Trojan.Win32.Inject.vdyx (Kaspersky), Gen:Variant.Strictor.92793 (B) (Emsisoft), Gen:Variant.Strictor.92793 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 23c8a1895cdc7d695103342fba51d638
SHA1: 2976efca3c538d78a04f102d53ac56d98d2c626f
SHA256: d45dea9a24f3093aecdc00dcc38a06ebb7a01b99634dc0916bbcbf327de5dee3
SSDeep: 49152:04PMWYO8fBDRLnMM s8KuqGaX0ToIBAUZLYC:zEWYRfBDZyJBAUZL1
Size: 1773568 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2015-07-21 07:09:28
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:772
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
Registry activity
The process %original file name%.exe:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 5E 7D EE 54 81 AE AB A9 A1 00 1A 77 6C 14 14"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:772
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: The Perpetuation Endeavor
Product Name: Chew-WGA v0.9
Product Version: 2.5.3.2
Legal Copyright: Copyright (c) 2009 - Anemeros Sof
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.5.3.2
File Description: The Perpetuation Endeavor
Comments: The Perpetuation Endeavor
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 621602 | 622592 | 4.58108 | 428796b2b13125d0e36d4f5c8a3e9307 |
.rdata | 626688 | 1038076 | 1040384 | 5.04394 | 82abb8896e97a0881a036f55678dbd92 |
.data | 1667072 | 251690 | 73728 | 3.59444 | a31bfd3ed38bfd8e8f9a25df71700223 |
.rsrc | 1921024 | 29332 | 32768 | 3.3698 | de76e43af38947d1986517a9f36ddc35 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://city.ip138.com/ip2city.asp | 36.250.72.119 |
hxxp://www.ip138.com/ip2city.asp | 203.130.58.30 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ip2city.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: city.ip138.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 28 Nov 2015 09:25:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 211
Content-Type: text/html
Set-Cookie: ASPSESSIONIDAATQCDBR=JGOIOFNAGOOHNGIFECFCFAGJ; path=/
Cache-control: private
<html>..<head>..<meta http-equiv="content-type" content="text/html; charset=gb2312">..<title> ....IP.... </title>..</head>..<body style="margin:0px"><center>....IP........[194.242.96.218] </center></body></html>
GET /ip2city.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.ip138.com
Cache-Control: no-cache
HTTP/1.0 302 Moved Temporarily
Server: Cdn Cache Server V2.0
Date: Sat, 28 Nov 2015 09:23:32 GMT
Content-Length: 0
Location: hXXp://city.ip138.com/ip2city.asp
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_772:
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
WinINet.dll
wininet.dll
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpQueryInfoA
{A0005538-9391-4dd9-B4D6-8EB7B9360F08}
VIP@VIP.com
BDE.exe
D:\Program Files\Bac\BDE.exe
hXXp://tool.chacuo.net/mailanonymous
_s=
_t=
&type=anonymous&arg=f=
http=
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
hXXp://
@hXXp://VVV.ip138.com/ip2city.asp
QQ.exe
taskmgr.exe
i^.mL
1501443635@qq.com
.tq8*
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler