Malware Analysis: GoLo Loader
ConnectWise
By: Blake Eakin
Recently the CRU has observed incidents leading to the deployment of the Vidar and Lumma infostealers through a loader written in Golang. The loader provides some anti-analysis protection and executes its final payload via process injection. For tracking purposes, we refer to this loader as GoLo.
Anti-Analysis
Starting around late October and November 2024, GoLo loader began to provide some amount of anti-analysis protection by tracking the cursor position with the GetCursorPos API. It calls GetCursorPos in a loop and increments a counter each time both the x and y coordinates differ from the previous reading. Once it has counted at least 250 such movements it continues with execution; a sandbox that leaves the cursor stationary, or nudges it along only one axis, never satisfies the check. Tracking cursor position has previously been observed as an anti-analysis technique in Lumma stealer itself, though this loader uses a much simpler approach.
Most of the samples we reviewed also contained a sprinkling of calls to a function that sleeps for a random but minimal amount of time. The use of Golang itself could be considered an anti-analysis technique, but analysis tooling for Go binaries has become more robust and the language is no longer as obscure to analysts.
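The counting logic described above, reproduced as an added example (this is not code from the loader or from ConnectWise). The real sample calls user32!GetCursorPos directly; here the poller is injected as a function so the gate can be exercised against constructed cursor traces on any platform, which also makes the one-axis blind spot visible.

```go
package main

import "fmt"

// point is a cursor position in the shape GetCursorPos returns it.
type point struct{ x, y int32 }

// waitForMovement mirrors the gate described in the write-up: poll the
// cursor repeatedly and count a "movement" only when BOTH coordinates differ
// from the previous reading. It returns the number of polls consumed once
// threshold movements have been seen, or -1 if the poller runs dry first.
// The injected poller is an assumption made for portability; the loader
// itself loops on GetCursorPos.
func waitForMovement(poll func() (point, bool), threshold int) int {
	last, ok := poll()
	if !ok {
		return -1
	}
	moved, polls := 0, 1
	for moved < threshold {
		cur, ok := poll()
		if !ok {
			return -1
		}
		polls++
		if cur.x != last.x && cur.y != last.y {
			moved++
		}
		last = cur
	}
	return polls
}

// samplePoller replays a constructed trace, reporting false when exhausted.
func samplePoller(trace []point) func() (point, bool) {
	i := 0
	return func() (point, bool) {
		if i >= len(trace) {
			return point{}, false
		}
		p := trace[i]
		i++
		return p, true
	}
}

// diagonalTrace changes both axes every sample, like a human dragging the
// mouse; the gate opens after threshold additional polls.
func diagonalTrace(n int) []point {
	t := make([]point, n)
	for i := range t {
		t[i] = point{int32(i), int32(i)}
	}
	return t
}

// horizontalTrace changes only x; y never differs, so the counter never
// increments and the gate never opens however long the trace runs.
func horizontalTrace(n int) []point {
	t := make([]point, n)
	for i := range t {
		t[i] = point{int32(i), 0}
	}
	return t
}

func main() {
	fmt.Println("diagonal, 300 samples:", waitForMovement(samplePoller(diagonalTrace(300)), 250))
	fmt.Println("horizontal, 1000 samples:", waitForMovement(samplePoller(horizontalTrace(1000)), 250))
	fmt.Println("stationary:", waitForMovement(samplePoller(nil), 250))
}
```

The practical takeaway for sandbox operators is that emulated mouse movement has to vary both coordinates between reads; straight-line jitter on one axis is indistinguishable from an idle cursor to this check.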
Payload Decryption
The process injection payload is stored in the .rdata section of the binary, encrypted with AES in GCM mode. The key is derived from a hardcoded MD5 hash: the loader computes the MD5 of that hardcoded hash string and uses the resulting digest as the AES decryption key.
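The key derivation and AES-GCM decryption described above, as an added example written for this page rather than code recovered from the loader. Two details the write-up does not settle are treated as labelled assumptions: whether the raw 16-byte digest (AES-128) or its 32-character hex form (AES-256) is the key, and where the GCM nonce sits relative to the ciphertext. The encrypt side exists only so the example runs stand-alone; the seed below is MD5 of the empty string, a constructed stand-in and not a value from any sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// seedHex stands in for the hardcoded MD5 hash string found in the binary.
// Constructed value (md5("")), not an indicator from a real GoLo sample.
const seedHex = "d41d8cd98f00b204e9800998ecf8427e"

// deriveKey hashes the hardcoded hash string again with MD5, as the write-up
// describes. rawDigest=true yields the 16-byte digest (AES-128); false yields
// the hex string of the digest (32 bytes, AES-256). Which one the loader uses
// is an assumption an analyst should confirm against the sample.
func deriveKey(seedHex string, rawDigest bool) []byte {
	sum := md5.Sum([]byte(seedHex))
	if rawDigest {
		return sum[:]
	}
	return []byte(hex.EncodeToString(sum[:]))
}

// decryptPayload opens an AES-GCM blob laid out as nonce || ciphertext || tag.
// That nonce placement is an assumption of this example; the sample may keep
// the nonce elsewhere in .rdata.
func decryptPayload(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	// Open authenticates the tag, so a wrong key fails loudly instead of
	// yielding garbage.
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// encryptPayload produces a blob in the layout decryptPayload expects. It is
// here only to make the example self-contained.
func encryptPayload(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// roundTrip encrypts and decrypts payload under the derived key.
func roundTrip(seed string, rawDigest bool, payload []byte) ([]byte, error) {
	key := deriveKey(seed, rawDigest)
	blob, err := encryptPayload(key, payload)
	if err != nil {
		return nil, err
	}
	return decryptPayload(key, blob)
}

func main() {
	payload := []byte("constructed stand-in for the injected payload")
	out, err := roundTrip(seedHex, true, payload)
	fmt.Printf("AES-128 key %x\n", deriveKey(seedHex, true))
	fmt.Printf("round trip: %q err=%v\n", out, err)
}
```

When a sample resists this scheme, trying the other key form is cheap: a wrong key or a mislocated nonce surfaces as a GCM authentication error rather than silently decoding to garbage.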
Injection Target Selection and Process Hollowing
Several reports that have previously covered this loader, or that mention its behaviors as a component of Lumma stealer, have commonly identified its injection target as BitLockerToGo.exe. Reviewing many recent sandbox analyses involving this loader would appear to confirm that, and detections have even been developed around this expectation. During our analysis, however, we observed a more involved process for selecting an injection target.
The loader uses the Walk function of the filepath package to traverse the C:\Windows\ directory looking for suitable binaries to target. A callback function is passed to Walk and is called on every item traversed. The callback first checks whether the path passed to it points to a .exe file. The loader then converts the contents of any .exe it finds into a string of hex representations of each byte and searches for the hex string "4e45544672616d6577", which decodes to "NETFramew". It performs the same check on the decrypted payload and compares the two results. If they differ (one contains the string and the other does not), the loader does not attempt process injection into that file and continues traversing C:\Windows\.
From this we can see that BitLockerToGo.exe is simply one of the first binaries traversed in C:\Windows\ that is suitable for injection on many systems, particularly Windows sandbox environments. If it is not present, or is not the first suitable binary, the loader will happily attempt injection into whatever .exe it finds. We cannot state with full confidence why the authors search specifically for "NETFramew". The first assumption is that they are trying to ensure .NET payloads are injected into .NET binaries, although the presence of that string is not a certain indicator of a .NET binary. It may be good enough for their purposes, and it suggests the loader was developed with the expectation of deploying a variety of payloads.
An older sample we identified, submitted to sandboxes around late October 2023, instead traversed the C:\Windows\Microsoft.NET\ directory and dropped RedLine.
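The target selection walk described above, reproduced as an added example; it is not the loader's code and the fixture it walks is a constructed directory of fake .exe files, not real Windows binaries. It keeps the loader's literal hex-string comparison and stops at the first .exe whose marker status matches the payload's, which is the behavior that makes BitLockerToGo.exe the usual winner on a stock Windows tree. Case-insensitive matching of the .exe extension and skipping unreadable entries are assumptions of this example.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// netFramewHex is the marker the loader searches for: hex("NETFramew").
const netFramewHex = "4e45544672616d6577"

// hasMarker reproduces the check literally: hex-encode the whole file and
// search for the hex string. This is slower than bytes.Contains and can also
// match at an odd nibble offset (a different byte sequence whose hex happens
// to line up), a quirk of the hex-string approach worth knowing when writing
// a detection for it.
func hasMarker(data []byte) bool {
	return strings.Contains(hex.EncodeToString(data), netFramewHex)
}

var errFound = errors.New("target found")

// selectTarget walks root the way the loader walks C:\Windows\: the first
// .exe (in filepath.Walk's lexical order) whose marker status equals the
// payload's is chosen.
func selectTarget(root string, payload []byte) (string, error) {
	want := hasMarker(payload)
	var target string
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return nil // assumption: skip unreadable entries and keep walking
		}
		if info.IsDir() || !strings.EqualFold(filepath.Ext(path), ".exe") {
			return nil
		}
		data, rerr := os.ReadFile(path)
		if rerr != nil {
			return nil
		}
		if hasMarker(data) == want {
			target = path
			return errFound // stop the walk at the first suitable binary
		}
		return nil
	})
	if errors.Is(err, errFound) {
		return target, nil
	}
	if err != nil {
		return "", err
	}
	return "", errors.New("no suitable .exe under " + root)
}

// buildFixture writes a constructed tree: one fake .exe carrying the marker,
// one without, a non-.exe that carries it, and an empty directory.
func buildFixture(dir string) error {
	files := map[string]string{
		"BitLockerToGo.exe":  "MZ\x90\x00 constructed stub .NETFramework,Version=v4.0",
		"native/notepad.exe": "MZ\x90\x00 constructed stub with no framework marker",
		"readme.txt":         "NETFramework appears here but this is not an .exe",
	}
	for name, body := range files {
		p := filepath.Join(dir, filepath.FromSlash(name))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return os.MkdirAll(filepath.Join(dir, "empty"), 0o755)
}

func main() {
	dir, err := os.MkdirTemp("", "golo-walk")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := buildFixture(dir); err != nil {
		panic(err)
	}
	for _, payload := range []string{"MZ .NETFramework payload", "MZ native payload"} {
		t, err := selectTarget(dir, []byte(payload))
		fmt.Printf("%-25s -> %s err=%v\n", payload, filepath.Base(t), err)
	}
}
```

Swapping the payload between one that carries the marker and one that does not changes the chosen host from the first marker-bearing .exe to the first marker-free one, which is why a detection keyed only on BitLockerToGo.exe as the hollowed process is brittle.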
The loader uses process hollowing to inject its payload into whichever binary it finds suitable. It calls CreateProcess to start the target in a suspended state, then follows the typical sequence: NtUnmapViewOfSection to unmap the original image, VirtualAllocEx, NtProtectVirtualMemory and NtWriteVirtualMemory to place the payload, NtSetContextThread to redirect the suspended thread, and NtResumeThread to run it.
YARA Rule
rule GoLo_Loader {
    meta:
        author = "ConnectWise CRU"
        description = "Detects the presence of the string \"NETFramew\" represented in hex along with a routine for converting md5 hashes to string representations present in reviewed GoLo samples."
        date = "2024-11-21"
        version = "1.0"
        md5 = "E7AC5891CEEB81B0BB762A7C892B63D2"
    strings:
        // The ASCII hex literal the loader compares against, as it appears in
        // the Go binary, not the raw bytes "NETFramew".
        $netframew = "4e45544672616d6577"
        $conversion_routine_32 = { 0F B6 ?? ?? ?? 89 ?? C0 ?? 04 0F B6 ?? 8D ?? ?? ?? ?? ?? 0F B6 ?? ?? 83 FA 20 73 ?? }
        $conversion_routine_64 = { 0F B6 ?? ?? ?? 89 ?? 40 C0 ?? 04 40 0F B6 ?? 4C 8D ?? ?? ?? ?? ?? 41 0F B6 ?? ?? 48 83 FA 20 73 ?? }
    condition:
        $netframew and ($conversion_routine_32 or $conversion_routine_64)
}
Indicators of Compromise
3 days ago
Thank you for sharing this detailed analysis of the GoLo Loader malware! It's fascinating (and concerning) to see how cyber threats like this continue to evolve and target critical tools like ConnectWise. The breakdown of its obfuscation techniques and attack vectors highlights the importance of staying vigilant and proactive with cybersecurity defenses. From your analysis, it's clear that detecting and mitigating these threats early is crucial, especially for managed service providers (MSPs) who often handle sensitive data across multiple clients. Implementing robust endpoint detection and response (EDR) tools, alongside continuous threat intelligence updates, seems more critical than ever. Looking forward to seeing how the cybersecurity community addresses and counters threats like GoLo Loader moving forward!