa72450c399141d7c058f17698e017e3baa0b7b54298439546
    • 3b155ad9f8b983c960de85b1e2cbf26e76b7b0a591520626a49ad8f00a35785b
    • 3bfc794becbcc085e64125b3b7eb46f1fffc80bb93d2231790b57bc9bc97725b
    • 3dd1c0ba9dc20f0d27e63e70563e8bdd8b5133510f09df6d59ccd9943143bdfb
    • 3fa080a3b3bc2333173c8119b940016143a1d20abe80994499017f1e9e70b41a
    • 45763a1bae98f75a15d5e0e8f7a2e0a0fb085d39989eb0193efa13124d98d35f
    • 46c9ad9ac2d0ca987f094d27ba8643ef613f140d2a7e0d7738e603925ad9449d
    • 486b52be2ef32efde11ebcc9dac6413a95b72167a0cfc5c323c114f7179f4b6b
    • 4a3e65a9d0ec3daf38e9c81918c3971b95390599956874398482b13e20c536a1
    • 4d6f73f7a470c95894b345d33e1852c29cf91476d27f3871546f09c8429a2c99
    • 4e931eaad8790f1edddb72f0ea4a9b50ab3c93916f09b5b9659378328b97f3fb
    • 4e9ea2399fe1d593a0a7d233e6f92bcae3ff521f3354cb5127ad8d31c9a26b7d
    • 4eb6478ea45a6c78b641b282a7ff0508050044777c668df8ed959b06ba661abf
    • 4ef7b518d42a8e0fc1f879dc175fbf1c7d0f0c0e1c402d63eef73db4bf27a895
    • 4fc7c0491710340f62993fb62a94848e3c5935c7d9d3f950700bacf8fd56d29d
    • 58da1463d41297ab73ff61354aa54e422e8f1889af499fc75f44ca7e9c6d7d58
    • 5b43d8dbfc3084e19c4d56949a48d72a269aa804dcac0a48bae5e1aad77a5647
    • 5d15ca9342abc08594f76d2ad16aae8058d0ed18038e1dadbcc0551bdad0760f
    • 5efe82556278fcac1d9d662d3e1a0abe060f48b24537e2843c74532ee13150f9
    • 5f5eb22a5cd351c63392156a865eec79361721cc56f7c7dcc9d1be8720308741
    • 6065712d7439ad5478288ae075eb4e3a7b25f769983e0782f73091d9c66adec4
    • 61cc4d1e5b08f5161d7b597b8231ac01e30ab39af2741c79ef0740febcaf2859
    • 63058d4d1631ab9bd4bef4016384ef164e1a7e8fc083c4609d0a1d37f75a53de
    • 6403adc739161960f95473477bbe4eca0812e35bf8b0510c4d221ce95348e4b1
    • 6921ed58c5396697eb8dc3beb2f1c23641b7af30259a83b31d918b062bb649f3
    • 6ac8a2f2c73bd7e77aa6f132a2300e8b04b8c675f23b74f9cd5892f9a14a11d3
    • 6ffb1eeb01acb2760a1b1358fa7d30ab1eb06f45f4ff7b64f48a59fc4a795e93
    • 7202707191fc9f702ca503aeed19332afb15b169d9c37c21767434501942695a
    • 74477d34586f996af7d2c915315ca29edabbbe9fa0f28d6a96f9e7374d307d14
    • 7475ee8bb92dfde99a385fbeb715d9dc3b6340c69cf9045aaee54a6ab26654f2
    • 7650fda380fb569b1be96b605e799de2e5c683c2bff449333a34c10b1a85a613
    • 77af4359a5c056aa2ab20ee2cdc4add00419bcb30371ab1107470a22c308b9bf
    • 78e3f5ba4f4207b547dee306c3a6b9e282af662e74ef804363ebe2665c827465
    • 7dcc1f253a147a68a5abd44f83b71e820d2403aaa13552e08e009ea68967766e
    • 84067c07cb3da2c063b9fa3b0a1b28e71133ab7cf8889745820fd2abcd422028
    • 8495f62347ec3ac79ece995fde2327b08b96b11d50ccf6f7f6fbe189ea9e8ce2
    • 8bdd831fa3c5d725724a2f1fd8ba1d806b1719acfa89d90b10b4121c018937c9
    • 8d2e1ea4eec9578f4d4054bebb2d48ba06460c9b8b472128a8f0239e52ae2975
    • 8f542cacbb8ed0c7f04d486a952504f64768a2c9c8e18645444416cf88a2490f
    • 90d4ce9b2f662e296ec84442c81d7e333f09a8f0ec02877b9b8f8d0ea99bfcc5
    • 92a89e6c942eef866662ccde64a1cfe400c7086c852f99a513ab448fce899911
    • 93b2b31876ffc0391a5d0aa9524a8600009ba8d11b19d805a096365419f02938
    • 95c056737ce3b7de42309b56fe596d857d52d6c7178f5b73f1baa07e0631a95f
    • 962586a1754cc4ae1d3b2272995747eca7b2a2c3115022beb8d08238451849de
    • 9639acbb1a74e968f42f74847df5b39e53b0b529a114f1c25a6cd96a2cd60b5d
    • 9775c86c4e6183e906925d9686a0e4bedd6b3fcfded5ec86f57871919b195240
    • 97e9afa9e21c07e71b802d99c7a41f462f9aad47a8324dd364dc307b20e0565b
    • 9a0091c9222c189dd8dcccbded1e777a67d6fb5add08d960df6fbaf840c4e602
    • 9e5e850d8150fcc67361620e85d0ee66ca5e63785ec9c6452d68eef7300af396
    • 9ed51707c31f4a680222ec2ff45ade5f08e134e0975d1c3b1dadebfb3d90d90a
    • 9fcfda8562185821cf3a6147565e87438f769c663bab23500f77433644c13a20
    • a0c95628b45f8c6206d0db547791b0ec7c86f9c53578c74af641181130ae42ec
    • a30054ebac6ba39a70031aa8a84c04ba106354b5cb3af12deacc0c26152d25b3
    • a32f96b630d2d59b3977618d9fbc0516c40aa1868302aa32dbeca91bd4abb884
    • a3c172e12ebe284d809d31bc193b37061dca3e9566580a4eb4ea3040a0d97b77
    • a4ec868b4f4a578b97f498896a42f8882f345bd4f4cae3f6b29bbc0319279434
    • a634a2b1175c6cd20c7a1b5c88d8ec7ebd26df661fcd1f5b83187f06efd47382
    • a6f493975810828f203d7297c84678b90248a1be767aa13fe5837c57ef6b0a6d
    • a81dbf05c60e71229e038aa267ba66ce1ea3ce890575d3f0eb58c79c2c57085e
    • a8a4640cd5e39c8b96aa01f3ad7f2208fd71f76d4491ecd9cb73dd2e4e2ce27e
    • ab37f3c2b6d280a1c573e54386023696eb03bdeb4dfb4af3051846f4b0cc060c
    • abff796e1bc6d32c36d40c48542688797e72062db50bb3fa5ee870501868af69
    • b65ddadd1f89643fcf8305c00b9db8ff9b0fbe3215e1670b5eb3d32c14e1fcaf
    • b6a415bd6f3ea1e803afd3cf820f9e7815e8a9b38f865062a3a7e3d56acc9f68
    • b7d30b145b009083ac8683cfcd59e4d8769cbd305d1f321083bb3be2f17e2857
    • bfc272cd9aeb9cbb5ce595d1ab889174e1d4407ce3bdc3f0d9a1a7d1230493d6
    • c1291c0cf1b22ba9829a932b0a112dddc99a18f93a712e4db5fd8ab98082d063
    • c21ecee9b6ac835b87f5895febdf5e40362419b85122510905ac7c898625dbbc
    • c668b0d251628f1be28b716e8584bf82bbf8ff09384d01c40755e333f0fdf89d
    • cbe29f9b03b7da02e266c6650ed92fe46ba4ab9d1908bf0b6d55f599d58a7f39
    • cc5059f9db19483b1d4c5bbe3af86290dc5222fa359785a145cb7d742d3411aa
    • cceb073cc5f696eb3b785490b708076b780f6d109d98c0173d1822d514751cf0
    • cd7f283a0766e0ea5f68c25eb1aeb01cd3b8e469d2ad9c586260398af36ad94d
    • d93f1d423add887b3bf4d26fd3862e54bbc1c6007dae7f4114ef82f143635716
    • e0665789f79e5db45653d78373dfed3bdc231490f399257c83e06270f8308457
    • e1e277ddbb659a28150d4af6a6537cc74eb0044e90fdf83f5362bca85249900d
    • e30bf61d0991b041bdb725847f67acba8c32e1ddce0539fa98ad2bf3cc4f79a4
    • e32601feb6e36035cd3ffc420d489c9ecb5999b65ee20dc07df021f8031646b1
    • e4a959684cd6ea7248dc4d2ad0d5df2790ff217685c2a341d242a85b5808d720
    • e92068587d6f3619f71575d4500bdee9af4511c662dc3c44857981e513d419ff
    • e974c3f5b8aacbb599bc81407f6171dc702e3e3baa55fa53647a395c37f3eef1
    • eb15567067bcec7ce3d2cf34cddb654230d538c6dc03955d75bcb1b6b8fa8f11
    • f17abd9afb7abb84ebd75cd0ea12c7831a30e1226b48fd4314f9a5b64b29a567
    • f1d38bb02a5dea271fe7f8db50db348fac3887af26cc7be3054920c68227beaf
    • f39d6a09ed5720e0d125438d3f1ef27b305be6d40974cf9d9131954b302d7203
    • f6b01cc5ec897a40684d53ad4e044750a5c1848293376e950fc3f35a28dd8bfc
    • f70b95b502c3d55a4c8a8565f462239b2be3e9ecd90fdb4dfbcbf93c900e4156
    • f8ba5edc4be23a37178ff4b60bc7904e60df1f907996a8b1ac795a58db6214d4
    • f9e448fc3d9923187c3a4ca7e91c02f15ec4c4d30301ea91f0014b80db88d415
    • fb682f79427c475cfe2a02621b40faf4a7aefbe1eab900a83ebdfca5802856d0
    • fbad24ad8e25e4bd3b4e030a085f11caab6f068dc3c85edbb9fa0720c2c30708
    • fbc964a3439886b66a78c5351a15c68fe6ea41741d2b32c12cc9af23344e0eeb
    • fcbc470bdaf3fdcb0a40508d04beaff0e99087c151bb21c2889ad4f6cdcc20f3
    • fe7aa22e1b9b83661bbf120d6e54c68c8498df61aa76576ccd6eaaa7a7fd8ed2

References