From 674a6a26a78c87ffb392b4bdb02069b6ada9ae11 Mon Sep 17 00:00:00 2001 
From: Jason Ish
Date: Wed, 19 Jan 2022 12:38:25 -0600
Subject: [PATCH] tests: split frame tests into their own tests

These are all copied from other tests. As new rule keywords were added these tests needed to be recreated with the min-version set to 7.
---
tests/alert-testmyids-frames/default.yaml | 1626 +++++++++++++++++
tests/alert-testmyids-frames/input.pcap | Bin 0 -> 1104 bytes
tests/alert-testmyids-frames/suricata.yaml | 57 +
tests/alert-testmyids-frames/test.rules | 5 +
tests/alert-testmyids-frames/test.yaml | 17 +
tests/alert-testmyids/suricata.yaml | 1 -
tests/alert-testmyids/test.rules | 4 -
tests/alert-testmyids/test.yaml | 4 +-
tests/http-gap-simple-frames/README.md | 13 +
tests/http-gap-simple-frames/input.pcap | Bin 0 -> 2818 bytes
.../suricata.yaml | 0
tests/http-gap-simple-frames/test.yaml | 56 +
tests/http-gap-simple-frames/toaddgap.txt | 53 +
tests/http-gap-simple/test.yaml | 12 -
tests/smb-eicar-file-frames/README.md | 12 +
tests/smb-eicar-file-frames/input.pcap | Bin 0 -> 4479 bytes
.../suricata.yaml | 0
tests/smb-eicar-file-frames/test.rules | 1 +
tests/smb-eicar-file-frames/test.yaml | 30 +
tests/smb-eicar-file/test.yaml | 9 -
tests/smb-named-pipe-ascii-frames/README.md | 12 +
tests/smb-named-pipe-ascii-frames/input.pcap | Bin 0 -> 3878 bytes
.../suricata.yaml | 0
tests/smb-named-pipe-ascii-frames/test.rules | 1 +
tests/smb-named-pipe-ascii-frames/test.yaml | 35 +
tests/smb-named-pipe-ascii/test.yaml | 22 -
.../20171220_smb_psexec_add_user.pcap | Bin 0 -> 244870 bytes
tests/smb2-07-frames/README.md | 4 +
tests/{smb2-07 => smb2-07-frames}/test.rules | 0
tests/smb2-07-frames/test.yaml | 125 ++
tests/smb2-07/test.yaml | 56 -
tests/tls13-draft28-frames/README.md | 8 +
tests/tls13-draft28-frames/suricata.yaml | 25 +
.../test.rules | 0
tests/tls13-draft28-frames/test.yaml | 47 +
tests/tls13-draft28-frames/tls13_draft28.pcap | Bin 0 -> 8321 bytes
tests/tls13-draft28/suricata.yaml | 2 -
tests/tls13-draft28/test.yaml | 22 -
38 files changed, 2129 insertions(+), 130 deletions(-)
create mode 100644 tests/alert-testmyids-frames/default.yaml
create mode 100644 tests/alert-testmyids-frames/input.pcap
create mode 100644 tests/alert-testmyids-frames/suricata.yaml
create mode 100644 tests/alert-testmyids-frames/test.rules
create mode 100644 tests/alert-testmyids-frames/test.yaml
create mode 100644 tests/http-gap-simple-frames/README.md
create mode 100644 tests/http-gap-simple-frames/input.pcap
rename tests/{http-gap-simple => http-gap-simple-frames}/suricata.yaml (100%)
create mode 100644 tests/http-gap-simple-frames/test.yaml
create mode 100644 tests/http-gap-simple-frames/toaddgap.txt
create mode 100644 tests/smb-eicar-file-frames/README.md
create mode 100644 tests/smb-eicar-file-frames/input.pcap
rename tests/{smb-eicar-file => smb-eicar-file-frames}/suricata.yaml (100%)
create mode 100644 tests/smb-eicar-file-frames/test.rules
create mode 100644 tests/smb-eicar-file-frames/test.yaml
create mode 100644 tests/smb-named-pipe-ascii-frames/README.md
create mode 100644 tests/smb-named-pipe-ascii-frames/input.pcap
rename tests/{smb-named-pipe-ascii => smb-named-pipe-ascii-frames}/suricata.yaml (100%)
create mode 100644 tests/smb-named-pipe-ascii-frames/test.rules
create mode 100644 tests/smb-named-pipe-ascii-frames/test.yaml
create mode 100644 tests/smb2-07-frames/20171220_smb_psexec_add_user.pcap
create mode 100644 tests/smb2-07-frames/README.md
rename tests/{smb2-07 => smb2-07-frames}/test.rules (100%)
create mode 100644 tests/smb2-07-frames/test.yaml
create mode 100644 tests/tls13-draft28-frames/README.md
create mode 100644 tests/tls13-draft28-frames/suricata.yaml
rename tests/{tls13-draft28 => tls13-draft28-frames}/test.rules (100%)
create mode 100644 tests/tls13-draft28-frames/test.yaml
create mode 100644 tests/tls13-draft28-frames/tls13_draft28.pcap

diff --git a/tests/alert-testmyids-frames/default.yaml b/tests/alert-testmyids-frames/default.yaml
new file mode 100644
index 000000000..044175fec
--- /dev/null
+++ b/tests/alert-testmyids-frames/default.yaml 
@@ -0,0 +1,1626 @@ +%YAML 1.1 +--- + +# Suricata configuration file. In addition to the comments describing all +# options in this file, full documentation can be found at: +# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml + +## +## Step 1: inform Suricata about your network +## + +vars: + # more specifc is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + + +## +## Step 2: select the rules to enable or disable +## + +default-rule-path: /home/jason/projects/oi../../etc/suricata/rules +rule-files: + - botcc.rules + - ciarmy.rules + - compromised.rules + - drop.rules + - dshield.rules +# - emerging-activex.rules + - emerging-attack_response.rules + - emerging-chat.rules + - emerging-current_events.rules + - emerging-dns.rules + - emerging-dos.rules + - emerging-exploit.rules + - emerging-ftp.rules +# - emerging-games.rules +# - emerging-icmp_info.rules +# - emerging-icmp.rules + - emerging-imap.rules +# - emerging-inappropriate.rules + - emerging-malware.rules + - emerging-misc.rules + - emerging-mobile_malware.rules + - emerging-netbios.rules + - emerging-p2p.rules + - emerging-policy.rules + - emerging-pop3.rules + - emerging-rpc.rules + - emerging-scada.rules + - emerging-scan.rules +# - emerging-shellcode.rules + - emerging-smtp.rules + 
- emerging-snmp.rules + - emerging-sql.rules + - emerging-telnet.rules + - emerging-tftp.rules + - emerging-trojan.rules + - emerging-user_agents.rules + - emerging-voip.rules + - emerging-web_client.rules + - emerging-web_server.rules +# - emerging-web_specific_apps.rules + - emerging-worm.rules + - tor.rules +# - decoder-events.rules # available in suricata sources under rules dir +# - stream-events.rules # available in suricata sources under rules dir + - http-events.rules # available in suricata sources under rules dir + - smtp-events.rules # available in suricata sources under rules dir + - dns-events.rules # available in suricata sources under rules dir + - tls-events.rules # available in suricata sources under rules dir +# - modbus-events.rules # available in suricata sources under rules dir +# - app-layer-events.rules # available in suricata sources under rules dir + +classification-file: ../../etc/classification.config +reference-config-file: ../../etc/reference.config +# threshold-file: /home/jason/projects/oi../../etc/suricata/threshold.config + + +## +## Step 3: select outputs to enable +## + +# The default logging directory. Any log or output file will be +# placed here if its not specified with a full path name. This can be +# overridden with the -l command line parameter. +default-log-dir: /home/jason/projects/oisf/log/suricata/ + +# global stats configuration +stats: + enabled: yes + # The interval field (in seconds) controls at what interval + # the loggers are invoked. + interval: 8 + +# Configure the type of alert (and other) logging you would like. 
+outputs: + # a line based alerts log similar to Snort's fast.log + - fast: + enabled: yes + filename: fast.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # mode: list ## possible values: list (default), channel + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + http: yes # enable dumping of http fields + tls: yes # enable dumping of tls fields + ssh: yes # enable dumping of ssh fields + smtp: yes # enable dumping of smtp fields + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. 
This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns + - tls: + extended: yes # enable this for extended logging information + - files: + force-magic: no # force logging magic on all logged files + force-md5: no # force logging of md5 checksums + #- drop: + # alerts: no # log alerts that caused drops + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # alert output for use with Barnyard2 + 
- unified2-alert: + enabled: no + filename: unified2.alert + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + #limit: 32mb + + # Sensor ID field of unified2 alerts. + #sensor-id: 0 + + # Include payload of packets related to alerts. Defaults to true, set to + # false if payload is not required. + #payload: yes + + # HTTP X-Forwarded-For support by adding the unified2 extra header or + # overwriting the source or destination IP address (depending on flow + # direction) with the one reported in the X-Forwarded-For HTTP header. + # This is helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". Note + # that in the "overwrite" mode, if the reported IP address in the HTTP + # X-Forwarded-For header is of a different version of the packet + # received, it will fall-back to "extra-data" mode. + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + # a line based log of HTTP requests (no alerts) + - http-log: + enabled: no + filename: http.log + append: yes + #extended: yes # enable this for extended logging information + #custom: yes # enabled the custom logging format (defined by customformat) + #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # a line based log of TLS handshake parameters (no alerts) + - tls-log: + enabled: no # Log TLS connections. + filename: tls.log # File to store TLS logs. 
+ append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + #extended: yes # Log extended information like fingerprint + + # output module to store certificates chain to disk + - tls-store: + enabled: no + #certs-log-dir: certs # directory to store the certificates files + + # a line based log of DNS requests and/or replies (no alerts) + - dns-log: + enabled: no + filename: dns.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Packet log... log packets in pcap format. 3 modes of operation: "normal" + # "multi" and "sguil". + # + # In normal mode a pcap file "filename" is created in the default-log-dir, + # or are as specified by "dir". + # In multi mode, a file is created per thread. This will perform much + # better, but will create multiple files where 'normal' would create one. + # In multi mode the filename takes a few special variables: + # - %n -- thread number + # - %i -- thread id + # - %t -- timestamp (secs or secs.usecs based on 'ts-format' + # E.g. filename: pcap.%n.%t + # + # Note that it's possible to use directories, but the directories are not + # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the + # per thread directory. + # + # Also note that the limit and max-files settings are enforced per thread. + # So the size limit when using 8 threads with 1000mb files and 2000 files + # is: 8*1000*2000 ~ 16TiB. + # + # In Sguil mode "dir" indicates the base directory. In this base dir the + # pcaps are created in th directory structure Sguil expects: + # + # $sguil-base-dir/YYYY-MM-DD/$filename. + # + # By default all packets are logged except: + # - TCP streams beyond stream.reassembly.depth + # - encrypted streams after the key exchange + # + - pcap-log: + enabled: no + filename: log.pcap + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + limit: 1000mb + + # If set to a value will enable ring buffer mode. 
Will keep Maximum of "max-files" of size "limit" + max-files: 2000 + + mode: normal # normal, multi or sguil. + #sguil-base-dir: /nsm_data/ + #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec + use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets + honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged. + + # a full alerts log containing much information for signature writers + # or for investigating suspected false positives. + - alert-debug: + enabled: no + filename: alert-debug.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # alert output to prelude (http://www.prelude-technologies.com/) only + # available if Suricata has been compiled with --enable-prelude + - alert-prelude: + enabled: no + profile: suricata + log-packet-content: no + log-packet-header: yes + + # Stats.log contains data from various counters of the suricata engine. + - stats: + enabled: yes + filename: stats.log + totals: yes # stats for all threads merged together + threads: no # per thread stats + #null-values: yes # print counters that have value 0 + + # a line based alerts log similar to fast.log into syslog + - syslog: + enabled: no + # reported identity to syslog. If ommited the program name (usually + # suricata) will be used. + #identity: "suricata" + facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + + # a line based information for dropped packets in IPS mode + - drop: + enabled: no + filename: drop.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # output module to store extracted files to disk + # + # The files are stored to the log-dir in a format "file." where is + # an incrementing number starting at 1. For each file "file." a meta + # file "file..meta" is created. 
+ # + # File extraction depends on a lot of things to be fully done: + # - stream reassembly depth. For optimal results, set this to 0 (unlimited) + # - http request / response body sizes. Again set to 0 for optimal results. + # - rules that contain the "filestore" keyword. + - file-store: + enabled: no # set to yes to enable + log-dir: files # directory to store the files + force-magic: no # force logging magic on all stored files + force-md5: no # force logging of md5 checksums + force-filestore: no # force storing of all files + #waldo: file.waldo # waldo file to store the file_id across runs + + # output module to log files tracked in a easily parsable json format + - file-log: + enabled: no + filename: files-json.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + force-magic: no # force logging magic on all logged files + force-md5: no # force logging of md5 checksums + + # Log TCP data after stream normalization + # 2 types: file or dir. File logs into a single logfile. Dir creates + # 2 files per TCP session and stores the raw TCP data into them. + # Using 'both' will enable both file and dir modes. + # + # Note: limited by stream.depth + - tcp-data: + enabled: no + type: file + filename: tcp-data.log + + # Log HTTP body data after normalization, dechunking and unzipping. + # 2 types: file or dir. File logs into a single logfile. Dir creates + # 2 files per HTTP session and stores the normalized data into them. + # Using 'both' will enable both file and dir modes. + # + # Note: limited by the body limit settings + - http-body-data: + enabled: no + type: file + filename: http-data.log + + # Lua Output Support - execute lua script to generate alert and event + # output. + # Documented at: + # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output + - lua: + enabled: no + #scripts-dir../../etc/suricata/lua-output/ + scripts: + # - script1.lua + +# Logging configuration. 
This is not about logging IDS alerts/events, but +# output about what Suricata is doing, like startup messages, errors, etc. +logging: + # The default log level, can be overridden in an output section. + # Note that debug level logging will only be emitted if Suricata was + # compiled with the --enable-debug configure option. + # + # This value is overriden by the SC_LOG_LEVEL env var. + default-log-level: notice + + # The default output format. Optional parameter, should default to + # something reasonable if not provided. Can be overriden in an + # output section. You can leave this out to get the default. + # + # This value is overriden by the SC_LOG_FORMAT env var. + #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " + + # A regex to filter output. Can be overridden in an output section. + # Defaults to empty (no filter). + # + # This value is overriden by the SC_LOG_OP_FILTER env var. + default-output-filter: + + # Define your logging outputs. If none are defined, or they are all + # disabled you will get the default - console output. + outputs: + - console: + enabled: yes + # type: json + - file: + enabled: yes + level: info + filename: /home/jason/projects/oisf/log/suricata/suricata.log + # type: json + - syslog: + enabled: no + facility: local5 + format: "[%i] <%d> -- " + # type: json + + +## +## Step 4: configure common capture settings +## +## See "Advanced Capture Options" below for more options, including NETMAP +## and PF_RING. +## + +# Linux high speed capture support +af-packet: + - interface: eth0 + # Number of receive threads. "auto" uses the number of cores + #threads: auto + # Default clusterid. AF_PACKET will load balance packets based on flow. + cluster-id: 99 + # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. 
+ # This is only supported for Linux kernel > 3.1 + # possible value are: + # * cluster_round_robin: round robin load balancing + # * cluster_flow: all packets of a given flow are send to the same socket + # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket + # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same + # socket. Requires at least Linux 3.14. + # * cluster_random: packets are sent randomly to sockets but with an equipartition. + # Requires at least Linux 3.14. + # * cluster_rollover: kernel rotates between sockets filling each socket before moving + # to the next. Requires at least Linux 3.10. + # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system + # with capture card using RSS (require cpu affinity tuning and system irq tuning) + cluster-type: cluster_flow + # In some fragmentation case, the hash can not be computed. If "defrag" is set + # to yes, the kernel will do the needed defragmentation before sending the packets. + defrag: yes + # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is + # full then kernel will send the packet on the next socket with room available. This option + # can minimize packet drop and increase the treated bandwidth on single intensive flow. + #rollover: yes + # To use the ring feature of AF_PACKET, set 'use-mmap' to yes + #use-mmap: yes + # Lock memory map to avoid it goes to swap. Be careful that over suscribing could lock + # your system + #mmap-locked: yes + # Use experimental tpacket_v3 capture mode, only active if use-mmap is true + #tpacket-v3: yes + # Ring size will be computed with respect to max_pending_packets and number + # of threads. You can set manually the ring size in number of packets by setting + # the following value. 
If you are using flow cluster-type and have really network + # intensive single-flow you could want to set the ring-size independently of the number + # of threads: + #ring-size: 2048 + # Block size is used by tpacket_v3 only. It should set to a value high enough to contain + # a decent number of packets. Size is in bytes so please consider your MTU. It should be + # a power of 2 and it must be multiple of page size (usually 4096). + #block-size: 32768 + # tpacket_v3 block timeout: an open block is passed to userspace if it is not + # filled after block-timeout milliseconds. + #block-timeout: 10 + # On busy system, this could help to set it to yes to recover from a packet drop + # phase. This will result in some packets (at max a ring flush) being non treated. + #use-emergency-flush: yes + # recv buffer size, increase value could improve performance + # buffer-size: 32768 + # Set to yes to disable promiscuous mode + # disable-promisc: no + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - kernel: use indication sent by kernel for each packet (default) + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: kernel + # BPF filter to apply to this interface. The pcap filter syntax apply here. + #bpf-filter: port 80 or udp + # You can use the following variables to activate AF_PACKET tap or IPS mode. + # If copy-mode is set to ips or tap, the traffic coming to the current + # interface will be copied to the copy-iface interface. If 'tap' is set, the + # copy is complete. If 'ips' is set, the packet matching a 'drop' action + # will not be copied. 
+ #copy-mode: ips + #copy-iface: eth1 + + # Put default values here. These will be used for an interface that is not + # in the list above. + - interface: default + #threads: auto + #use-mmap: no + #rollover: yes + #tpacket-v3: yes + +# Cross platform libpcap capture support +pcap: + - interface: eth0 + # On Linux, pcap will try to use mmaped capture and will use buffer-size + # as total of memory used by the ring. So set this to something bigger + # than 1% of your bandwidth. + #buffer-size: 16777216 + #bpf-filter: "tcp and port 25" + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # With some accelerator cards using a modified libpcap (like myricom), you + # may want to have the same number of capture threads as the number of capture + # rings. In this case, set up the threads variable to N to start N threads + # listening on the same interface. + #threads: 16 + # set to no to disable promiscuous mode: + #promisc: no + # set snaplen, if not set it defaults to MTU if MTU can be known + # via ioctl call and to full capture if not. + #snaplen: 1518 + # Put default values here + - interface: default + #checksum-checks: auto + +# Settings for reading pcap files +pcap-file: + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. 
(default) + # Warning: 'checksum-validation' must be set to yes to have checksum tested + checksum-checks: auto + +# See "Advanced Capture Options" below for more options, including NETMAP +# and PF_RING. + + +## +## Step 5: App Layer Protocol Configuration +## + +# Configure the app-layer parsers. The protocols section details each +# protocol. +# +# The option "enabled" takes 3 values - "yes", "no", "detection-only". +# "yes" enables both detection and the parser, "no" disables both, and +# "detection-only" enables protocol detection only (parser disabled). +app-layer: + protocols: + tls: + enabled: yes + detection-ports: + dp: 443 + + #no-reassemble: yes + dcerpc: + enabled: yes + ftp: + enabled: yes + ssh: + enabled: yes + smtp: + enabled: yes + # Configure SMTP-MIME Decoder + mime: + # Decode MIME messages from SMTP transactions + # (may be resource intensive) + # This field supercedes all others because it turns the entire + # process on or off + decode-mime: yes + + # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) + decode-base64: yes + decode-quoted-printable: yes + + # Maximum bytes per header data value stored in the data structure + # (default is 2000) + header-value-depth: 2000 + + # Extract URLs and save in state data structure + extract-urls: yes + # Set to yes to compute the md5 of the mail body. You will then + # be able to journalize it. 
+ body-md5: no + # Configure inspected-tracker for file_data keyword + inspected-tracker: + content-limit: 100000 + content-inspect-min-size: 32768 + content-inspect-window: 4096 + imap: + enabled: detection-only + msn: + enabled: detection-only + smb: + enabled: yes + detection-ports: + dp: 139 + # Note: Modbus probe parser is minimalist due to the poor significant field + # Only Modbus message length (greater than Modbus header length) + # And Protocol ID (equal to 0) are checked in probing parser + # It is important to enable detection port and define Modbus port + # to avoid false positive + modbus: + # How many unreplied Modbus requests are considered a flood. + # If the limit is reached, app-layer-event:modbus.flooded; will match. + #request-flood: 500 + + enabled: no + detection-ports: + dp: 502 + # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it + # is recommended to keep the TCP connection opened with a remote device + # and not to open and close it for each MODBUS/TCP transaction. In that + # case, it is important to set the depth of the stream reassembling as + # unlimited (stream.reassembly.depth: 0) + # smb2 detection is disabled internally inside the engine. + #smb2: + # enabled: yes + dns: + # memcaps. Globally and per flow/state. + #global-memcap: 16mb + #state-memcap: 512kb + + # How many unreplied DNS requests are considered a flood. + # If the limit is reached, app-layer-event:dns.flooded; will match. + #request-flood: 500 + + tcp: + enabled: yes + detection-ports: + dp: 53 + udp: + enabled: yes + detection-ports: + dp: 53 + http: + enabled: yes + # memcap: 64mb + + # default-config: Used when no server-config matches + # personality: List of personalities used by default + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. 
+ # double-decode-path: Double decode path section of the URI + # double-decode-query: Double decode query section of the URI + # response-body-decompress-layer-limit: + # Limit to how many layers of compression will be + # decompressed. Defaults to 2. + # + # server-config: List of server configurations to use if address matches + # address: List of ip addresses or networks for this block + # personalitiy: List of personalities used by this block + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # double-decode-path: Double decode path section of the URI + # double-decode-query: Double decode query section of the URI + # + # uri-include-all: Include all parts of the URI. By default the + # 'scheme', username/password, hostname and port + # are excluded. Setting this option to true adds + # all of them to the normalized uri as inspected + # by http_uri, urilen, pcre with /U and the other + # keywords that inspect the normalized uri. + # Note that this does not affect http_raw_uri. + # Also, note that including all was the default in + # 1.4 and 2.0beta1. + # + # meta-field-limit: Hard size limit for request and response size + # limits. Applies to request line and headers, + # response line and headers. Does not apply to + # request or response bodies. Default is 18k. + # If this limit is reached an event is raised. + # + # Currently Available Personalities: + # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, + # IIS_7_0, IIS_7_5, Apache_2 + libhtp: + default-config: + personality: IDS + + # Can be specified in kb, mb, gb. Just a number indicates + # it's in bytes. 
+ request-body-limit: 100kb + response-body-limit: 100kb + + # inspection limits + request-body-minimal-inspect-size: 32kb + request-body-inspect-window: 4kb + response-body-minimal-inspect-size: 40kb + response-body-inspect-window: 16kb + + # response body decompression (0 disables) + response-body-decompress-layer-limit: 2 + + # auto will use http-body-inline mode in IPS mode, yes or no set it statically + http-body-inline: auto + + # Take a random value for inspection sizes around the specified value. + # This lower the risk of some evasion technics but could lead + # detection change between runs. It is set to 'yes' by default. + #randomize-inspection-sizes: yes + # If randomize-inspection-sizes is active, the value of various + # inspection size will be choosen in the [1 - range%, 1 + range%] + # range + # Default value of randomize-inspection-range is 10. + #randomize-inspection-range: 10 + + # decoding + double-decode-path: no + double-decode-query: no + + server-config: + + #- apache: + # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] + # personality: Apache_2 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + #- iis7: + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # personality: IIS_7_0 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + +# Limit for the maximum number of asn1 frames to decode (default 256) +asn1-max-frames: 256 + + +############################################################################## +## +## Advanced settings below +## +############################################################################## + +## +## Run Options +## + +# Run suricata as user and group. 
+#run-as: +# user: suri +# group: suri + +# Some logging module will use that name in event as identifier. The default +# value is the hostname +#sensor-name: suricata + +# Default pid file. +# Will use this file if no --pidfile in command options. +#pid-file: /home/jason/projects/oisf/run/suricata.pid + +# Daemon working directory +# Suricata will change directory to this one if provided +# Default: "/" +#daemon-directory: "/" + +# Suricata core dump configuration. Limits the size of the core dump file to +# approximately max-dump. The actual core dump size will be a multiple of the +# page size. Core dumps that would be larger than max-dump are truncated. On +# Linux, the actual core dump size may be a few pages larger than max-dump. +# Setting max-dump to 0 disables core dumping. +# Setting max-dump to 'unlimited' will give the full core dump file. +# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size +# to be 'unlimited'. + +coredump: + max-dump: unlimited + +# If suricata box is a router for the sniffed networks, set it to 'router'. If +# it is a pure sniffing setup, set it to 'sniffer-only'. +# If set to auto, the variable is internally switch to 'router' in IPS mode +# and 'sniffer-only' in IDS mode. +# This feature is currently only used by the reject* keywords. +host-mode: auto + +# Number of packets preallocated per thread. The default is 1024. A higher number +# will make sure each CPU will be more easily kept busy, but may negatively +# impact caching. +# +# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules +# apply. In that case try something like 60000 or more. This is because the CUDA +# pattern matcher buffers and scans as many packets as possible in parallel. +#max-pending-packets: 1024 + +# Runmode the engine should use. Please check --list-runmodes to get the available +# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned +# load balancing). 
+#runmode: autofp + +# Specifies the kind of flow load balancer used by the flow pinned autofp mode. +# +# Supported schedulers are: +# +# round-robin - Flows assigned to threads in a round robin fashion. +# active-packets - Flows assigned to threads that have the lowest number of +# unprocessed packets (default). +# hash - Flow alloted usihng the address hash. More of a random +# technique. Was the default in Suricata 1.2.1 and older. +# +#autofp-scheduler: active-packets + +# Preallocated size for packet. Default is 1514 which is the classical +# size for pcap on ethernet. You should adjust this value to the highest +# packet size (MTU + hardware header) on your system. +#default-packet-size: 1514 + +# Unix command socket can be used to pass commands to suricata. +# An external tool can then connect to get information from suricata +# or trigger some modifications of the engine. Set enabled to yes +# to activate the feature. You can use the filename variable to set +# the file name of the socket. +unix-command: + enabled: no + #filename: custom.socket + +# Magic file. The extension .mgc is added to the value here. +#magic-file: /usr/share/file/magic +#magic-file: + +legacy: + uricontent: enabled + +## +## Detection settings +## + +# Set the order of alerts bassed on actions +# The default order is pass, drop, reject, alert +# action-order: +# - pass +# - drop +# - reject +# - alert + +# IP Reputation +#reputation-categories-file: /home/jason/projects/oi../../etc/suricata/iprep/categories.txt +#default-reputation-path: /home/jason/projects/oi../../etc/suricata/iprep +#reputation-files: +# - reputation.list + +# When run with the option --engine-analysis, the engine will read each of +# the parameters below, and print reports for each of the enabled sections +# and exit. The reports are printed to a file in the default log dir +# given by the parameter "default-log-dir", with engine reporting +# subsection below printing reports in its own report file. 
+engine-analysis: + # enables printing reports for fast-pattern for every rule. + rules-fast-pattern: yes + # enables printing reports for each rule + rules: yes + +#recursion and match limits for PCRE where supported +pcre: + match-limit: 3500 + match-limit-recursion: 1500 + +## +## Advanced Traffic Tracking and Reconstruction Settings +## + +# Host specific policies for defragmentation and TCP stream +# reassembly. The host OS lookup is done using a radix tree, just +# like a routing table so the most specific entry matches. +host-os-policy: + # Make the default policy windows. + windows: [0.0.0.0/0] + bsd: [] + bsd-right: [] + old-linux: [] + linux: [] + old-solaris: [] + solaris: [] + hpux10: [] + hpux11: [] + irix: [] + macos: [] + vista: [] + windows2k3: [] + +# Defrag settings: + +defrag: + memcap: 32mb + hash-size: 65536 + trackers: 65535 # number of defragmented flows to follow + max-frags: 65535 # number of fragments to keep (higher than trackers) + prealloc: yes + timeout: 60 + +# Enable defrag per host settings +# host-config: +# +# - dmz: +# timeout: 30 +# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] +# +# - lan: +# timeout: 45 +# address: +# - 192.168.0.0/24 +# - 192.168.10.0/24 +# - 172.16.14.0/24 + +# Flow settings: +# By default, the reserved memory (memcap) for flows is 32MB. This is the limit +# for flow allocation inside the engine. You can change this value to allow +# more memory usage for flows. +# The hash-size determine the size of the hash used to identify flows inside +# the engine, and by default the value is 65536. +# At the startup, the engine can preallocate a number of flows, to get a better +# performance. The number of flows preallocated is 10000 by default. +# emergency-recovery is the percentage of flows that the engine need to +# prune before unsetting the emergency state. 
The emergency state is activated +# when the memcap limit is reached, allowing to create new flows, but +# prunning them with the emergency timeouts (they are defined below). +# If the memcap is reached, the engine will try to prune flows +# with the default timeouts. If it doens't find a flow to prune, it will set +# the emergency bit and it will try again with more agressive timeouts. +# If that doesn't work, then it will try to kill the last time seen flows +# not in use. +# The memcap can be specified in kb, mb, gb. Just a number indicates it's +# in bytes. + +flow: + memcap: 128mb + hash-size: 65536 + prealloc: 10000 + emergency-recovery: 30 + #managers: 1 # default to one flow manager + #recyclers: 1 # default to one flow recycler thread + +# This option controls the use of vlan ids in the flow (and defrag) +# hashing. Normally this should be enabled, but in some (broken) +# setups where both sides of a flow are not tagged with the same vlan +# tag, we can ignore the vlan id's in the flow hashing. +vlan: + use-for-tracking: true + +# Specific timeouts for flows. Here you can specify the timeouts that the +# active flows will wait to transit from the current state to another, on each +# protocol. The value of "new" determine the seconds to wait after a hanshake or +# stream startup before the engine free the data of that flow it doesn't +# change the state to established (usually if we don't receive more packets +# of that flow). The value of "established" is the amount of +# seconds that the engine will wait to free the flow if it spend that amount +# without receiving new packets or closing the connection. "closed" is the +# amount of time to wait after a flow is closed (usually zero). +# +# There's an emergency mode that will become active under attack circumstances, +# making the engine to check flow status faster. This configuration variables +# use the prefix "emergency-" and work similar as the normal ones. 
+# Some timeouts doesn't apply to all the protocols, like "closed", for udp and +# icmp. + +flow-timeouts: + + default: + new: 30 + established: 300 + closed: 0 + emergency-new: 10 + emergency-established: 100 + emergency-closed: 0 + tcp: + new: 60 + established: 600 + closed: 60 + emergency-new: 5 + emergency-established: 100 + emergency-closed: 10 + udp: + new: 30 + established: 300 + emergency-new: 10 + emergency-established: 100 + icmp: + new: 30 + established: 300 + emergency-new: 10 + emergency-established: 100 + +# Stream engine settings. Here the TCP stream tracking and reassembly +# engine is configured. +# +# stream: +# memcap: 32mb # Can be specified in kb, mb, gb. Just a +# # number indicates it's in bytes. +# checksum-validation: yes # To validate the checksum of received +# # packet. If csum validation is specified as +# # "yes", then packet with invalid csum will not +# # be processed by the engine stream/app layer. +# # Warning: locally generated trafic can be +# # generated without checksum due to hardware offload +# # of checksum. You can control the handling of checksum +# # on a per-interface basis via the 'checksum-checks' +# # option +# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread +# midstream: false # don't allow midstream session pickups +# async-oneside: false # don't enable async stream handling +# inline: no # stream inline mode +# max-synack-queued: 5 # Max different SYN/ACKs to queue +# +# reassembly: +# memcap: 64mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. +# depth: 1mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. +# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. Can be specified in kb, mb, +# # gb. Just a number indicates it's in bytes. +# # The max acceptable size is 4024 bytes. +# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. Can be specified in kb, mb, +# # gb. 
Just a number indicates it's in bytes. +# # The max acceptable size is 4024 bytes. +# randomize-chunk-size: yes # Take a random value for chunk size around the specified value. +# # This lower the risk of some evasion technics but could lead +# # detection change between runs. It is set to 'yes' by default. +# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is +# # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size +# # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same +# # calculation for toclient-chunk-size. +# # Default value of randomize-chunk-range is 10. +# +# raw: yes # 'Raw' reassembly enabled or disabled. +# # raw is for content inspection by detection +# # engine. +# +# chunk-prealloc: 250 # Number of preallocated stream chunks. These +# # are used during stream inspection (raw). +# segments: # Settings for reassembly segment pool. +# - size: 4 # Size of the (data)segment for a pool +# prealloc: 256 # Number of segments to prealloc and keep +# # in the pool. +# zero-copy-size: 128 # This option sets in bytes the value at +# # which segment data is passed to the app +# # layer API directly. Data sizes equal to +# # and higher than the value set are passed +# # on directly. 
+# +stream: + memcap: 64mb + checksum-validation: yes # reject wrong csums + inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + reassembly: + memcap: 256mb + depth: 1mb # reassemble 1mb into a stream + toserver-chunk-size: 2560 + toclient-chunk-size: 2560 + randomize-chunk-size: yes + #randomize-chunk-range: 10 + #raw: yes + #chunk-prealloc: 250 + #segments: + # - size: 4 + # prealloc: 256 + # - size: 16 + # prealloc: 512 + # - size: 112 + # prealloc: 512 + # - size: 248 + # prealloc: 512 + # - size: 512 + # prealloc: 512 + # - size: 768 + # prealloc: 1024 + # - size: 1448 + # prealloc: 1024 + # - size: 65535 + # prealloc: 128 + #zero-copy-size: 128 + +# Host table: +# +# Host table is used by tagging and per host thresholding subsystems. +# +host: + hash-size: 4096 + prealloc: 1000 + memcap: 32mb + +# IP Pair table: +# +# Used by xbits 'ippair' tracking. +# +#ippair: +# hash-size: 4096 +# prealloc: 1000 +# memcap: 32mb + + +## +## Performance tuning and profiling +## + +# The detection engine builds internal groups of signatures. The engine +# allow us to specify the profile to use for them, to manage memory on an +# efficient way keeping a good performance. For the profile keyword you +# can use the words "low", "medium", "high" or "custom". If you use custom +# make sure to define the values at "- custom-values" as your convenience. +# Usually you would prefer medium/high/low. +# +# "sgh mpm-context", indicates how the staging should allot mpm contexts for +# the signature groups. "single" indicates the use of a single context for +# all the signature group heads. "full" indicates a mpm-context for each +# group head. "auto" lets the engine decide the distribution of contexts +# based on the information the engine gathers on the patterns from each +# group head. +# +# The option inspection-recursion-limit is used to limit the recursive calls +# in the content inspection code. 
For certain payload-sig combinations, we +# might end up taking too much time in the content inspection code. +# If the argument specified is 0, the engine uses an internally defined +# default limit. On not specifying a value, we use no limits on the recursion. +detect: + profile: medium + custom-values: + toclient-groups: 3 + toserver-groups: 25 + sgh-mpm-context: auto + inspection-recursion-limit: 3000 + # If set to yes, the loading of signatures will be made after the capture + # is started. This will limit the downtime in IPS mode. + #delayed-detect: yes + + # the grouping values above control how many groups are created per + # direction. Port whitelisting forces that port to get it's own group. + # Very common ports will benefit, as well as ports with many expensive + # rules. + grouping: + #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 + #udp-whitelist: 53, 135, 5060 + + profiling: + # Log the rules that made it past the prefilter stage, per packet + # default is off. The threshold setting determines how many rules + # must have made it past pre-filter for that rule to trigger the + # logging. + #inspect-logging-threshold: 200 + grouping: + dump-to-disk: false + include-rules: false # very verbose + include-mpm-stats: false + +# Select the multi pattern algorithm you want to run for scan/search the +# in the engine. +# +# The supported algorithms are: +# "ac" - Aho-Corasick, default implementation +# "ac-bs" - Aho-Corasick, reduced memory implementation +# "ac-cuda" - Aho-Corasick, CUDA implementation +# "ac-ks" - Aho-Corasick, "Ken Steele" variant +# "hs" - Hyperscan, available when built with Hyperscan support +# +# The default mpm-algo value of "auto" will use "hs" if Hyperscan is +# available, "ac" otherwise. +# +# The mpm you choose also decides the distribution of mpm contexts for +# signature groups, specified by the conf - "detect.sgh-mpm-context". 
+# Selecting "ac" as the mpm would require "detect.sgh-mpm-context" +# to be set to "single", because of ac's memory requirements, unless the +# ruleset is small enough to fit in one's memory, in which case one can +# use "full" with "ac". Rest of the mpms can be run in "full" mode. +# +# There is also a CUDA pattern matcher (only available if Suricata was +# compiled with --enable-cuda: b2g_cuda. Make sure to update your +# max-pending-packets setting above as well if you use b2g_cuda. + +mpm-algo: auto + +# Select the matching algorithm you want to use for single-pattern searches. +# +# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only +# available if Suricata has been built with Hyperscan support). +# +# The default of "auto" will use "hs" if available, otherwise "bm". + +spm-algo: auto + +# Suricata is multi-threaded. Here the threading can be influenced. +threading: + set-cpu-affinity: no + # Tune cpu affinity of threads. Each family of threads can be bound + # on specific CPUs. + # + # These 2 apply to the all runmodes: + # management-cpu-set is used for flow timeout handling, counters + # worker-cpu-set is used for 'worker' threads + # + # Additionally, for autofp these apply: + # receive-cpu-set is used for capture threads + # verdict-cpu-set is used for IPS verdict threads + # + cpu-affinity: + - management-cpu-set: + cpu: [ 0 ] # include only these cpus in affinity settings + - receive-cpu-set: + cpu: [ 0 ] # include only these cpus in affinity settings + - worker-cpu-set: + cpu: [ "all" ] + mode: "exclusive" + # Use explicitely 3 threads and don't compute number by using + # detect-thread-ratio variable: + # threads: 3 + prio: + low: [ 0 ] + medium: [ "1-2" ] + high: [ 3 ] + default: "medium" + #- verdict-cpu-set: + # cpu: [ 0 ] + # prio: + # default: "high" + # + # By default Suricata creates one "detect" thread per available CPU/CPU core. + # This setting allows controlling this behaviour. 
A ratio setting of 2 will + # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this + # will result in 4 detect threads. If values below 1 are used, less threads + # are created. So on a dual core CPU a setting of 0.5 results in 1 detect + # thread being created. Regardless of the setting at a minimum 1 detect + # thread will always be created. + # + detect-thread-ratio: 1.0 + +# Profiling settings. Only effective if Suricata has been built with the +# the --enable-profiling configure flag. +# +profiling: + # Run profiling for every xth packet. The default is 1, which means we + # profile every packet. If set to 1000, one packet is profiled for every + # 1000 received. + #sample-rate: 1000 + + # rule profiling + rules: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: rule_perf.log + append: yes + + # Sort options: ticks, avgticks, checks, matches, maxticks + sort: avgticks + + # Limit the number of items printed at exit (ignored for json). + limit: 100 + + # output to json + json: yes + + # per keyword profiling + keywords: + enabled: yes + filename: keyword_perf.log + append: yes + + # per rulegroup profiling + rulegroups: + enabled: yes + filename: rule_group_perf.log + append: yes + + # packet profiling + packets: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: packet_stats.log + append: yes + + # per packet csv output + csv: + + # Output can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: no + filename: packet_stats.csv + + # profiling of locking. Only available when Suricata was built with + # --enable-profiling-locks. 
+ locks: + enabled: no + filename: lock_stats.log + append: yes + + pcap-log: + enabled: no + filename: pcaplog_stats.log + append: yes + +## +## Netfilter integration +## + +# When running in NFQ inline mode, it is possible to use a simulated +# non-terminal NFQUEUE verdict. +# This permit to do send all needed packet to suricata via this a rule: +# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE +# And below, you can have your standard filtering ruleset. To activate +# this mode, you need to set mode to 'repeat' +# If you want packet to be sent to another queue after an ACCEPT decision +# set mode to 'route' and set next-queue value. +# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance +# by processing several packets before sending a verdict (worker runmode only). +# On linux >= 3.6, you can set the fail-open option to yes to have the kernel +# accept the packet if suricata is not able to keep pace. +nfq: +# mode: accept +# repeat-mark: 1 +# repeat-mask: 1 +# route-queue: 2 +# batchcount: 20 +# fail-open: yes + +#nflog support +nflog: + # netlink multicast group + # (the same as the iptables --nflog-group param) + # Group 0 is used by the kernel, so you can't use it + - group: 2 + # netlink buffer size + buffer-size: 18432 + # put default value here + - group: default + # set number of packet to queue inside kernel + qthreshold: 1 + # set the delay before flushing packet in the queue inside kernel + qtimeout: 100 + # netlink max buffer size + max-size: 20000 + +## +## Advanced Capture Options +## + +# Netmap support +# +# Netmap operates with NIC directly in driver, so you need FreeBSD wich have +# built-in netmap support or compile and install netmap module and appropriate +# NIC driver on your Linux system. +# To reach maximum throughput disable all receive-, segmentation-, +# checksum- offloadings on NIC. +# Disabling Tx checksum offloading is *required* for connecting OS endpoint +# with NIC endpoint. 
+# You can find more information at https://github.com/luigirizzo/netmap +# +netmap: + # To specify OS endpoint add plus sign at the end (e.g. "eth0+") + - interface: eth2 + # Number of receive threads. "auto" uses number of RSS queues on interface. + #threads: auto + # You can use the following variables to activate netmap tap or IPS mode. + # If copy-mode is set to ips or tap, the traffic coming to the current + # interface will be copied to the copy-iface interface. If 'tap' is set, the + # copy is complete. If 'ips' is set, the packet matching a 'drop' action + # will not be copied. + # To specify the OS as the copy-iface (so the OS can route packets, or forward + # to a service running on the same machine) add a plus sign at the end + # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 + # for return packets. Hardware checksumming must be *off* on the interface if + # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD + # or 'ethtool -K eth0 tx off rx off' for Linux). + #copy-mode: tap + #copy-iface: eth3 + # Set to yes to disable promiscuous mode + # disable-promisc: no + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # BPF filter to apply to this interface. The pcap filter syntax apply here. + #bpf-filter: port 80 or udp + #- interface: eth3 + #threads: auto + #copy-mode: tap + #copy-iface: eth2 + # Put default values here + - interface: default + +# PF_RING configuration. 
for use with native PF_RING support +# for more info see http://www.ntop.org/products/pf_ring/ +pfring: + - interface: eth0 + # Number of receive threads (>1 will enable experimental flow pinned + # runmode) + threads: 1 + + # Default clusterid. PF_RING will load balance packets based on flow. + # All threads/processes that will participate need to have the same + # clusterid. + cluster-id: 99 + + # Default PF_RING cluster type. PF_RING can load balance per flow. + # Possible values are cluster_flow or cluster_round_robin. + cluster-type: cluster_flow + # bpf filter for this interface + #bpf-filter: tcp + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - rxonly: only compute checksum for packets received by network card. + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # Second interface + #- interface: eth1 + # threads: 3 + # cluster-id: 93 + # cluster-type: cluster_flow + # Put default values here + - interface: default + #threads: 2 + +# For FreeBSD ipfw(8) divert(4) support. +# Please make sure you have ipfw_load="YES" and ipdivert_load="YES" +# i../../etc/loader.conf or kldload'ing the appropriate kernel modules. +# Additionally, you need to have an ipfw rule for the engine to see +# the packets from ipfw. For Example: +# +# ipfw add 100 divert 8000 ip from any to any +# +# The 8000 above should be the same number you passed on the command +# line, i.e. -d 8000 +# +ipfw: + + # Reinject packets at the specified ipfw rule number. 
This config + # option is the ipfw rule number AT WHICH rule processing continues + # in the ipfw processing system after the engine has finished + # inspecting the packet for acceptance. If no rule number is specified, + # accepted packets are reinjected at the divert rule which they entered + # and IPFW rule processing continues. No check is done to verify + # this will rule makes sense so care must be taken to avoid loops in ipfw. + # + ## The following example tells the engine to reinject packets + # back into the ipfw firewall AT rule number 5500: + # + # ipfw-reinjection-rule-number: 5500 + + +napatech: + # The Host Buffer Allowance for all streams + # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) + hba: -1 + + # use_all_streams set to "yes" will query the Napatech service for all configured + # streams and listen on all of them. When set to "no" the streams config array + # will be used. + use-all-streams: yes + + # The streams to listen on + streams: [1, 2, 3] + +# Tilera mpipe configuration. for use on Tilera TILE-Gx. +mpipe: + + # Load balancing modes: "static", "dynamic", "sticky", or "round-robin". + load-balance: dynamic + + # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536 + iqueue-packets: 2048 + + # List of interfaces we will listen on. + inputs: + - interface: xgbe2 + - interface: xgbe3 + - interface: xgbe4 + + + # Relative weight of memory for packets of each mPipe buffer size. + stack: + size128: 0 + size256: 9 + size512: 0 + size1024: 0 + size1664: 7 + size4096: 0 + size10386: 0 + size16384: 0 + +## +## Hardware accelaration +## + +# Cuda configuration. +cuda: + # The "mpm" profile. On not specifying any of these parameters, the engine's + # internal default values are used, which are same as the ones specified in + # in the default conf file. + mpm: + # The minimum length required to buffer data to the gpu. + # Anything below this is MPM'ed on the CPU. 
+ # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. + # A value of 0 indicates there's no limit. + data-buffer-size-min-limit: 0 + # The maximum length for data that we would buffer to the gpu. + # Anything over this is MPM'ed on the CPU. + # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. + data-buffer-size-max-limit: 1500 + # The ring buffer size used by the CudaBuffer API to buffer data. + cudabuffer-buffer-size: 500mb + # The max chunk size that can be sent to the gpu in a single go. + gpu-transfer-size: 50mb + # The timeout limit for batching of packets in microseconds. + batching-timeout: 2000 + # The device to use for the mpm. Currently we don't support load balancing + # on multiple gpus. In case you have multiple devices on your system, you + # can specify the device to use, using this conf. By default we hold 0, to + # specify the first device cuda sees. To find out device-id associated with + # the card(s) on the system run "suricata --list-cuda-cards". + device-id: 0 + # No of Cuda streams used for asynchronous processing. All values > 0 are valid. + # For this option you need a device with Compute Capability > 1.0. + cuda-streams: 2 + +## +## Include other configs +## + +# Includes. Files included here will be handled as if they were +# inlined in this configuration file. +#include: include1.yaml +#include: include2.yaml 
diff --git a/tests/alert-testmyids-frames/input.pcap b/tests/alert-testmyids-frames/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..8fb6832de69b21a5981f5eab3f5820dec990de8b GIT binary patch literal 1104 zc-noE-A~g{7{=f314*%Am>7vyCtS!JY-_tOXc$5iK?b^D4cE0hj3umH+729lfJ9@$ zohZaa5(ytSMx!?-P7`i0+&M3d8n1+yC|;^}dQO`KSe7+;o1XXd{PLXVeLieIUv+^8 z4j&INtk9b)}Ad_wje#f zv;La?{Mcpq9?b%{Jl+=`S2N3+{w~^Q-0l;U{I|so{bWtcVLE)9%mWO7&?IS;O6icU zY%T4-KS${0!l|{4_R1kwX~~mrh!ax0o=*SblCAS=jm|P5cBXx>cfsr2_6eaZ5Wqq` zN@?+dO}ST>(hhrP-vJB{$ta9QWH}ucLITH*=%yv1xw*NJg-t78%4N)us^>ZOhKY^f zU>0j+TP+$h;Y27J3Go~|sH(U?nt^bDV>y<}+WhW?KBB0vo>hL?pjPd>Ypm*=-`QwQ z`5lIlFSj;&+Br917bqGCz+7scaYq4#_{rJL&~yE`COOMMkpH& -- " + # # type: json + +outputs: + - fast: + enabled: yes + filename: fast.log + append: yes + + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - frame + - alert: + payload: yes + payload-buffer-size: 4kb + payload-printable: yes + packet: yes + http: yes + tls: yes + ssh: yes + smtp: yes + xff: + enabled: yes + mode: extra-data + deployment: reverse + header: X-Forwarded-For + + - unified2-alert: + enabled: yes + filename: unified2.alert + xff: + enabled: yes + mode: extra-data + deployment: reverse + header: X-Forwarded-For diff --git a/tests/alert-testmyids-frames/test.rules b/tests/alert-testmyids-frames/test.rules new file mode 100644 index 000000000..025811af0 --- /dev/null +++ b/tests/alert-testmyids-frames/test.rules 
@@ -0,0 +1,5 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
+
+alert http any any -> any any (flow:to_server; frame:http1.request; content:"GET / HTTP/1.1|0d 0a|Host: www.testmyids.com"; startswith; bsize:81; sid:1;)
+alert http1 any any -> any any (flow:to_client; frame:response; content:"uid=0|28|root|29|"; sid:2;)
+alert http1 any any -> any any (flow:to_server; frame:request; strip_whitespace; content:"GET/HTTP/1.1Host:www.testmyids.com"; startswith; bsize:66; sid:3;)
diff --git a/tests/alert-testmyids-frames/test.yaml b/tests/alert-testmyids-frames/test.yaml
new file mode 100644
index 000000000..96ed7f0f9
--- /dev/null
+++ b/tests/alert-testmyids-frames/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 7
+
+checks:
+
+ # Check that we only have one alert event type in eve.
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+
+ # Check how many lines were logged to fast.log.
+ - shell:
+ args: cat fast.log | wc -l | xargs
+ expect: 4
diff --git a/tests/alert-testmyids/suricata.yaml b/tests/alert-testmyids/suricata.yaml
index 96d5f0734..c9638cf5b 100644
--- a/tests/alert-testmyids/suricata.yaml
+++ b/tests/alert-testmyids/suricata.yaml
@@ -31,7 +31,6 @@ outputs:
 filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
 filename: eve.json
 types:
- - frame
 - alert:
 payload: yes
 payload-buffer-size: 4kb
diff --git a/tests/alert-testmyids/test.rules b/tests/alert-testmyids/test.rules
index 025811af0..9f1307bdb 100644
--- a/tests/alert-testmyids/test.rules
+++ b/tests/alert-testmyids/test.rules
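Review bot: The three frame rules (sid:1, sid:2, sid:3) in the new tests/alert-testmyids-frames/test.rules have no `msg` and no comment, so an alert in fast.log or eve.json can only be attributed by its sid. Nothing records why sid:1 is written as `alert http` with `frame:http1.request` while sid:2 and sid:3 use `alert http1` with the bare `frame:response` / `frame:request` names. If the mix is deliberate coverage of both spellings, which seems likely, a comment above the rules would keep a later cleanup from normalising it away, for example `# sid 1 uses the protocol-qualified frame name; sid 2-3 rely on the rule's app protocol`. The `bsize:81` and `bsize:66` values are tied to the exact request bytes in input.pcap, which deserves a one-line comment so a pcap swap is not mistaken for a detection regression.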
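Review bot: The two checks in the new tests/alert-testmyids-frames/test.yaml assert only totals (`count: 4` alert events in eve, `expect: 4` lines in fast.log), so the test would still pass if one frame rule stopped matching and another fired twice. One filter per rule would pin each detection: under `match:` put `event_type: alert` and `alert.signature_id: 1`, then repeat for 2, 3 and 2100498, each presumably with `count: 1` given four rules and four alerts. The copied comment `# Check that we only have one alert event type in eve.` no longer fits a count of 4 and could read `# Four alerts expected: sid 2100498 plus frame rules sid 1-3.`. The suricata.yaml added for this test enables the `frame` eve type, yet no check here looks for an `event_type: frame` record. The total-only check kept in tests/alert-testmyids/test.yaml has the same shape.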
@@ -1,5 +1 @@ alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;) - -alert http any any -> any any (flow:to_server; frame:http1.request; content:"GET / HTTP/1.1|0d 0a|Host: www.testmyids.com"; startswith; bsize:81; sid:1;) -alert http1 any any -> any any (flow:to_client; frame:response; content:"uid=0|28|root|29|"; sid:2;) -alert http1 any any -> any any (flow:to_server; frame:request; strip_whitespace; content:"GET/HTTP/1.1Host:www.testmyids.com"; startswith; bsize:66; sid:3;) diff --git a/tests/alert-testmyids/test.yaml b/tests/alert-testmyids/test.yaml index a7b2a4bf9..b6ce41dc8 100644 --- a/tests/alert-testmyids/test.yaml +++ b/tests/alert-testmyids/test.yaml @@ -6,11 +6,11 @@ checks: # Check that we only have one alert event type in eve. - filter: - count: 4 + count: 1 match: event_type: alert # Check how many lines were logged to fast.log. - shell: args: cat fast.log | wc -l | xargs - expect: 4 + expect: 1 diff --git a/tests/http-gap-simple-frames/README.md b/tests/http-gap-simple-frames/README.md new file mode 100644 index 000000000..73de7efbc --- /dev/null +++ b/tests/http-gap-simple-frames/README.md @@ -0,0 +1,13 @@ +# Description + +Test http gap handling + +This test case contains a single simple gap in response body with defined content-length + +# PCAP + +The pcap comes from running +`python test/htptopcap.py toaddgap.txt` +With the attached toaddgap.txt + +Then removing packet 17 
diff --git a/tests/http-gap-simple-frames/input.pcap b/tests/http-gap-simple-frames/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..5edd0f198d51e6a6e2a96f3aae46a6253d3aa59f GIT binary patch literal 2818 zc-pm<%Wo1<6o)TR9~n!uCc?N7raMinFtk<6#!{&@!A6Ss0NMh@5lBXc(82gf)PxO5 zyJ%OWabay@qB~;ZPLn34hAyyCn`#;tZZuu?FK9iNJJ5myy_4vKL&(hV-S7P72k$|l4r;LGXgb@tl1p<%y~xh7=p2^lBnN=IV}!N^>c zQYj%OC#95=i;2=CIVD5$UH%7Y;K{;$*_M#+iaQss2&uT7aB{q(n#=D1^<0#or*+8X zt6DDYL4+ zsWNR2x@kKQqMo)5SaTD+SJk`+fb$HIQaFW{92PiJdraHE9HevhYRkzG^`qL%mn|M> zc}1<|g%Ir^Sv<9t8wSZ$cVOy@HoHJGyTYg@P8>L&)HpZBsJo1-bZJ)a^6{7^yKI9U zrkXLQL~oaEVrTx_?w2;Z9N3lB>=wqU?Q-;XpT{-X%{H^+!_-?1;jqB*)^jRbO*h?E z;|B2RF^; z%T_%Eu&frqqX=z~R(&Oa4)q}CwD}kseAp`I(1b=#hdReSLEV=DSjQU%1asIw&5Xx0 literal 0 Hc-jL100001 diff --git a/tests/http-gap-simple/suricata.yaml b/tests/http-gap-simple-frames/suricata.yaml similarity index 100% rename from tests/http-gap-simple/suricata.yaml rename to tests/http-gap-simple-frames/suricata.yaml diff --git a/tests/http-gap-simple-frames/test.yaml b/tests/http-gap-simple-frames/test.yaml new file mode 100644 index 000000000..0674235b3 --- /dev/null +++ b/tests/http-gap-simple-frames/test.yaml 
@@ -0,0 +1,56 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 7.0.0
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+
+ # Check that there is one file event with content range.
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/1"
+ http.status: 200
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/2"
+ http.status: 200
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/3"
+ http.status: 200
+ - filter:
+ count: 2
+ match:
+ event_type: fileinfo
+ fileinfo.size: 14
+ fileinfo.state: "CLOSED"
+ fileinfo.gaps: false
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.size: 70
+ fileinfo.state: "TRUNCATED"
+ fileinfo.gaps: true
+
+ - filter:
+ count: 1
+ match:
+ event_type: frame
+ app_proto: http
+ frame.id: 1
+ frame.stream_offset: 0
+ frame.type: request
+ frame.length: 40
+ frame.direction: toserver
+ frame.tx_id: 0
diff --git a/tests/http-gap-simple-frames/toaddgap.txt b/tests/http-gap-simple-frames/toaddgap.txt
new file mode 100644
index 000000000..c6859edfa
--- /dev/null
+++ b/tests/http-gap-simple-frames/toaddgap.txt
@@ -0,0 +1,53 @@
+>>>
+GET /1 HTTP/1.0
+User-Agent: Mozilla
+
+
+<<<
+HTTP/1.0 200 OK
+Date: Mon, 31 Aug 2009 20:25:50 GMT
+Server: Apache
+Connection: close
+Content-Type: text/html
+Content-Length: 12
+
+
+<<<
+Hello World!
+
+>>>
+GET /2 HTTP/1.0
+User-Agent: Mozilla
+
+
+<<<
+HTTP/1.0 200 OK
+Server: Apache
+Connection: close
+Content-Type: text/html
+Content-Length: 70
+
+
+<<<
+AAAAAAAAAAAAAA
+<<<
+AAAAAAAAAAAAAA
+<<<
+AAAAAAAAAAAAAA
+<<<
+AAAAAAAAAAAAAA
+<<<
+AAAAAAAAAAAAAA
+>>>
+GET /3 HTTP/1.0
+User-Agent: Mozilla
+
+
+<<<
+HTTP/1.0 200 OK
+Server: Apache
+Connection: close
+Content-Type: text/html
+Content-Length: 12
+
+Hello People
diff --git a/tests/http-gap-simple/test.yaml b/tests/http-gap-simple/test.yaml
index 8576dfb13..c47eb7973 100644
--- a/tests/http-gap-simple/test.yaml
+++ b/tests/http-gap-simple/test.yaml
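Review bot: The only frame assertion in tests/http-gap-simple-frames/test.yaml is the first request frame (`frame.tx_id: 0`, `frame.stream_offset: 0`), which appears to lie before the gap this test is named for, so no check exercises frame handling across the gap. A filter on the response-side frames of the `/2` transaction, with values taken from eve.json, would cover that. The leading comment `# Check that there is one file event with content range.` sits above three `event_type: http` filters and does not describe them; `# Each of the three requests is logged with status 200.` would fit. This file also writes `min-version: 7.0.0` where the sibling frames tests in this commit write `min-version: 7`; a single spelling would be easier to search for.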
@@ -42,15 +42,3 @@ checks:
 fileinfo.size: 70
 fileinfo.state: "TRUNCATED"
 fileinfo.gaps: true
-
- - filter:
- count: 1
- match:
- event_type: frame
- app_proto: http
- frame.id: 1
- frame.stream_offset: 0
- frame.type: request
- frame.length: 40
- frame.direction: toserver
- frame.tx_id: 0
diff --git a/tests/smb-eicar-file-frames/README.md b/tests/smb-eicar-file-frames/README.md
new file mode 100644
index 000000000..4ac0b29d7
--- /dev/null
+++ b/tests/smb-eicar-file-frames/README.md
@@ -0,0 +1,12 @@
+# Description
+
+Test SMB EICAR file rule.
+
+# PCAP
+
+The pcap comes from running Linux client smbclient against a Windows 2019 Server (with a shared forlder public wihtout needed authentication)
+Command is
+`smbclient //192.168.1.3/public/ -U % -m NT1`
+Than in the smbclient shell :
+`put eicar` where eicar is the name of a file with the EICAR contents :
+https://en.wikipedia.org/wiki/EICAR_test_file
diff --git a/tests/smb-eicar-file-frames/input.pcap b/tests/smb-eicar-file-frames/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e97b433c4805aa28ce91c18d15fabcf6aff5a4b0 GIT binary patch literal 4479 zc-qZadrVVT82|2VX|MHxC}?r&DsurOV0nmOETgs{oj^NU-$p57j5GM2b2=jeiSPHT zQ#U{}vt>)|9%eppBI;(0f3dkZXZ&Z;EK78{Oy^_c?mORYYkNJEEc<8o=G=4dx##@O z_xpXnb9&+X3!k@&poQm$7M9{Q@x-{^y%$G1TiWKV`TKUpRZxU=iDoBYt)L09jr!QNcz$Nf5Lm!(54&1qfEak2fu_ zgW}z!inkhZ1FrsXyRlQ@?U*9LQ-pY`!qMat&aZ);3@7dzE{+jyH|-@(U(4=_3Cq}> z(RLZ4jxL$1Lm;|rrpgk}RA<#BldH-(vC3Lu%FZ%_SmCf$Io-}uPw2IqwdZnQ`*7Vb$jb-ydYM3g71}S*<*#toRytJO2jXb z;0y+OhM%QR`~xUU4XP{!^r@#(Tt-vkieWTvU04YpUx|cXpvggatyP(Z9e@2S)Gxg8 z;O5IWuL&1r7zYWrEw}uIvnL%e?r{I~XMTKjnogIY6XN2;mf_~1Ekn#kodKV^5 z93F9RU{vy#@XaCA2FmHD0Hyryc6OP+b-#USuBM($Cx{lI)RD+O$efd4=2U zqOnO0QVkoM7KCTDP63UF$*>3(z$(0VgBR+c2CoXwqX#AE!fssxFZIGb|3H@dZ;PT+ ze?Awvc3|oUUc5rXI*8{WfOa2;r-Uh&p#!Ig7Y+!m4MJ~ogP?EG7zCj;n$-FS+V%HB zv_u>|9M1xxx4GtO+u9qZI$ncECRLsmGsD;JwHY^7dW@sKPgOzkOK@N_~hC*sz zfmvfcz4)dUTe4v+p81gbpHT84ix8L_wj7ekG-RB})gzGW9|iW1>%UUDzQZDRJVDn# zY-*vzT#4y=NmRRjRoL}Apmn8r#gS#&B_R`Nf&-_;s3kmE-5<|tW|qxR6Y~D16NanX zk~aPAJuu^UZ~k|a%D{;tc;M2*LqivIuBj~?vS4#vXTz)*Yvk!M2_ED9W7YOJI+0ZQ z#h*yqqb+)kbUe|gp5DpU$h8z2*A`aA$5#c{NE<%%f?d$6H^;H{@xOA%hL0s&aX^K$ zCvFVvrM-1zv^!4kw1^i@p*y;oa)|6Kro&qtcgQl+LBn(a=!5v#*cne2TMovNjnNcP z&0?AbF3i~kTu~0NF%8*4ahm)Rtj3nrs(i^w6z7}%B+6HNbiOW}!dUNPz6M-srg25# zIMw-*lsNS=6hU7&Ck&+07p&uO-FtAIyMu}qI(xX~#VX~}P@0DS*405=8@Q^^CQ!1`zf&ZJw!i+Ld>2O~~tBYw1kQaCs}13tnra&efF z<0#TvM&t-jN%BS<80mwjU%0th7!cKsZEJB@im{0FZN$7j57+5jT6^qZ@qV!#;3z01 zQuu;$ig%BHFbTgeTKJ2381pVB{LEuCZhkmkA3xp{8RoNaSS$rw7vEyPPTkce==NYC zcWwu6suDt}dXFStr;>OVhTR;Qsv*1aa{`pYNmU?lkbaCFadB9xW>82?jQZ$qQ>BA` zl&a!rBKBYdPBd+dbA;>FVykOr-YnOQX=C!zT(i^1+HC1#*N!Z4*sN8VZjZInZmqIs zS}Q${DUPbi?o3aK+ml)9C@&c?vMi%)6yq~vAHYIT3TF+?^cyLaS5>KO)~B{5V=5Es z*U-4pVLm=SADs-NF@9Noo{|y!0llRZj+B!FhbSekXery0ar#asWut{0|u;qXoKCllW;72i&rxYX6(l(0>RbXDp`0ob3MbNFaZ{}4j^fs2Of zefA-ZdnHW4$EOgSE;&Ptz26)r#okpZR*F+T37I$ 
any any (msg:"EICAR file"; flow:established; file_data; content:"|58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a|"; sid:1; rev:1;) diff --git a/tests/smb-eicar-file-frames/test.yaml b/tests/smb-eicar-file-frames/test.yaml new file mode 100644 index 000000000..a6b45a922 --- /dev/null +++ b/tests/smb-eicar-file-frames/test.yaml @@ -0,0 +1,30 @@ +requires: + min-version: 7 + +# disables checksum verification +args: +- -k none + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + + # Check for something in the files array, which is an array of + # fileinfo objects. + - filter: + count: 1 + match: + event_type: alert + files[0].filename: "\\eicar" + - filter: + count: 1 + match: + event_type: frame + frame.direction: toserver + frame.type: "smb1.data" + frame.stream_offset: 853 + frame.length: 100 + frame.payload: "Dv8AAAAAQAAAAAAAAAAAAAAAAAAARABAAAAAAABFAABYNU8hUCVAQVBbNFxQWlg1NChQXik3Q0MpN30kRUlDQVItU1RBTkRBUkQtQU5USVZJUlVTLVRFU1QtRklMRSEkSCtIKg==" diff --git a/tests/smb-eicar-file/test.yaml b/tests/smb-eicar-file/test.yaml index 8d0257fdc..ad7a26e07 100644 --- a/tests/smb-eicar-file/test.yaml +++ b/tests/smb-eicar-file/test.yaml @@ -22,12 +22,3 @@ checks: match: event_type: alert files[0].filename: "\\eicar" - - filter: - count: 1 - match: - event_type: frame - frame.direction: toserver - frame.type: "smb1.data" - frame.stream_offset: 853 - frame.length: 100 - frame.payload: "Dv8AAAAAQAAAAAAAAAAAAAAAAAAARABAAAAAAABFAABYNU8hUCVAQVBbNFxQWlg1NChQXik3Q0MpN30kRUlDQVItU1RBTkRBUkQtQU5USVZJUlVTLVRFU1QtRklMRSEkSCtIKg==" diff --git a/tests/smb-named-pipe-ascii-frames/README.md b/tests/smb-named-pipe-ascii-frames/README.md new file mode 100644 index 000000000..915aaec4f --- /dev/null +++ b/tests/smb-named-pipe-ascii-frames/README.md 
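Review bot: The frame filter in tests/smb-eicar-file-frames/test.yaml pins `frame.stream_offset: 853`, `frame.length: 100` and a base64 `frame.payload` with no comment saying what they represent, so anyone updating the test after a change in SMB1 frame boundaries has to decode the blob by hand. The tail of the payload decodes to the EICAR test string, so a comment above the filter such as `# smb1.data frame of the write (presumably WriteAndX); payload ends with the EICAR test string, base64-encoded` would document it. The filter also appears to depend on frame payload logging being enabled in the moved suricata.yaml, which is not visible here; noting that dependency in the README would help whoever edits the config next.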
@@ -0,0 +1,12 @@ +# Description + +Tests SMB ascii named pipe instead of unicode. + +# PCAP + +The pcap comes from running Linux client smbclient against a Windows 2019 Server (with a shared folder public without needed authentication) + +Needs a Proxy that sends the connexion smb packet without unicode flag. + +Command is +`smbclient //localhost/IPC$/ -U username%password -m NT1` diff --git a/tests/smb-named-pipe-ascii-frames/input.pcap b/tests/smb-named-pipe-ascii-frames/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e0dfc897bbfc9bf782aace52d0b0ecbc84a21fc2 GIT binary patch literal 3878 zc-qZYeN0nV6hHU1lu{TJM8NN=GeOD9Yr#@YqaYu`pdX=Zk_?4bm~)FbQ0L|{t;K0J zohUJ}iFHyx$dpu#82=$C!I_~m#uznVm&Le%n?&6bozp4Zx%W||(FOT0Jl-TUsl z_jk|vo!>j}UO#`z!+{iD7Ae%>{m)w~mhFutP=fsuVVHmn__SUpCHC~e59@61%JK9aBH*@vMhJFA}8gW|6$rX1G%q*beL?Vf#*i(`T4TNI|4T1$qA8i6jO(odIZyp+nef( zq4xe19b)fA#BH%Cp|9bZ;P)xSd4>?r#BuKV-e7(gisGa|-BzFSY;_SFD}h7sx)dIIAc+6so82SC=0x{((w$@7a4RxNsh^w zV`6Jdj2gAJoaeQ`<(aK2;f+?U2~1*Lt8JCt2ArvE=)JHleKe|gwMNUBFij`Wj)u02 zN2%4YltoD&5~UV*+p+DI6jkD-7PfBFFcU6uCgP(&qD6RVj<5|a&wn9~UT#yr{K*aS zy&vYov)1IO1Gl>uef7K}>F%SG8>&)evNRcqh~S#1@{^k<@+mR}K1+!+i{qw_=qsoz zwbR3hBbJFHDmbXewhwq4XQMdo2gETal|T*X7{pAaM+-#aM1AQ1~ad0<#ZL$7}n9QwxD?zYx64E?w~ zBU{$R{7eGqbcy(>#E|=;3%7_Pdx^(MqIoBYY?dep@dP`y`48#l2LZP@Ts;-5p1Jq6 z{qV`pE$h$JbOexHSl`7~0n78Ln@gYwOz;*Maa0eBU@o>rz(WD#U~=OSY3vy!>W2kk_%OR zEEiDyEY9QP6ugs@9dwchQYX0=5QBuGVJ*itlVp;Qu}#2w7$GKOJwvFGa=3=A66-A@ zd=r6hVEw*=>yDV;Y=<<1drlY{PQWY5#oK4|H_WI#*nUs9f8OOCH;Ax)IAn&z{uuwn z4hwViHI$SL5h(EabQ_;#$Sbbrm0`z!C6F;wR9o1p!m*cLaU8R6JY&))ii1oxJY|;7q>j{yFe&IGf_CY4)-OkFH<~xI zVL9V%XE1L~I^0r6dHXv%WINZG+pWay#$+jpu|z_=)8Up&N3vwz76vDo;eaSk{7akz yU&&wrLM#w>Kh;pp+&>-S{!+xsvM5!`6^?+T6s`7~FlaRltxXgy5n$Vn0NOtWbCoy% literal 0 Hc-jL100001 
diff --git a/tests/smb-named-pipe-ascii/suricata.yaml b/tests/smb-named-pipe-ascii-frames/suricata.yaml
similarity index 100%
rename from tests/smb-named-pipe-ascii/suricata.yaml
rename to tests/smb-named-pipe-ascii-frames/suricata.yaml
diff --git a/tests/smb-named-pipe-ascii-frames/test.rules b/tests/smb-named-pipe-ascii-frames/test.rules
new file mode 100644
index 000000000..b8d6203dc
--- /dev/null
+++ b/tests/smb-named-pipe-ascii-frames/test.rules
@@ -0,0 +1 @@
+alert smb any any -> any any (msg:"Ascii named_pipe"; flow:established; smb_named_pipe; content:"IPC$"; sid:1; rev:1;)
diff --git a/tests/smb-named-pipe-ascii-frames/test.yaml b/tests/smb-named-pipe-ascii-frames/test.yaml
new file mode 100644
index 000000000..c50c51d0c
--- /dev/null
+++ b/tests/smb-named-pipe-ascii-frames/test.yaml
@@ -0,0 +1,35 @@
+requires:
+ min-version: 7
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+
+ - filter:
+ count: 12
+ match:
+ event_type: frame
+ frame.type: "smb1.hdr"
+ - filter:
+ count: 1
+ match:
+ event_type: frame
+ frame.type: "smb1.hdr"
+ frame.stream_offset: 4
+ frame.length: 32
+ frame.payload: "/1NNQnIAAAAAGEPIAAAAAAAAAAAAAAAAAAD+/wAAAAA="
+ - filter:
+ count: 1
+ match:
+ event_type: frame
+ frame.type: "smb1.hdr"
+ frame.stream_offset: 1098
+ frame.length: 32
+ frame.payload: "/1NNQnEAAAAAGEPIAAAAAAAAAAAAAAAAAQhkBgAQBQA="
diff --git a/tests/smb-named-pipe-ascii/test.yaml b/tests/smb-named-pipe-ascii/test.yaml
index 88eaf0537..54b53cc40 100644
--- a/tests/smb-named-pipe-ascii/test.yaml
+++ b/tests/smb-named-pipe-ascii/test.yaml
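Review bot: The two payload-pinned `smb1.hdr` filters in tests/smb-named-pipe-ascii-frames/test.yaml omit `frame.direction`, while the sibling smb-eicar-file-frames check sets `frame.direction: toserver`. Stream offsets are presumably counted per direction, so the same `frame.stream_offset` can exist on both sides of the flow, and only the payload match currently disambiguates them. Both pinned headers decode with the SMB reply flag clear (flags byte 0x18), so they look like client requests; `frame.direction: toserver` could be added to each after confirming against eve.json. The `count: 12` filter likewise mixes both directions, and splitting it into a toserver and a toclient count would show which side regressed.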
@@ -13,25 +13,3 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1
-
- - filter:
- count: 12
- match:
- event_type: frame
- frame.type: "smb1.hdr"
- - filter:
- count: 1
- match:
- event_type: frame
- frame.type: "smb1.hdr"
- frame.stream_offset: 4
- frame.length: 32
- frame.payload: "/1NNQnIAAAAAGEPIAAAAAAAAAAAAAAAAAAD+/wAAAAA="
- - filter:
- count: 1
- match:
- event_type: frame
- frame.type: "smb1.hdr"
- frame.stream_offset: 1098
- frame.length: 32
- frame.payload: "/1NNQnEAAAAAGEPIAAAAAAAAAAAAAAAAAQhkBgAQBQA="
diff --git a/tests/smb2-07-frames/20171220_smb_psexec_add_user.pcap b/tests/smb2-07-frames/20171220_smb_psexec_add_user.pcap new file mode 100644 index 0000000000000000000000000000000000000000..d0f5196fd5eb6aac18719b8611a2e78a3da4e923 GIT binary patch literal 244870 zc-ri}3s_WD_b`5D<^ZD(%%~u!sHk|$ODLisqM!_7fexZGq5_&q<77%OgO(zfVT|E4 zYG!7sh1aaC*GdI%HHa~2rg%xsOHrX69V$vv(9!d)wa=MhAba2U_kaH1_dMV8eAJwM z&faV9z4lsbuf5jV`y4M;ezr|a(UkL#<0wi5Y0mrCQiASKR4K*(LPH^2ETsl?$w*m! zV=jW~I*K0W^R>Nn$4s_nN#N@c?L1Du}C{JiJ zfbyq0QUeg*(BbW=-O#{pcYN~>Fao}rE%<)>(S*W*y+?iYM0_*z|0PNgc_6;xqb>Np z`W4?A;_K5I-)>Yp^`iOuMK2CjP5d8Wy$rB^?^}wRLh(PIB78qmN=Z@C{(cmd-*HV( z>z?+#;Me|CXDW;u^5X2p&x?3Q!5_UWbKZis{Q}O|`tZvXwT9w<&UX1ep!NI&Sv0gB z@C&w#Jy2oL{^IOui=Q_cN$aA2ZoO@mCj$E@r~#4%^M_l5+iRC*>tCFgtzVdB4ThGw zQ&jS+wtCyIQm*ByF3EhQ*Zz0_Kr^#|8K`RP9^?#IQtWvYyW$k=gDYl z0_0A3l8lY?4*)6foHD{GW7a~^F?LzL1KY_L2T>Ll_(pr|7fB>yk%$&!i>ZoMEw+}c zkqO?|V%I3AT#1fZ3oGXxoCB>s%I_3J`F3`-D0Q~@60|r9S{wBw90&S$B{)X4!SNBa znyOMn4;p!lqOg^%(8{++`zN(x^Y4bOByN3TD*@4i7Q9D@x0y>$oREcg0m;>FyaVmX zJtjBHDY0r|&=lo#&D3en2C1e^oir^bF=#l1=ec2MZB;qw44arm$iGebf~IID~pHk=YqnI4po7!)#WIAjA7K_i9{2>y2b z`0-?rYdX=?2w*h++7e$BoZy3l3`l50{8V;X!4_43i29O@jB0uejYhl4rHJ~U{l$PL zMA6=R=)>=O_VtS?dGTaw*`;-}y-2CT^&4DPf3ru-1yOZf#vgu=<^%QcZ*GpK=U`8f zhljXyafq&TY{(eT_V7%L3P+2@Jw4k!wK~4=ekYMwOm0{6x9wfG5;y4fJDv&|SlYjP z@RFta^aTqu7A;x0Abru2^l5PuM-Cqy9-X;(;k@jH>5HCUvNUTUQg9bga690z{Yhf7 z!M{5Zle4YGq+mKj5Z+R{!Jb$(|&&yKSWrb4Y`Ci$-=lOq&G4fpTe<{yz_|nu0pacHe z@?7?!e;`sY=C9T~FO*i!E1v;8|LC({5r0_>PeGADwO%gDi2q9pb_Gx;wP#YdJ2>;_ z7IwJlqD^6k??MVYd|Mh4GVGsd;zl($nrtuZ@E%>*VKcP$mK(T;T2k0yH8fdR3M$-V z8(e(0dr3T~An18VA^qjNLi$KZAzj87%e#9|oH}Lt)a0qd5~fa!N!T77(g#b#+q#Ez z?M}~Ml#$)NBdqen1QTEwF#({RWza@8LUzI~B-;z=g>)f3@2}XYS4UE#URbf1y))%t ztRdv97xq8Zy`iG{R=~vH=graG7|?aqtw_sLeb+9i%aY%VPJijusNAt}f5g9ZMKk-k zJ<|?eH@Bbl$LpN}wpUjDl76wDJmb%HiK*Iafs;x;51TD|cjnK!1HV+g_}Qrojt6n; zJnDY?Vd=*4Ul=^zd**|C_cKRtT+@5Zy4dmBiBFA>9Cp8V_QZe(f37NMcjU8aZ+kyh zYS--;)$}+f!*+Dd;P~wuj?Xq%jC|$B5+8cUrKG19=guDb7u#HOXWFiFAC_KOyKY0s 
zU#s=~B)d0M*g(7xbaX*j>qTQ4qekzH(x(}Gbt&h zY4?N3$-M_Q91j{dMN*QmQYH^+H*|iF73=h+8Nn0Mhd4G@zcKaRkWCj(Z~l3}i*F|_ zUwrJxFK)2G^ZS01=$Lfu)x#NoeQ@yMZJ!TkhNQ2QjTunt8Jp_}|FC-NqW))p z>@eoc3Q?81on+O;^DCQIjPcmDJ-O4R%FBb#=U@1I>XD=CSMB=rP;HeZJhotdjyLmT z__~yhTTXPaz1>`PZbd@C&P)5g9K=M`Ea((aX83LV-RzTJ-n?)voIHjyGeDXY{}RwC(tI z@!+X{ozLH34*1=$eQHB$a<3zwH;){&Thr97?`ys0tXY2lP@iwAu56we_9>@)_04B5 zpX)iP=GS)Ls@3zG&W=32_+giKLuamdE9d;xwK}182jnSUE!uj8iJ-0Dy(x+>Dca+4XJd~(Hzufh zetbHn_tq~OH~sYayA|s?j7lyVbavA-2}@(=pYV1KBI(@OG{n$CLAAW)U;kmd~U;I4K_wCGW;r4elX6+%b$+zE zTg}3S?~MIou z^^@Bjja%}jY`IAKu7$4jFifAa*T2sn=a*NEnM%FsxYa-VqppT$4$W+CHYc3=^wI;b zked5?LCkFIh5%luy_rL9a_)(4h z;jr}j8pEnncT`V*ViG+v&2c<@D?Qng)UGVM-;_lU^w~ePyV_s9{%Z2gPO8wvUCFnY zbUON&}Ib)pc_^aRi+&`lCnb$2h>L0(CHQX!l z^{%^CG|t#{<3o+I>-^h6ALpb+jNRXJMPQ$;SC)qRynVl$F+Non(cw<{v9+J5u9v;u zzf10)A9vW$DMfk5KWIsr*R;d_Geqxal?}Tx>d^A8yL8)5mX25#o;igzlt*NY{VU*3 z^v?%8c0d2);ro^K?>~F~-giGOcywst3zJ`&G$LoCuP4p*xbwpMp;L>*-x)u7&^s%q z*Vg=b$-l3AuYJZBv1?zi-4!jp*<=_veuiz&u=qE8zs%_O%TI53KZ>@{vv#kjFBx$r zZ})`Ll3O?aGhb7sx^Gim~}yB}*Db*oEoh}t9a>xqB9 z`^=4_&)(W|=>(OY%YOIC>Vf-yw|;O;s}JXj9?E3(%ALcz4b+94{N&HPC6V`2OlnS& zl>Po!)%R}g$)EFG=8(rxlixa)`W02J(q?!kY)-z=qu14{>>-;5|0>_Op|a1wsyAlc z%6z*y``*!>8!MUg?1h%WA2Bcev9|GWe%dP=PVOyVp}BtX%V!>$QM~_v7Jy`R8@VPnNRgCVBfa>ng-gJ0esD5kJd!mCkR{Sdd z>CTLwW9YGqPbXaZc+v7c)6VAmdra80f6t&R=SzZ_%0Hf;xFx>&$`HlmLGQ;c{^qUY zo$p^AG&Oh2+*Pyw*g2>)!0XxPJ8!=9%giC7dTZ^kA17F3wf2It8w;Dm=6A7Oo^6DH2-G1-1mI_J5SMY`o*zwx2z?bGpp zZX5A!@w_7C>E#1HI`>k8agonEK}(*_dw*BwE^CimXdbiYsoBSWnfk%q@A@SljfoHL z77+j8{9)r$*AF`Qen)%CuOF|Sz5LG6FQ2}%vb}hc_w{Y7rw-Dqb_M%B9@fj?Dg7k{Be)PmH|!bU%XCaU5W1AZ+`RE&*|Zs z?NweCfs4MApYgrac~Rk^&5n~Y>B%|0K5RF;asB)^&PgsE74M$;?3|Bwbn%e;6}|dW z{J4p$DBGjGqdxz-#}4|^{ou#nl}_j}VaB#vsrh*M#*N!X=^cyCf1vJDo1Idz?2{?a z4$S*=*@pvmH@(~Mz*ig3c3!e-*;nCv#MKk)OZLZletqvbbM3zJfVXoxZXP$Q;@5%C z-nzc;>7rpj%xV|3@{bpD{Acw`7#BCwbNNDiwrzJ#vGYko8}7EJH4Pl}!lOi+;M zNnC4Zu6zc&Y)zs{A)*$%>vS5hEr&l%jRB8h%#$3$AqgFcV;J+qw!ksWRP&BZTeqg& 
zKe#oMDT)TamFgt#uyLMdx!10cF(XStc2psJJXKC@D>x8R@L8#(y@=Y@!OeHsUa*xe zcxP^byH_HnmKMAkQc&dbN#xs?hve{U_)_{s*;AdzRPR~vH2wR-d7ieMf1PXm{5NTo zPtw(?BWGUqIhF45iDQa>%<(1k`d5Fee=7R%gt=?HJC=Rt-=UNl@^I~fq%mhd&CU5F z??V5%O=Z)Ez8n8~bdvPjoANJXJ+AiYml)@f^4gW3jt!ewxT2{2dL>eFSpZGF1LJt- zNkM_v{Ckn0z=hTh;+n+Dd5174p!<`L`ptExqy$o_KtahrP_pamefqBaW8ci@7D!6o zoO0_XPsspk4*a)(nokXfG=_?$5~0QvsDPNR>Pk~309W!P`B|CJiSWFkHO~*F0JfhZ z&qZ>AfT}H~?Vf`xt0AW5!e>e?jh;dAQM#{s+toZ*km$*D;{*&^P;ubA%)^X;eD?aU|glv)-xl~-*#Bp`Ad0u$6=?5wOMR%Gi z1R@kZY2ND-IwPh1@3)bGkJ)8wzf}cLoUw*bI=(HX+x-Vh|8#Q62=tL+TZS*-sPf%Z+cJHF3Jwd%v$<<*1Q*k=FeNQWT`&rxrISlh9yCZmITF4 zO%8f->4JsByuI583vE2hMEoMZquKBLiOUb}A4<~V{S-;d_7_3wx&Fld00N`lUk_>4 z8wdA$leBEVl)$~V--nc2Nt*SBnWWPe&DUbPPMlSsB5`}~&l6c1XI?EO7IhHGfCxaP zPQ2uF*9y_hAQ4Xu1-~46xXl(`inZ&GLT?s2u(G3 zxD`AQQKjRsE1J@G`p>lAb4JvfM}X%h@jt^4(=S}Ehx8(b9}yuOEB&|GF?U$jf_eIR zaC2N3`w0~P))N@|jUL8>QP)GE(*`K_g@@CBgR>6H%Fe>6OU4RgraY10PiQY|;o_wL zNX8B{Ano1y8{7oy|NZ^{`Zt5AH`XuS*3b|`g??pLI+E|omwE&h#ZYPulPa|+ttuw! zN>B`CQC`Zr`Adu+<<*lvbRSxb4?lvaGODUb5W z6;dR>q-?Y)%lWLme6o)yx66#uYF2KrC~H)tA4#%Jxrvnc)dCWXp+?Pq8A(yb6SP@* z!jf2%q*ehCU&Qii^k%Z^#hk=gMH_80<73~fYfR#aP(c24geXU6 zd5N~{Br1-H3_Wk+^uf@CU1FI`F+Pz}gOr&(%y7I``A4x>B`)gvz(`Z2i| z8M%d?Z1H{75+j04vlmd;6KFPpX5ysg2{M3A@R1Lx2&`w~7eU>&Hc&Amth4Z`E8`#MC)j_i3 z1c1XZ$5;}}lPrmKNn8y)4Plh!D&Q9`k7ngw?y}J;RaumKRl2U6;R@$>op7QYSkfD% zW$&xL?gajBv8alDHpv*ivp$mO>SavYM|*>pV%(QLL)G$c2E6Bv#AIUJ@It zq>=_TyN_>*Y0`<+8qV)D!X;LRT0`$;M8?qBgDuJ}Ds>X)N0EXp^0FAQDoL#q18g-9 z8wYuGWJA`sjNu|Tis*e(d?EAO`q}m)BdN0D@$O+O|R?rN`D4R5#zJYd%bsUIuq`{H(OFCz0Vr9@`8aCYyZkWp1 z1jSZ=1YariDAnkq)j%{Dv9{3&7g<|*Vw!Lw=xD&&rXOy@+U{CNa@BTTnQzn6Bx)LHMAf(32*sT=^Y9a(+8;G>MLq z%Gsgcq_K?=0`FY-D%5Uc)GjZC+V^bAMzU)Rt>@d64Y>504NaUM%VQs5Q8oZC8wo$v zT1O!YjsplM49=L_L>oGkBZ?6q8?guVHN^@gN8}=YRj8Y1NZ>K|A>7ha^77~1A z$!hJE)iD(N1;=qrsw|nkDI!7)LoV6~U22$IDKpv<*I5N5W1~iaoO8>hWdU(dRi*TD^jvcNjy##l~vBNu|z!Eh~gCE9)a(>eRpLD=(B=Vq9 zO$Mdnxz(F9C@|NdRb=qMi}?a++CCAH#IzCCzeyyF2StSO1VAqsuofv4Crd*Ln3dAh 
z+wozPI|Tqf2`c!)2o-9bNP|=XL;0v}7Vz4zq|+`f5OLU7DSq_Qd(a83GVe#uG)4~uiIEJ?*Kf#r#5Kt|m&^wTNW9V00q{!(SVd6E=R06tJQFH`_bm2DDD zZW0~oD7528^Fk}oOJf{I$xY}4Gf~Tl-qQsjqhK-uAy#NJafNWeh28v!D6bfB>yxwG$wm2MD#Mr=?b=6Vj(S>4y9==1Qq#H7I67 zcc7hG`g!7w;^49>`IEV{{wiN8OFaob(zZ}7L zQzcY%wq1;Ehw+GM*tgq2@$;EXS?C3D3gj067Y+6hP3uG^*VmHhV0z2}ERy(z7|}B4 zI=BmDtXU&)DjO6GtfVmnGle;~37Q1SRY6B;*GMivU!Bx!J072w;pWN!n(2Yvf`%d5 z9cBeU>(Apdj<`91iWk&O6MK3%KNy=(*(u*cI8^HOD)xKeHP))PDK7>P1LHdAM4bq< z;zhw+QQ-n@CHl1%9U!np>Ua~9#e{u9L>9qGY8}wS*P@i^q$+KAv@eCql{W$bBi2`h zGpFFO1X6>Kjw709AJWdyNbZS_uS$D@elga^wwjMHe`KI(5_s*@3vFhg8O-9>`1L8C z*CySeO|$|Cn}wC?P$)kO`66PhhFg>;RJ!(HH8`zWt5CUjo60L&Dnll4v4%68)`q_d z;k=a3$Z+v zt98LQIN<}I4ByZOzTOE>KN-Hh4Ls|Fzq0y?@N8>%-D7R$SpY0ekERxEBQj&GpF>zS zT-k(NtAoh{BGs^92QkqTrRKz=j1o=i(0gV>wb`&292ZnOp`1Cl+-$fQdd-}=&!#*< zR_#;=`X|ZB$S5!@SN0+7)$zPBHoYP@orStUcAb<7(<9d|0j4W^<05epSJZvZVpjok z1==@VlNY@yLVK@9MVNLGdqA5}=tEwV1I2bvzEzzF{GRY2z95y<+XRE!qe2TBDsz4z zLSZx%f;EXo)lOP_m2G%ln|Yb_m&zZT{gD2nWm^jvY*}sb&%z z7MQ(}k}0Um66;_-)<4ZpBu2T{3=p~H4DgiGcL6=kL=ic-tYX5J6M?YH_&dIULAlVQ z+Xf)qB``Xr$-?~;>^YEc)!*cM?thT)aw6X~DA3@dpCG~w-YWdRAB7t+Mh1bFJxYXJ z2||8arBY4P~La8$a^1LeG>Pz$a`{&ynAAqa-UP)F?QyZ z_Zp|XpK!_h33K8)koQeQ-g&ASb58&+uTgH}!s=}%?jD@D?~q817u5kHD=yFs^CU5t zi`cW;GD)fuN}zHyKU*@0|EnR0Ghx-lw}tGfRg*+CRLqmeDTKhN_>f-zcCXWy>~&6P zy-#ttnO(Mf7w&aV-tHb@9|>(;8cLC0+X(y6YXAP&R?xcE5%%4?oDufU3``UrXM$}g zn0Go6`26Y?EueOZBhdmU4?DF0uUYoD)&kZiX@TWK1TB!e2ecN#KV>Ss}r&1ia=t!gQ!?YnJSsRahF)G zHd77MspiSI!E_xSIKOX%+^VWp^gI_gT)8JU4s{p)6RJYt1Te#YW6M}xi6^6u1;G%-V8?9!v;c;+l`>v zv>0}`nCfvz7@4TXAQ^eo%~7$Rf@5v8igm+OW>W$ZxfC)&PlCmkVU~tlitgiJhofRW zpoL=QKmtK#F(LpIYXrYZyArxovBL);^1ghY)9m$&MX4iIc}ZwfbsedCZy-8>V+mp? 
z4$zEB$7yj3iCn<8_0;0Vl+ZYLnF&)7>mTfNGcP%p_+EteIRQ`7iIsHn`al7{A%x3q zn-{w`FEl*&KQ!D(8V>&-H4Hu;xcrwGH?D%e2)rC{S1_Or-r9jBz{F9%V+MxF4v-Q0 zmGUlON1oMD{=gNvsUz`UxC3+l8RR##l_N_OWFkNvnCRtzI(wT;Ek&{uFPu><%~uCkxSg8)g@0g(xG-TmiBZAn zC8+BNr=3qm4pL+hp#~^H%nZH996f+U0>$d9<21bIreUIpk8~N#2XYr@d@RZOHkqeE zG6s$v>1m0hh%1@J^Bi@KgX|?>bdHa>5~p|+t0Kb)K!~dt zAmaUCu)Hu}Cb+|mygMu}+D-A!Z3C<@=wk}mYjG{kZ>GYWr+Zj z1la;aH{$mbm(|b&7>)bQsf2o928n-R3qSWE>UxAVeKzrFG4Cv&=YmV0y-y?*x^gh6 z3OPdJTyFv=19?7=bYE}4 z)?%tV2y++|!3yWN9nu$1BQB!jKo&uMS4{J`_SJ# z@oL++c(vI(0Ok~oq?5&jLswahqv9|aPI2e>TU;G(qJPnZ!9Gr}2tCOcWSHefo7gV1 z9Kk0Gp{m(b4%dhS*pyyYUJD%_!tGakA8mLs4*B^&A-Zeuu*7@VJ6Me4;wkD72EOx; z^g)EprqkGvWfNTGMH@k_MTGeRj`E@sw3j~*0U)-MjNipERhN;e*+=Kgejda}Bw=b} zt_`hO${a`A;-r9rRXe>Hsf75kKX!M=ZedO70W_0U_n07nk0S$U11b( zL=4Ng0|5_mirOt+(4EI@J_sN%$UE8DE1mNd9WMukMtuQW-wu7%g{83 z;EIbEx#`5$B4+*s<1x&X7$V%jrjwh_ZeZP8b;KM%2%$SqhNSsN`tnm5eaj3ZnQ!QE z-j(N>h7jF`SKJoGoUtS)M9_AIYzvtVAXLXdi7@IZ*>dzY{r>zw-6P^F>I021I^=!+!K=e z6+veVX$ocKx(Dt-J_B9A0&EpnKc$zjO-HneT9ANmenPwV$n=Ha) z_v{iZKpHiB-|ou6AfnLiq3h5|c{yC=v9CSR0l>TkfQWqn zul0Dk+%5!Hlp%6qGa>~km)_Poa2^Jl+s;EN(M9@p7Rx|@O5$pCBA`ugBtsBkx9K&J zYYC8>@-Pw+6;C{Y%rdg9T1O$(B3vqY zqAI%K2A-5L3_*^ov?1f7DRa0vQ^r_`eGyMHiDYNW94}?xe+qytXv^pnW)XX_D@Ei) zB~&=-tl$g4+RUhEQp&#MUMq%Xw>qn7*Nt^`w%=Jd(An7-S2g2_>E;-zy*-aTc@UgR z^a0#~b!EI`xmQTH2=c|N3w>vpJ&XIG)xzr%R2v0H2FCFx`wTwdcA-?6e&9VC(r;u3Jli={#~&;*Dd=L#)4)w zSdL($Ae33e5OW)HMlfUvH;e28o$#(QPa8Q|=c?^|cBAChj`)ltAfYX!AWCt|Zk4+( z!g4F`TP^SEzMbUqugG?#u$f5W5a1&)O&ZP++;WH|(6yVJ%o(KY8^i}62p~-jAL4*hwBP zFiHoL+eBh(8lJW$;%{C68%(0+F0^b^wjR&O7RLu&J^mEQ-;T%OF|$USvYz7iDI0j_ zvQao6*F<@6epg(FSJHVRhX*)!5$bv4LV4Y+WYKFx-|@6?ybkkEgLP(8o<=dWDQm=} z?TdUDLioFmKgtrw_pwC{_IYPN!9Irp_R@*e&gin=RjYK;(>6T)TAz#KlJ>lM%!*g4FSDOR)IeK91b*3K-! 
z!!1%lcd=HaYg94H;fX*Yf}>Rops1Drlos{4&Qm9G>N~%&WOZbCs^d~wbPdnE;CVCl zKnJ2wKNk^^7J^0IZowi$S3VMR8LUBVNZ)9RJ@6E%V$XLUsoHg1iJzZW{Qf>ab&s`* zzwIamz?5y-RBG8y!tJ73b7~!KC0!?*p>-;aMki(rQZ>J24TwJFwoz0_b|UK9IB2*B zaUCYx^H?8>p#@iU{WRP@xe_@#d-DC*`?!Z=)sN-$_i273!VERqww5R}ix2{va_v)e zI6}P7)Y>@vK4<8@8|t~rHj#UBT%?vE2q`qkf1z!R&R0HZ2QK7q^z!{DdI6nk&AD|r zr0ci~7h*OLqN&xmza@PF%?vNO(~IeWBLrR501d#joemxe$r32nx*2^KH|j}by1kCoCA>q-~4x9_@+XKkl&~eVW zv5!~>fYCMwf6Nt6i|v2%c*V3kxg46DsAjR09>R6(;Cddr@t;z2{t1F$s1yullvxKZqD z*GX`-ZQuI0(r067A9(-iwSn4(&p;AEoq5z1l9 zm-!K8xni0QSZ*vzDPjXycwQ6YjQXjJHw~=F0H$Y{=|rmY1S-Z%vLq)9n(?KH>}jD^ zRff3$iv*?4H$-Tl_i^t~zwwEq2=;LuI}(tOA;=5-QBV?!?K_~=8o>16gTfey<(A2~ z3#5IyX)s*X$dm@o;l`B5z?5aQ>!_DAEYA{8=pHeSutF4mHAimrgGRJ?TUF$NbqS9h zxZxnQ#c#N5fF?4GQ8;k$rHjyZwji7(Nu0rmj1}Sx=<2V*r}*0Enhz5ajcjN9jm`>i zo*-`@DK#jJ$7!RLhWzZ`jgKArp(X9dNDZTmk00s#lsqFE6E89hGCqE+_bYiuJSJXj z2sA$C^wN@NBxB+w207T{JFw*)$Q64x?f{O&HE1a}njL-BDO4?#D!L3BA&n4)aATRk z4Gp_d<}Op|vst6uB~%~u5%}VMB9mYJk6(n<-yp-)e;jA%Zo`w5l+yUs}>y6`&8R(1YVU-2)dkiFE19W4_;8FpIR~ zDY>wBSQO-pgly)I!h(9OeJw@^f%096bP}C{1Pl3=k*q+I*PKVGL-_1E?68*DH_~L7 zBs}FXnJthmR6xKDVLyT}ZGo!0NL59fIv9^=Q|Ct!))|X+Ug{u-tOC!xU68e~2KkZP zcA!_lu)*^lcytPkLoy^B4WOHkLsr%V&=(mlWw`@en;q3*QKN)fv zfgA$j%X;yUPXtp@E{4>S=$Yd0uN2^Vlq(f23*zz2$2LFbLv5_8iQ~w5U{p1r3g9Z7 z;0`;=FH$7RqN9YJJnoVTcWH*B7Zgq=fqtaX>Jy=qtsFx9iD=$54n3b?o*v@>57~g{ zY#iDxYjD-E^Ele2kPSN2>&Y!;inkyY|Htvgsq!3f+@ zPg2E>CS-Oqt@k%Ji}angU2nkim5>*`18?o^Z65f9e`>;dF3gHoKdB&p2DvsKr_;R$ zeE6X%Ewz%TP-QFs8%YWtD9SK+p!?#YovxWcsa4P84k$B)E)k6#s;9?3ZJ1$+5vjCw zxbr(S$hlwCp0&VCzx^4mOL26xN?VWR-fra|JD_~MtGp4*f9>UrlxC!99jI%i3}g@U z0=XcM;rQ6g^|$~Z75G?+cb<568t)vQWY?SQq59Fh+3c;QkN|%*69VvFAt+0!%>$W$ zq+rdw+SE~OwMU!Pi9dm#C?&z)PFxuBiH#smqYTAMCt(NkPwa)iIF3l%-|A~Kfu2M^ zaDFntY6tQN-570o2NL)b+dPnYcmUt#(I7CCJx>-H8Ja-k_`j5`Z6t^qqp$&r_~c}v z(uvqzj|7~g6xXj9gFyXWBiH@7ob}sBu6xOK4_wK){y#wes^Vmn>7*e;!=4_7`-kRL zQbx1b+=ZE{HBX@<{fZvOQ2LJBq8&iYNtp&Owi>Jskn}h@JFmU%spa57h|>99FqzCi0thd5mb$#u^c23h(%^YxhKvB12aQvI&bi2V?%%p 
zR2L+{>%A$e9Q=+vj4jAaC-pyJpeQC?H*4^@+43^FeMY1$%R3{oa+%a<4U(5N*u_kP zyiA1I9WdLIWLt?Tbx-e+5!s-xmX}qh%gd_L23O2ZtrT9Zkg^z9M*>#z6T*_%kc=na z+4C4iPnE**hzJ$I~tZ8$h%VBZ9XXa^|Z+V=Ui8wsa=wVp0Ij?`Hv;p&5}C zh~{wt%_cyzNnYlO*&Q(3iDng`$?3;rL^kQG?V<8A380arV&%A5od^TNN|xDT$Z`;8 zUICRXIi!*YR{BO>b{Vn;*QDp?I;gbSfOBG#abD&l=D6^7KoXi3+I?&IHx-AFQl)Iq6czZ{8NFIeexO>P3U>(0Vh--!gJA!Q|4YFy}maR;L&lNX&N`XfP5Yb8p>_IS8A=E}fD z*@DYmSPc+>2@6KWa0!i=iy+o|F6=a9Lq?N1wT=WMt{Z=+;TricOXH+UgqQvfJWt|A z17L$Q*X+ezYTc??dBxRU;+2TRI)g`qvR40zIkArU4mva|Yndkd7Hti(?kKYE2u!e) z6zvtvxQH1ak_>0WA&49lS5SsQHjiLoXfXPvIC^B@98`Qzu9re?3ZWQ#445S_nMmky zL19<&#sj4v$`S88EYk-U%jLZN8=z)S4#x1Oa6FGa15YVt&omdijE`%VElt*J!)kbh zhCK?VgRUprX#~ZG@5mcNq!^_2o}OmT*d?JSW0G_&VJ#D9=&zH_j_}X}l-^s-ri><1 zYWTqJ#ZHDE%>nELk}$UP*>+zw8;$_%u)(NwWaMBrV8nP6bKYt^DT?r(iAOIsSSxih z?LL%{>bsV>wSp_GDM0nPid^-sCfRs^2#sOIeR*kx$LScAYgXFqL+lgFIvV4o8* z*+bA!3b;W^nF?QhV<$TcW{)9@MQ$BCO2|^Pv&pNr0ZztsAfY05IOJ9`0O;MeCq%af z(LEXdBy^)%&@JiiM7LV%YDDZp_j4hWZQlmncbo+QaZYq!l{(Sg8~!A83&RC;)7tjL zFAPD+n$T;O+&Z0CsMVZWn{xLfuoeN^wS!#PUhl?ZyO@u2)v3)&7R277RH%|+v9Ty? 
zZOZxy!n;YhcCarii82StORQV&!z9)gcZExgIkDC*$G23I*-_IF1;|7Qy11)d#^?9s z^Q+R*-CqB~aJ`Y07KGop0Sl3riuHgwl9E~(No2+#zFT>FKqsf6qfs;ZUPtF)^YB{#kgVE4&;@^TYep7*QxdpuY#Km3b0+nez;-li=%wAss&M?;n* zyW?H?Dj(x*sU=66A-^QI6 zCQD8ecz^$~ZE35vrLEhRy0-?{zcleo>$mf~sA6j#d&j=`_uw%GWS#Mms&dg|^jF8EC>UB}oC zV<|M3B{SAaB-LE7X-g7R3$|>+a!3O)-3xhF;OBr}-*Y9N#a<B|9C#RG6~Y*8A}lR-ZzB(q#qe7Izd7)m4!;EW z#lmka{FvA^b>`T$b&#@4i#?})OzPz{>4b=y|}hg$ft@N0ly6Z|MBlESb1 zbi$iJpmiXm0gwhj>I#<>l7dCMR#FE7(_5Y@lsOT0c~*a3Fy zROVd89olqW?{C@6f4~L%%kzS{5A*&R!|%o)<@%?X3Sf!eo9SZqhuIHvf3o2&Q*HcF zqL-rp#!Z@RxX;(0*)lY{1XifS=ob&J8GI@UycklWT}hW>e^LW%ZTB|g4R=#+KY;bz z-2-Q)!@8Cbj2Pz055@*dT}zrbWXm+L?n&={Xir7Bf(JORm2Ruq&?!jaX5#}oYxw=| zuy@(ub1>y$vfmaN?lILBwNgn1CJIPS!3@E1dfxpAx@*tF-9b3$H@y>V= zz9ep4PLUVdBCB$}n5rFEqN7#pJ3}aHhZP=()6-K&tIc6p#ul_H@X&RenN}Hk{!kOF z>t>nQSP^8IMi(?MzZ*m4dTm2EI}7GwCA$X?ZbikDb8;SR?Eja|}ck7GlO4S-`p+)^jAE>sg$J@#1n8lx*$Wtim%{==XJ>#g3n-W?@I9ae{tk^ICD&ZjqeT0S?H+YrQ#H|{p;c}#E zwm0OasMs-6h=&!gmIeV&f+SF(cLl2BiFJY9|+47-iTa#KajPbp3j82OcOz7`>x=iT7 z3SvTotVAo&71jpS;2S1G`IC7zkO}6#@m8;jTb`1UrhJ&oq1PhPq=wnO=_2KlRjZq3IXdFYY z(368J^on@BG~UoTN!MtXCh7jNOOkZ=IKOBNKG3ADQRc~oTJ2rfQ$3I-_+>tpfm>q` zk|jOODf`Ce$3VE3_!4%j3)nuvbaHwBNN<8&Po~27V=owI#gEQG-iwt2ZXOIRO|4`{ z2-VYC`ufO6puaH1$Sj05e)Kd}$b>c|6|T9J%v?`OGS=a_p&85zw0Utb4fURtg1cml zT8^qVgGrXHjF*=k&yX*%{wdG2!YYwjLopToIABmz16-Dk1DjElA^-hkhTKpMKY+DE zdbt9mW2CV{VLz7BcA~^bX;M-L!$JqFRz^CKxg@~*6yy^;q6UP z9c*^xy*QY{5o-4Nha89B&q&l@bm~I~9ymHZgSeC?>&qU{g1xhGRUoDJ=5hkr5`1kb zBalilX2>Y~)K&f{x=XL(PY=t|xf4`3&@biPhT{N#E7tpo(3^`6*{ye|Eh4HUwv!oe{Wj}YeLMjsEw8 z(g!=oq$OioER2Z@)3%JL)@>Ut$&wH(9Snw`TvE~fWQU5B+gCmCtt}zf%b9yZ*vuhu zn*fkBnOak&$4ruVOeaY{6-kCBK(b}6M?Q_au+$DcN$DNSX*{7M-BE6tHBDO-LKJd0h=d^p#f;L!xn6}9l(C_HObFlE@& zxC_Mx_;gZY9tva#pHN3OA9aNf`X^feoJ zn}jUY{GOXPipDt>vS3w6OtyzWo+wV;DvBS_hd)MQNE2e~(Q0;W5O3c1Fg~u$`C859 z;WKOSZ3(5%hUJf4;OidtU*t=|{`Q~PgjV@Ud_GfYKgF+HQZOUXQf7mFT`Sj19(?du zt8p$}XL@4nIR%%QD7LvHS-LdrvQ9Wj6)7ni9j(zmUO-kUbNY0(dD2XNrD7V)%V-#9 
zA7Qy_(6DEJ!R6|n-b>A{>x{cUXbaB9{cQ4%02=V;nJT*-*01Hbeu=>iVpn%`U%yiR zzJ9%{a$mo)Zi4bwv)Ycr;?>2tistm~+z#7uV4SDm4p4$~C-5^lt|sJ+b4`lryrDO; zYb(h-VmIIgw-j+&hwT;1Jzzou_BbD|&Bz;Th) zS?!sMlnpQjI=FHuZk?Mb`)#Mu#N^842Yuo!F<%;+x-OG|Uo1c9Kglvdcsw2i`j`d_ z@9N-F=}ZN0Z8`U$2N5CkXQy^@F?EZ?wGEBCY5Jd2Z?EU@g{ObBcTB$KHUQsO%*8iy zyDY8L-d2j=6`ntA!)4_}+Y8l+fO(+eGy@)*4f?iK4Pn<&_m-63%Z3zIC<}*Se9QlC2E!KjPx!mnLhyEwN2Q+`DLfo8D+^0!w&O`@y^N?IL5%$0H)m|0LWX9~{d zUA3S}DGSl4x&(YnJ?2+@1GAQV?N4SlU2))J$Rm7#4ObttsTS`o*YW!16})b}h}Q!( zkI1W!aLst_%_fpq>PfP-nk1$ZB-v#p$;U?_*|OF|RI!pan^?H9;0>N-w2>}xkz=AA zW>Xyj0(1~Bw1No2q*}cL-$BB4ooTWVbXBacAHToZ*~A&-IA(sxMx;17nwQT0bSP-B7K(Gruz%Eeh zL|^#BlBCv&*=%5jn$`J|xsyh^oFNT8nXHb{Fcl5*3Ne$l9A=a!dGKUD!+40I6So|mW<~@UrZcPa`7(ca>a1e-fz)vai^wv>?+eDQ zY$;veQi@Y5C56jb&gQmcW)YcXRu}Va#zL)VW;GsE9Qv4iBRC0_+3F2&PlCULZ7Oyg z$=W15g^a-BMy#OD(Gc z3-Wjp_F%m58->Pj${<&<=Kz!oWlxbB7-Gx=ns#9(;h8%b!hkyX7z?qik~Z2D@z9*% zGd24b<~k`$jv2{|@ZY>nRvXW78m5Y{{h8(XrW<(>F(rhuEzi%abT2G!RS0Z<2H5_x zlkE|N$5n*KFB7)E>~PDfAZ#ze(HB$*d>=jqP3Ysq^DIYQ9glm+3+pJhx*e{=j5j%8 zH6>Hu$GB=Sr4MBHVSeUfun(lVAeOt1!>(f0Pz~B(UzQ1HL%1+Jz-5VBtYUkUGc>3R zT~0aq>cdgSPzP1^c?-cUTs#5YNPZ)Eq?!qdyssaqF^97?4&MCeu4eb+iHdPlia}oR zxEPO!fk_gFyUdI&4MU~ruu?`{#Hg~NlkO3l2#PPo=7Aafr{#pHK6ED(==&R4THnpc zdh31SVKK6%R&HCc9^*>e=JLrLKAE{*2;}l>td3%B-(mE6Kd##(=KR>u$>xEN#DVk+ z!j~+D7@Hoo&JM(W>YhP02)1~sF2J(thaghfyF*?$g)mUQs4WKO+yjGbo zJILNkelSTSKWMdkN7}Nzt9a<3=*Z(azZ)yWC88p$;YKnvZ!tL@;CF;9q@GGAN@i2k zFg5t1M~H;8Ov4?-aVE15rlaLJC=t8aBhvfiC-`(# zloWYm+jhksvEC1Jf-nbKD=zXuQrW$Vw~(8d$g^1$_7vTFmW}wxd_8mUaaehvEy+0v z+|}XPO=}R^b?r&ZmY5)WXX7!<@4C##Li^;$cMY<{)E0~F;^J-$smiy7O&@l>`1aBd z{2Bx^@CwerDp<_%ovb=m>4^rsFa@V(>H{N|E!O)p%e2DeEBub1eBX7!$>+^Fr06FY z8~_2;Bg4ok$&oN`0>EC!b%IQqzxYYxxQ6x%f|w_183GHHLaosV*lM1>j`P%;m9{5a z0}5>uVj0whMC{mY9uzs1UdxU}D$;_7Zrw7o91Vn|_B5?s*{jL~_$l=mvVTm%RicO{8~hf%(Twl}(B8BFZ6GJJbzCuGOiSyEEajPotmyCk-2Kyg9--54wZ+7&#;iINK< z))Tp0yt=qChKjS_Bt$lzMBJr@&g3bI=YopOxr&tPfq4S*tw=u{|0xPpYo=&?S^dHCA*i*iOo#_63dOTAq1)r83^$^%}B?YWfA6TCr63_Pb 
z2Y{~zDxYO+FhE!@0Uvo0+SM^eYY1dT;oQ%Q+`Jmw zGp9-I67wo)sMWFx72|FEmp&q*P~+-5sM&V`mKFmiNOc`^*#7DrxBW|ua*p$uYcnIeNlecgU&Dm{Y{Tc(LK%p%KV@l?Yf zYIgDi!Yq9CnJA9%YcAup9KXe2toO~pV{Aoe7OC;TS7JTe^8&uxRL`v5L#!*9JBd>8 zPBTz%(HZEUmQ~n$k_AF1%7~aD%^rwzP@Y6=XIR@(3{rWS75=wBB`>Sy%`or`rS|Ul zTC`4N0f%~;iXE9m4z)oK9iWm>gO-;m9r?LUR2nXAjn1WQTWM1aMK;&YfhM_x4nK+c z7a>E9tAZ)?`h(e7mocorY6y88!amDCjwFvG*|GfNSn@cQ9m+pOlgDVbC;u2r9%ETK z{}@jm<5>zH3s%j^+!;f1=CHqALI=;AJtPtA7iNkU3@t%%ia>Gl`o=4Xtwd1gEX9AT z32c}`VrKCBoXo1lV8!&+uW zbNFZpB%X}sWIO6@rB$!qieJ@AZ)q!nR&XZ4d?1AosExwas8r85Tn&QB1Y*u_t+mfg zCScq9zW==UeV!i=le5p-Uu&qbqRSGQ%M&BdH7s;;-hcI%5` zyGYHp_yLH+%M+^iTKL|InCSz=XA*zM_wMOLBsr4mRiFF|j@ALFVGmiqhw7lmUD)F% z1?usRLh1my)(Y%Rk+LO2*|NsBsIpeMA6@XkV;_*Sqp%JMFTb$I%;#@ZG3Py0SjP_I zoEjtJO}sA#aQRT`hfz{2ya#s#wqqASSX+OO>i;r<@RRTx{CB{n4G`cYztT*roK3xy z0&0H`q&sHfTMO#D!aNRGYnas0^0n;xgw>=?!7n{|p!MT(uF)9OTu z!Q@}lrds$V+qQTYL)Y#{Lx|%LpjCx$L#s!HBWMdlO5T$JY=4^^wDI#6ywQofTZ)x- z+JNDvHAKn7jmAr2dF(uoRX<>L1f90GUWCHMt6Xw)_S(~dg8!DI6E-CI##L6g1sWIQ zZqxWGXXn)5j1Xk2Zey0Wc0`dKhTg2h-kdz%VAzL)JD*s7@oFI6T7%w6-a3S-SKx53 zdKSYm+M_;iMAQlccA;_ ztDr3%)<&%koetVeY$$F5s^RvE2ETombOm$T%bsnlvsf&SBu?^$MLSLGCDelkVB?CP} zCckLl#bp_H0+l%gj{t)=wI^Yur&19v^*?P$@HEwF&=*woH#jUy~4ROGsger^p+veO!E}h7#!qu{P4wb#a9hFPn>P@(*m9 zx&2YhIl%J*b107U;_3#2EBX`3Sg24!N6mL0D8gF@r z7gP5%zCDW+iGyAwP);J~6#~sl1O*9nO(N(7f$|bTrwBAB5oGu!g61WHG6^(45tK(D zS0ZRJffgr%RuiZ=5ww{=wEj$Fz|^k0gR@k0a>OM0!1j^vZfXkzVsD)sqRSRz3SPyw&J>Qre`9*hffjJEkYT z=>|jZi2?Bt1=I741ofHKTNmK09W{!R;N|88eCC`MyFoO$4iz%h>kP5^>ncM`J0Z4^ zR6dR(87w4I)}F@Q6j&=(K3)(zF+}cYteuJqFZb*etwN*kn~bQxZC2l!&(RQ?1msH1 z>MQd(D&urixNdXf$S_#~L~*e$`V5X1SY+!mA%$8{#GT(9$IGeL8Fl;CbxR?xtoGUE zX$y7b^L^*}%09L3nr91OvBCtZg=faBq(e=>TL9<+tmdzu%K%M!Ipf!cXj^pg@7R$2crg2u7>ud9~mWinajYD|9VC|=60lx*H z&DG~U0YAoj)Lq4RJy3u1a{J{gV*ZytKE#EJGW@4r6HYu4a@Xbxz89oO1apGjQbQb zIJz3=q5V|h(GUyafsCHq5xh7TdmJRk+O$`qA7W1oV6^?=U@n@iz zTOPLgHECvkk_$Mk^_P3qCz5-?N1hJ9^}_dG!OD$zUpzuFiMc!~}%y{<{dZafG~3 z%B%N$T@cf5ydT5p!*gWT+E0j~RB<4@jJs&pf&{}{cos96#zJ=_1z4Jd0jmzd)N`;d 
zEW7mLo?Q%8@?)*y@d?LT0&z!l3z?WAT|*U5!Z2O@N1VjkeWt41ka#8htnjPJ4N1jn-DxBv zBm_E6#@(5JF_OtRtZF;{iPUHtR(jP^`il6z3Nu8!tX){kaecx zZZC*NkyoG$L~=X+iChM6i1&8<6S2V?;=X+)-RNBexO#X)7552RiH`H#lN4Bu4(ta} z>bQtn`|ON<@lYPIifPa+F-ab=NLj4tPQ`spzWYv$kZxv0s}*;5N6~6L(?ZB>HqQDy z%;86r@`KxL5Hg3H-Ss&?JYZu*E9KQzt6?F;@I;aK(#NVK%uLRBFEx4fw_+s>Qz{!9XLug(V@cNh zwH9&Q4?{M&)n<0voZV|b|6!NSTw-$`S(gfNl7+R7-cQE?v6@DJKELx>U7JhRf)?l4 zm3wmR0r=(ijZW~xFu^N$0VK-EH6=DqaYy5G{uqmBd~PU>Ytw!UZ|UIOdAq?NW_s1X zf`r#tYtuf*S-VOp%v6$H zcfotDLo3pfR+<+Ypc?c&CEYI1-&=;Jp&Bf{A?-H8d1z=!d-~7rAg0Qbu z*w?TJ7%RC?K;pB#SeUTyjgDRbvJQpb8Bs74weY&+Xo~OvYAtIye)rE^r~(~8Lc+Q+ zmWshq>grTSx`yXNR;XE4v&BMLHH-POY89_7E*39`H;%60zZ`Xy-?s9MVS(N(`rCO_ z41U`f>2G`+4~ZkH{I)6bal^T*rE6J=++m6Jc#!v(@;0Tn4E82=es~u^e;B}E8e$Xb zHiz_>ZC3KVMWZA95WHZ~xx8os`hy%zUXh@z!3sDH!mFv+-m%3}NjFhROGJ0WxjJzk zFQMVwJz_?~xebE<8i;Lt8+nUx3Y60@?;gqK0swqk;Q>7BecK-XoSxa?vt(Er^S2o0 z-vHC>UMg#=aSn|A4moIod_bA-K1es;kr01RMV^b9_K z#O=DzmxQLD;d7(V)Pm1Sq3OO9P8b{oI9zy#2K@L5dW2V7J?a$&I>$3FKsRI1u<+Mp zY#+a<*U%z;pr0E`X)zWw`}ff88HAu4pVcYkT;-yCjVZ+RhtawW5;eM7c=*p`0j(4_ z1*2uc!+7ae+$^gFq8&z(w;1(1iUofrFtQD;*&Q@4aZ{RqB8++@unX_j$Zxw|!y{9D za0K@2qvm=t_m1gshc1jW&tO}g6*Z^P8y@c~eMF+VA&-=7i4lyh1igkg%;a;LXkrK0 zcjE(eu+5I8HI-TL3Ja`2bDx7Rzk_H>`{(WcE>UpwEUC@6iz(1+{x0cEZu^mFcs}yM zDs;$BKnj|=MpjdVrmLVDY;z9Aj;%z@6LuF3dvvp7WF0L)vxrAM?$Xs1#AzM$-D1^| zi7iFL&HB}&6FQKSEBuz3ZY9SmKu29{4O*+cMtBp5fQ=V39?xwZZ3tl8Vn(B^N`NMS zdMsh?(_f=JcbyXkO!$ZB$|<@=c=%)LRdf|6NAD6ItRnc`!b7*<$dCR&TrEfM6=%xP z9|`^iX6zqC4mBH^j&E84l#lmgq$G|Z+d8a%xQ|cWCOoC35jN14Ehg0}DG`&BGTQL) zPmp+TyLchI_%!NV{GecsZNm>zXnM#+eDl-*HB>R<^5TWpW+NEPM7y$dV`dy7v$CE zK9Z2Os;XfxVtKce1>9&tq6fz&x@orHp9Nh7Jpt`2)W43&xOq!W!JhJ^M6zUcozV2b zFpbxyUtr&=X2Fl1VSQI|qNB!XC113gjtk0WNMk8&_v78Vyk`GjsB>^-!Hd}88Z4p1 z;uzpm!LFS!(B=}8g*S_aBja)GN2~})1A;xyI@!5M5?eORMi7?e9NC(=+2TC3?vlZG zCyoq$z>(*;Lw`R4ooZqu{8RS#Y)W$UER1Bx9}n&s9c|9;Ehg5@Lg^h+va$>D3P@*I z>r#Ft&>!5IjB(-uMs0h1xu>F3eP98Mv{0V%R1sUIFsH3D0&Z1xz^FE@Y|##KV;GG%zO}qd6&wd|qV?v{}W=2ihz+ 
z;Kme{r|u?OMs|5GPACRWR$Cn&%pH%`)y!@xB{7;?woG0C! zPayHTIy#BBxLa{%H(4SSzNl7NH&qdo8#qKv1_ zWPwq5gYRjnU!9E0gbUw+6rEb6V?A>jwkR&cAK;hN;xd%M?@svr27ad?j*CPC3rXSZ zCm?iOt1Y!`9M4QGCDvxEW)fZvMFil;mkaxX9`*5YB$Y<-vW43&TTzqLZP(&zz&8KD zmMbcNQAd9LHrzINlD4XB^39qEtI5_+SH;DZO!WQEk`;I6KoQh#m$zCCQW`7C0CwMK zjNB%F%TPv_ySKQQI|IF9-%=sGYVfE_kSTR%pwg+^D$moT4Ed(3rHP&j-_7dmc%1+E z*0<%G3{nzvgPgQNueb43v*jXLW9NAdt(L6F{)ZM&CX)pe*F_dkHfHWZ3n+j6w?qpl ztD&s*D-86z&;rVex+(LqtS{dkV*v%qiCI9|eJilxWxC78MCm7bJ|_M2lPAgN&U5MK z6uouRUzPrzpuaED-yr=xhA!e7{s4bgeT?rdxn z@Rh`x^fVG{=045E8l(`3HHqZu9wnPjP9#{k8^xO4t-kC#a$CPqu!)i@%-_WX8_XKs z9usWnEs*+6f{pL$%35c4T(;?tBY|A%9jS5IX0&U=i&Ieu!C)GoqzfSwlatC>cx+i1 zg)F`Fn0TX}=i&__%j*)9VG?hM7U6ypZ`83RQ(*_J)P6a-M68gbbz-sao;#ea;$?Dl zL#*w89F=i~NrXW#aJTSXlFVX9|2PN>|CcWD`~{xA?8@}s@VoI0!fxORZ;)oNy_8+v zYMLWWMzO}i#U8zgCx~TqB&NGQmX5?9J>6P7D{#_K6PnTiH+X5Lmyr~Dd5m68qYM%S zp-80wNJSs;=tn5JM;DC_lIv6);vFz$-*;4!p`kz@9FCEPNRq*HB*}b` zAj$L^sN8gY_=G!01)1~&INOG~-yD@=&aquMHsp4TLIJjZ7`QH>>CLz-gN%oxivh23 zaugX&c&Hmvv=~s@Ye%oNIHhXBtHDxOWF7pf6=kRrjV?x+Tm^|mI1g_Qg&&N`KPO23 z5t`8SBgsJjJ;G%mA6mfLjYE308)Bc%)8{#hxVYKBpJvHs|69~+JGoa+d}wRL0L6NA z)5)s;hL}3{#15JWh`CRxRVd!k#k-&&{Mo2@)KBymZ{Xt5wYqFH1;iv0k79VS&hQ^~ z@d!b}o7V922@=wFw5SJZ{w*dWMY!$nn2fYFCL^6jUl>2YZ>|=lq^o>Cg0SFUMRF2S z@IpBWdsdf|s1HF-y5$dCPI7ZO>HLLqQmoPX!poEYM1f{=yii41bfgjh5xS)h%0tF?^!v!U(hYLy@Dgy~68qJl0Gl(1p>M30!P6ifFFveFfavJ!oOHjQnp&sF!ffB7v!#3rw6ge_vd(#l$5? 
zFp>fS6Rf0BE;2<)Wa=c5DLN`LVH4saQ9r zk-tT`iLXPWauc?b%S|8V#pEU$4a8N%QA`1`0($mL?x7G3u zICsKSz41CKN%22Q-L&QIF|~ozgd8NApJjoQguBfgc$8X8okl?D-NzzclrU3#xwO24 zd?_@2L@WLswaT`!6bqvQHt?35e?)QXVq$nzr!H<$B7blr(n7qD7TG|HPjrEcW)nOD zgc*K^E@~l&51tsqVdn*oa;p9K~iJ6+Vu>W%ZuKj@0* z5t{yT7AuM63%A4T*S~Zb+P1k2gYdic7cRq7@cRw?2H|(*V=mp$EuK7p1hx?*u**Ft zINgN{MAd6}^BE1F{7>br|NMU|Z!H^@w+cq(t=%ARt%%E1vfFC9K;XJ5QQ$govA~5$ zR(MryHy)_mW`mg~be}XuJ@F3G53lW!u_h2Mrs78ya*5;AAjMsYi^oT0j^hI%qc~Bi zu?&RlVm&Lg${&s>$qE!zXp{TCz-#uMCZ*8!5*=S%tzNlHKkO21>f~LqgRb-n^_N%k zYc?rfH5~?eRm{HBPng%r#^)YTN^F6JXh*v+vsfv#_`9}DDP3Nn-en=~j`c>0aba_$XRU@Q+2XLlJUCvt3e{?_7}hA_hxNqJt9SS9!|%FGtuadK|YlQ z1Y4APIoeqBrKuTfxMtI>Mq)%R$3%{x@Qjzu#S|5R`jhe@-~g0W7G;@LsjxBkNmkOY zxX(78{=vO>En)6cbMF=Jx<{ep>7C52&Mms@UManE@LiwrvaZUJkk3#hJd;>L$tk5I zDlUSOX7=B#2@8VBMuRwG!JWw_gP65o4L&9<@FbfJ;&=eUBL#qF^eegmjmOD{jS2YdL&!%ji>q`M%OgdQ!btSWQj=oZ9QHrgsB&v7-arGsd`p3zKO?m+!A`XVoS)f=V zAF^~LkzFF>7%4YK8LZ;<^t6jt%ZIEyi8-F+#cXk+d?=fPlj30R+z@5~ym4GBd=ZRH zK$}Cg!kzH@9{kn>4P~Y5UHN0de_Yzg-jhGt8j7TdXdTc9zXG%lSb)|63lLO*mH-RT z5?}#Z0xVb)P>?CPMd}7A`@8JDP{bk%$~*v7Mg!_&lRY$_ zQJsDaKG^B?!#;CO+!R`US%Mj~#boHr?onUbt=l-Wpp7$mBxCcpW68LkIJ`j|Gi9a@ zynuRH_$KGCG1;lw#a=(aczaF{1LAlOT(yx6*J;x zwiv}(73zJjKom6Kc5Wod8Z#IHNTAl4`tcE1Jn~d~91r=BmT+MyjZS+a)5+=S$qMxe zEUr!c@JKAV`kgjf{8Xh68V$WrhYkHMyx@J3lXR721SZR$Vm+Dai}8%%S4lrwX#OR( zcP?))8Onb@bUulV#0;-Jr8jmSHdabguZI%kY(vE7Re$ye{ceYzY5)?!Jj<^Yd(|3# zGnz#slhwRYgim)<0o<0=n09tVX2pz9{o#+)&bPV=>o2?Gxo>Xe&3)nnesgP2|78G8 z*{5j<%KOhR{u{C}ZZyT?g%0=6gZBy;mVvy#p$5JS{^m<|Da8>Ck3+BBUD7nQ3M!eN zr{3QkUzLxBsIKs5csSY3Iz#95Sz6gP3rZ+s8QZYgN+1W`T2@ZTF&*zd-*DapeB*he zlnbluVE2ngDN7wWOhxC87QGRQ4mV@DgxkR42{6+O+$)hsozEQzXuB{@y)uUu9ihpC zvY#KTW>jT-tQjp0LeuqV-l^lyC~-2^J^9U~V&>2M8?kAaiTuybzc9Bp$EZ!3b0yb7 z`yA%B{9Twvw1U9U^gb$#PCAPYOSU2D99`1`h?C;C{JZTMBxi|TxW5s#G5z@J z=ux&Il{@?yf8+As^u1Ut6za#ruogQ=41`9*xisO?phAf1jpK+Ze$0@+**H(kYFTWY z)9gOW2-IBumCrOC-~snpPvi~|)jaBhGq^FC#mtX*GQugh)eHaph$+W?29Sw)r%tLp}{1;lU-? 
zX?u}=;w`+u0L7p;9U~Oo?mj#29~6)05!6;*i@+FqCQ)C;WwQ zWS5lzV`;+4=T5r?C6G&|JC0q)=3?a~HMy65qI0 zwaPpo2G2q*&%>4nq2({a#JV=*7zhNO{8H1r-n#N}XjLzORpf>q&uu*t^{|k~TZj6_ ze8x#^>*(xbz$*z|O29>9C^r?%JVXb4Z_%{@$1puV9qb9LT0maXw802yuqC z{w{Kv{%H|}MfG?>!5I=Beu54vX#}3u$@(QHyz`83-+mx#cmwWK8g#6Xk=TXFv^mz% zQM~{S+EAxCv~UrglB&P&1a2WRpO^V}R!Ena+Hm7#lEo2>WU1RbaU^HqNdA{j&W?bb zWXV0v+T+*!ANrMUbYOK|GxAg)gGlL1S8we?rA^?ihJ7wy_Nods>nQ1{bt)w%fRC8! z8$lOWWUf!m=5inM5Gzn~o|ZLYEtBY~c;~w7YC8%nhBP@v^D-^*!eDags$+FXzW z@R@08O4YpPsyTAV1%+=X!LU8xeh}EnXf}GMtlwu4nyw|~{~(ek2ZL7B%nw==cdt1F zY%9N%-nlsmF+AxQC{(2Gd@?>;pY3y1sMS3Q=nHW}$GRxo!jEAMj- z34ymT`g+uWA!TBY$`ZPE$s`tm*)CG)?@3^2OTHK8B2-WEf1p~Yty zwg3B77i~Cbg;vPVN=||ha17G9pbc`XMJex#$ck+j7GfmoF$=xKh?sLB5icfQi ziVho4SQ%M?GRiSoGYbLa``IAkIafzhzDW}=$-hDzFYGI{*ct%YFkVY;FSIoJH7UtA zP#H-J6lrM4Qx1OR;o2ssyAA@(tu)4zQ9GZ=eTH=78A`t=pU$17hxtp6?;z zb!(;2QWLuZj#?JC=h)feoD6nrPG$iHzp^;Tx*9F*(mnA!R%wOQ z*ElX^Yi#H|)(K_Ik6dhaX!Kx4fnSI$b9MKTl1@W5p30Fn&8J5=-?s6GQ)#hr0K{wEIPmXnYsV3%RsJlku zKK4k}`<)=(YCww##2|WCvI973^7F-Ua>y3A4;9Lsool~{h1OXh%H-&RIk3r&IZDYA zRTAzRpG%T#^7pKG5j~9RZt^)Jd`>W_hsipNt&G*&sTAHRZ?aege-QWZb5^m!mGbHo zt3mFtHELMJ=KpTYf5>16vMsA6TSwt){M?ASZp?@1pp*)*M%=HI8uR}x2Ef4_S>2fb z^BBO7fU?H?Kn!pnSrl)~e>euXpNyh3=Km}PXhA@BWBx9a4!|p^5uq{v6$GRJ0L^V_ z>sR}%T2Ga-WpyM~`>_Svi?20zLPO)%@8y{Ww1Ue`r(_07)UpaR2zu`$(mv62fZg+o;MFq;EAn~oS_{_^oQKh*;+Zi*@qTWQl zb#u@v$UOI1q3NfzRZaMXe}qFiYLq4-io&bzs5nzcGm<5|S{?<^Q0OCTdiU5Sw8q^* z#jILh!VQkZ%we(+cYSD8w~cU9gVoO`$XIYC zKE^FDxE?o($=t`PDgmc{ux`#CmqC5tEwYY63U8$`6JSYd<145pQ9=5jZ#E04-cwQ5 zeEEZRRAtH|ow3 z%qU~kncVRD3SHx6U&~VdAaR||L z41|o*G`T+0Ald?j#)f%UN)}jy#=#8OlkY~QNX4CbBpgX!0<~M(Q&tuMo?X)EmSjM% zAipG2vO?wa=BJ8tpth^&irtMdC8-sEKx6iE(H1Bgh98io;4JtHyzjO^G!}VPVZ6amSY_@<;of>G0v)T>*vtAb^vO`D6=s%?}CgT(2dj9H~L z{3o{vkBV8SI6dm7ZR2!c*tU#AMr{fkhvq~h>HPUD{=tt_z2lAehTgA#OFW8h0xv_p z>#RY(E6P`IZ^fIped78P%v>Ppbco~p?PBU+_p@k4I#P>!KiZ^z{LI`@hx;t5oRZa( z>o9O?It2pmQ;q) z>cJxlS*u=E6Z0`zp-nnV+aK_GXrkn0gSGi7q8;6v<|j*0{n=jz)X5$692qI}R(L%6 
zCKkC+{;o&;al5VxDqf9*)TH6E(Nxe)sb%W&he=F=+M-xnTO?HvqFLuvIx=3}sL^NS zbJ*rgvW#$>Um2L2722IiRvlvEkPK&%O^5V9M378pl3jjKCS~c67dd2}GbvAp{DMQ~JCo+Uj zx<-fmC2&DCLestIf_%M2eI25ZEBymKZR&66X;+`2XNLL&Ju}sx;qwNS(QCFU(=$i? zDLrSY>*#rn`a^o=so$sP9CZafv(z$r&Qoup=X`Zh0NFDa+MSw5pv7t)J&V;@^t@Hg zrl&{Er04Cbot~Adm7XhA13m9lqYvV9wc1b5I#s3TJ!&64*QmYp6xD8eZd5zzxmgW9 z$Wb64S?V7ij2l<|^@DNKs83SxL2_?QL1b0b`zeSFiuzLuqV+I!4F$Rl8>8>#9Y z6nu^>xl#~W33V|A_mF!}3cf){HxxvMQJq1-{TR%oU?({fiJ^QD-!z61xU#5cDR>Nn zVG81HJ@tJGo}i-(3ie^JlY*#luI{CvO6{j$H?^OFr>OlD?5Flq@GP~Tf>CNe1Kn2s`@i>tR%1fHs^1r$WqTD^gS85qo^U?v8$DVT-9NfgY+U>XH+ zV?)(iFgOc?XDN6M2E!E0!{GZAoP)um6vRDWwUdJLF}Rn4E)4#Gf{QWu>lPj5Vtjj? zB5==LeTae{49XO|9fKPwSc$=ZrQk{o{tE@~#9#%Lm&L!o($cZkLo+M<16!uU%E}Ir z;)RtIFXS!_J$My6+XHKin@y~rmE^zz+a--7zK^*qtW$C4pbyqrctqsYqzqwOFkpF$ zZjqL1lODxcwo@sILMA-c`Y}XosqpnVdMXD`!%DXH7IRmi!0HUGzZuqrRuFr%|lxed?BBT4YbaU8%;l%m1J40L~y z!|RV5K$W6|WEnpRRIg9sHV86tQyD#U47%-Dvv>_F$wqQ-uk~JwCFoT5DT-srcdevKCcvh9Eiy4{M z4cv7K`Bl=WSjI*@C!B(kt$~t$)h)v)k!A(l{a6Z>m}oTHqaGkdlALccb(=7dSV3)9?T!aD-&VMu-UQ%=Dn?MQzfs?&&AFMWH&vTC_kCy90&$zw=+iSqt9QjTd%zZuh{d3F2sRBnyQS zJTkMwUydH`@y&1#3%i4?#3tu&#&7V8z;$3ESe9Hh7F&O(-BxnH7R zE5$MyO!X~-L@s~WScx4HU5ZsDt1tdOR@J~WSQXS% z!A5e2&_S1C5duqi(Mz%DRe<3Km}wm^yNk2Nwah99AsOn6xvfW{+~|m-hqdOrZR;n1 z$W)s@K}>bYA(PW>Tl=MM*gFFvyinpe9JKi*HtAc?6AozD6`n&M9f9?P`pjk0=aKB()6k(;)GFq{3W6pt z!!|{riX{ik(IV!+7Nhh0mTnX_QkdndTVE-N?OAcV43}fJ z?Hb)z-e_Nd%k#QaW_fGYZ_yZ(Zf0crBcs;ZraHPxOG_^p_;K597eduXHNLrNNN})d zNAqlA4Gh6D9FD$%6}~&}$Q@G3?GZDCfMi0gvu*9TT4(D9=;Lf*cQ<_5-Q>KjZLO`= z>9%i3CU_7!_ck%D7RFant+QJU!FMF=Ze5idT2XU>1tZ!|43UeioED=TLesFfae(v% zZ9MA!MD+(VzOIdoY%zDs{hFgy4q09@7>$jh$_j=d=k-k|#hjObl{JVHU&3uG(G>Y} zpg_Y~azkx_f{}RW>v(8b57A_jGe&W%j9rd)L%bD=`=nz4#(`IH_i0Dbx(YCszehtG zr}F1M4FaETqY954ymgQMIp!*hJB{aC$8xkn@cUqD@m`ohXevYFT08!X7KU`+T0+y! z=*Ln!TDJ$m&pu82Ehotg+0nXAf;~3|c7k9pCc>WGX-7L4Vn$tbv}}a$KpC}Og|oN{AU{? zdE2pNP;L&ChdzL`Ztjh3`->cInZ)V7DeBJ(b$1ylRe%1r&saCfU~u`&YVW_(Dhr|iuGcp)xYNmTYU|6fvy;d? 
zf7iww-PvT;#m**$eT%IYxzAPIrUv4f)c2mmvx?Ex7kg7xenNiMgjYM6yPq}ao4Ca@ zQLW>f)?L1Z`I;8r!i1vmaxh*Y1~%jpSPjQ>KL%zw8%ex1_GZ<*jT&kct)HL{{w6m2 zy8)?4CF)H8GQ*o_AJ#FDPkXh}zrZ4&@fsep!Lq*I3GAr=<)>G8%hcRvqLcdD-(dT2 z>sNgSf-G+=((N^TUly_^L)KNzW{%Fge3vnDBv4{gBwMMsq6{rMXOw!iH5Q!_guWN; z`I1d~g6DZ&u|~GX=7gU}O^N6{`2a`f3T)Vw*syz`BWW*ACtAWR-cD>yM&gv}#gn4+ zpfn36H9R$fm22=c>%{{Yc=ofl!PNloWbODgABhw}cqKs4(K4ht5?nH|>#1qA8+h*~N;>GN0`G_m{u@Y5XCW|jf5JP>bYl0N3iY}cI=veaudGmKBDdFH z5gJKSFGJy}Z(3ETFWJmbd8=RzYHM-jEH^FLj^wC87O2kGg<53%~Ic zGBzHmf#E6jZ@FGuX4!ZN6IvF}J=<(#DZ;B(my!~(!?!p0Y=uX?>;3g-)q| z^C4teBh%y}%LoKErZE8+5;?^b0Twg}Io?Vl^LVkD@8p(5X1R>t=@&CuHGF5{1l%pn z;NvpM(N(Kh9YMaQj$#6SOFP%|GY#Fx)g;>V7L$cnfv++;w4!hmord�OCo(gp7?s=!=pEHPO@8m~rQ0Gb}wzuU1NY{#nboY9Xa_QgbbC&1jAS=Wh2;Md^& zeY{iKix&|1z28jro)_o@TYc<>_&NAq{r>M$3HN{hZS?-{$&2s*X43uNH5IDzK!HSGqF|M?LzmR<@0#4<|u2&n;fuid=hJY!|FWC*C05v^5OW_GB*O|-G};pUbSQ= z3Uwt`r2t1>s=UNzReqcqnE(MxpdbUl9R-!Z#EdJV}>j*Jm0>aj^2xh z9i8gG|CG+R?aVW4IrHQ!S2L*3tQQ?`3Xfa4r_&NRJKU&o#20gF}SD)R8 zwr=E2Kd5&ES2KEV++;xQmd3iO=~MF{nHu^4T0+chIQRyRTf#4AKJ=G zJ(X3}RV!L82CX~cL>DF6r`FPeZeWpd0j_=ZLS__ zcb`KK^p39P>S()r$WQ>K&`B%G*`@px5C9%^az9D$F!Jp4+-Kt_z`zq^pnHTFZrhk6 z)D@$Xombx)IQ3&Pa?nzeA-vkp+-I9^&AU{Z=IF^Uw+*e30!>2jiW)1~Uj_C)O_8vEgI$Mu`~w#W6G`YzCK+WOD+ zn-(^V>Nnlckf7hR`zy}0rg+s{bWju1Z>mq!Z!(d7ldPH&G@Rta+?(I1hLiOFSi@=Q zIZcaeI9(5|z^w$}q^`tG2L%tohJ7YaMTgsl(}rq4Ove1<>Q3o#Iz`OF?$8Q8FU6*h z3-q0EYtLtf|8-E5tL~mdD6Kt)E)Ow1A6(arHStk$j8<0Ek^|WX*iBdyRPjf6>-!ii zVHNPti+2Wy7kC0)LiEb}v$@!n#7b1fs!69PG9CTvR1LJ5rSWJ=dLrHoo8Ysc86BfE zh_-ahKJ%)E`aT-+Cv@#WG=qw({lNN!)qd94-DP0Zd%2+xtNQM}h+41XxCiYNkD{if zqboPW1UL!0&fF>QpT*p#UPOF`jN$}&$Rr7XPuhz{Df%K|v!bE?Bw^DR!={a6Q#XoD z;xhcF*fM;OrcPj0(>rnYky7E^GWa3zjAer#>TD~ppk^NW(0p_SXD3wwM?UV9B&k2Y z++aBVQFYs%Yfib)i7kwq%&%OAXVC&|N0JDCU-}9oHbTfefT7J0YKG9W4U`0Rwo52) zGlW8v787botuqOE0NcR`xtI2v#6CV@w(4=V0A8b8vu;sTc3 z_?dPyQnjBIm=yO}VYe~VXIIMm6nC`ooH3|r(oA-SwdJq$!)NA_qvp+L!>?ITung4q zzx?vcKGTZu3%JM7n+`~rOILd{U_QD_E82;2HuNvF9}Dd}}~ 
z;)T$+ecGzENltg?x@1RJfl_izfh0>eeg}BRt0?u`kUg-`=tN7ktYd8wjP)@|H~j^W zWhLFLd_Uqi9bkclMrV8d1Rx4K6qx@&Zl@!7=4DFNmtTEMG#0Q)J8&Iq%}qi|IXmlx z7zx>#@T)NBoCk!5FNOIbxBNsv0wQ)}S*_1ME`K!5+zOM>^NM>vb9X0dwyU zlt)8-CdYA~DVK_K@2_%pZcb+=WpMzOr2P?#vNF&we`Z;-=~Gs6umJiKk>cHXY)p6h zrd8&K04vf7t5BC*ecjO)hR{rRx z&@1&P%+Mu$&M0&D>3w)&of$iZI&c9gB4x;1Tb*U*;Z& zb=b}9h0;gM*`!)=F1mErl9FXWht{ELbdF6JX zWXTB}kbN*-q2mrZ+c*Cecw-%sE4e8+j z2t79U4Gohi^AIwLxMHl)sNdD=F=QuPEAGX{6>NjCD|G1>US%1+klRUB@lC$ zPD~uZ9h`~)D+DCv5i?*}PehbDLEaff^zb(#S|7v_nnbw3T=2%xPw<=sFQ+!7_ix_= z;B={9j=H2YV8xUT7LayRFx%((mY8MpKQ&ba@- zm~jvOubXj$2{Z1&|5Y>YF@44jCd|0U#?H70{};`;2fum7?fxImxPS7+XWYh94TcMh z7%J`tbO`5u%n<~U(&bg$kKz=nR6kM?sP9v%Us0-`R;r&DsR2k_I_Jw3MSDaQ{ERH8*M`*wd zCd|lheWurNm8euo9*I2dGgSiCk;ia~c0Wz!u7B~u5-lL%>}VLu6>}SgW{cly7|IiO zH4H5h9=Z|AY#4HHu{DHOHw+nt2hb3kFFCv!M#NHIdRT-fl_}isq3hsd$`zW>vkH_Z zG<}~g)b0#_W+Ws56##F(nz>(L64ac(b&4FlbX{sgIM3BA6h(}MKo>{>E0MH=olzj! zg+(u+qH~2Nkpi=YrXQk4qMLlMUN%)w4@bdq2i$8-T_gF!A!mS zNm#vAul_c@@=s!wQ$4m=J!T3l+A;|!BRquW#&zo4k7jw6hEu7HSQelFJuW<8LPaY} z_*#e#EF4kXJ9+=6_)^1DN6^9+b>)@Nm3HdN9yIS`C6mCu6uC=-u6#7ygZh9eVdIG2 zz$YVSj;9!H2w&GQWECDjn+1{I@J@afVj{2PS7(b?1{P{ir(Vk&X!-5OD3g{v3guOX ze}d(vRW6mIX@dV>(MoGEO#Nr5hG|F}#}5ys3Hzj%<@Rp#>BbRHhQY9P93Qtxr4x}$ zT1sBtR|?>W71LXF@|{_V-COdQGJ%ymjdz>=N=Dc+*I(M=9-N=FIcX%=>>gw#JC^w} z3!sTRB4&8O(_nPBy=>kzDXq8w9^w$h1xogpg3#XQQFo6=1&T-UjzQNZ)8PAN=p^@( z(9dSGl*!!BVJKJ1;)n_lFEyj{r=1a0X1x}|ulM3E$Y*!rP0(@hzA5eXdB%l?!S?}{ zU!5WN`{_HXg{3LKQU7K%QJAs`J z)b9zD?1A^^pMPE}d0p7ODUFpMVjYfFrMii8Zq>(NWbQ%6ZAQ0J-8&q@2P*_d%Sd zp#*7)T;FMsCdl>s4N^Ka(G^Cb`|T%&%?T%Sv{#`p202LAllBTE=Sv_|KU1C@VkF*lr2} zwd;>5gV7+lnEM^vtDnQ%?_aheg z=H7$FF_Hp-caU7=J7`!ycdwo12rAW`wfQiyRqq!b4Hnaimt<&wu5=%a+z4gAlP*17 zODtxu;%-+;4%8~rp-4820LXPw7AOr$f-0Ew3aYwKB-bDZh213pY-iGekZO-y@6cf3 zZiB_|Xke8wGK0`Ty`u)7DPoUBMbh!E^!|x&Zeg9K3>xG+Y7hUd2qEmpZ z*hMrsdY8CLj=IG=&U%R}W*U>S5uISTs{=Mj6LD82a#XXl0t)q;>KS1I$<<*?+2PvU%34onfd!-5;HZ6P&drUuw9 zz(3L^N6;CRB)L;_c8cae!HCaL;R)23%9g7^6Tf!~6^qvPWJCCIT-lwoB};qq>_S$b 
z>DS1zAB>Wb&YV8W#^yp}pwQ&I%cBlV(DleB`q6I6NLRy$eGQ>C&DM68+2GK^%V@rA z{FoT9HjxTM9UfMlIkw2b<4`DDYMFXm{#BbW}{Y`=6BCN6}@!ps(0 zSlUdOuMO#)cn=Qb*oYnIIATUyqV0vI>oC!wLZ##^>L9lp4QNvPSd2MnF*F;Y2r58v zs~b|~8x6w!tvF8Z$}qeJYXYiRDJ3?T;>v)O%Plk988eQ+2nC56@(6EssaH+{HYcyD z)*QkMUeWyZCUYAru>tLylM7*(2|GHW12UkTP}m}?mSs>JaE`V9;HH=0&&Gn)R9oLHDVrd zX@Ihw%oKXnRkhq?;2?0h=;PeP`jP6tp94t7NWP{ynGjKzXW-s8dk^~QLmVnIdUH#n zQ+qcGTP@DcwW;le#$1@CBjX@28v=vxPV5~#-kzMtMx4Ey3tm^vWQF_de{9iv3R(2N z`C^OS>%KyZ-kVDkEqYIwZZQx-i2TJ-;Gc;TM#7hT>c&SFNw;491 zs(T)w?>!5I1ej)9{XJVvXn8p`-))0$|A_};-@dvLzWopA)IZB0X0wt^N6_CR{3_^i z1m*nM(A(xVkNQy(i5pc_%$@0FXXJUarQ~+=?7%vszh}#&mO>*9-Ts8nB-s(1=gz|H zt>%81HP8=T3Tw-4H@j_h4TlO0FwCAgNy7}7s`Y`}O!@U0qPacU&B`;`LR-VUJaIM* zuce!k2j9b?<6FJLc@%`U*2f3W8({WGOMEpOyq1BaH|z@y#u_oBAwN$Nd@xBFJ*Dbj zxa*n=FE#M18Te2AY6HL5b@5Tu$ud@*L3eC?lWV-CFvphSy@@<^tDU>l#6#TM?kCe? zzuJIDk`a+#s!dbBdp{jkMot2c?K~|`2EO-@Tz?EHin~Al<3Quw&Vc)vC$I?cbae5^ zkRD||Yz}$UUyYCXhDmBqq2(b9a`+4$7#Oe+s9(`N_N@2{cywjLULQ;$8G({hct1Rg zxh%!dDs}JekbsU?`9R4~ANC`jE0j$2zt+Q0cpUHH9mmUK^Qtq&%b;ZEVQC^O&w$}@ zBMpa8ZHFZ<549F?81OmXW$_2M+I>c^iU;>q@O2kfMNH;?m{XP_^cghr<30uBCt-x( zWJftSeGBVKX3@b9BG$oPXLPfPMJv4OJ&+4#B(M6tf1&$Xs~YN~)QM-Y6VdZwysa1a z9PhOiWeL63HGZ_$9%~}=2Vn{5(H6PK%e&34HgNb64lm=KH*QSl!I;2q15OA&4Im4^ zOOY@g9`y^`nEuMZYjo6K*jabeVO?eow|uff{nmMc zhS5E?-iC?l8$4V5FIrF^hANOUJZ0*&WAQJ8 ze8u^Y z=lVLa=3jNkm?KRq`J5lU!&sr;hfH6N(!G_{_qU`$)sxr*u@Q7*rCe$Y3tzu+fhJZ|Ek12*n5?xQfjN7G!MfaNByM-7mg zg}r7~b(^;iBp~#BYcx0pysBwjOmEm!)8@s0>N9I&Q)(7Wp>{{lp4(goy8b<^OjOD& zN|`mk+$P+Q>SFAGQf>!+ODT`C^0R^ZlfdA2ko8_k)lIB3f(u z5Ja*=<{t9^if#SMMCLwe*3yTRbry50@>8p$OL5zst+@SrlJD%AN&lhU(G^%@1aT)x z9?`da*I6LOQUsY;IjqS6+hjn*d1x)H{*WN(Qf@(?zIp;XYh}_|sJH%DFpl$rww^#DSUb`+FCKXvr6A#Wfqpsz67FuWCyt_y*u=|9l6I3 z?MeM852m9+@ql<7>Aud&%B+K}WFvkKbFy_7*1--TwFmTu44Zq>k0gYMMQJM%m4@guU40w5GbVc!lkftB&w>N}KaTSYE1e+FDUZ-hWEFPX3gizh z`iiU%%+LkK8c@Myd*(1#8It=fF{qDeeTljZ+!O_6_D4C!ACuLj5lx-bb zwl%SAYs8BM4+qu{Gwq+2YZ+6nWo)^Y#Bwe2kbU#SGs2I6UiQFxG_(u!vPV?m^$#zm 
z?T6n)TV@F~54#LnAMYk*A^LD3QbUMa}kPD?ILj-)i`+gx~G(yA^(m;WrXB3`Mcn-sJIAB35GzN3OIjUF2G;H+K@Y?~uAeEhCt6A0d z2x6ER=B?Kufa4g706Ai51LAeVfzA2DdMD(JcEY%?&pba2_2!IVy@T%prH_40?Tz)x z5bu**?2}nvQ=eesN9I9zCH$J;*HUPnaiqD(EPqba`+}(VhlHXLH$Ba0UwsZKsTZ0P zQa+N94ib&_+2>~Y3q)DC4+JS~Y}vhlLm&K9`1Qjt3O@rxS>ZQzg!(26Xq^SmOn7F( zGXtI(@U+9z4o@3AZSb_h(+W=uJS}7UhSO*c{GAWKTj6)-NJ8HfngQ#CzM%K9{g4P7 z+jm^!tAe%5eF82ZXzzy|kw4rT`Yc7fOOJj8KGS6U((!xs;>TTsCa+WAw+uhd3bcZ~ z3cvJP7k>F3__O{___JjVMBI&*v44b?u{WS)?5%48r2ijy6aOxio`q$089NgC4A-_P zfqysf=_(m3fNvkZ`=!zs@`r+WHLPM`lQ@n|R;Iw$58wV0=?v?XKQxO14#2{qCDI_z zUpd;ei22~bgRi3(j@<6t1EsJ|Q;yV@$<0$JM@Su0X0ddpDtr!>(L@b8l`aVZLg36;a&Pf@1tjjJ3?Fa+T@09SyU(KzNz0i0NZMw8C z|5FYb2j7LyuElNp8s0jL^HM}q?=`WGVW@~}ozg9M_7haynyk*>5WA<_Qinn@X*Qs^ zx&9<8v9~81{9RitEQD%hF5HhuRns=mW!-}yIFj2dHLeth@s)8>!c)Yp(S!jnYy_Hnb$I} zdUTL3NjictM+c>)XiW_7zHCfJo%jakv9QC;(D*6xI-#(IZ>sU_Ea1b~Y0g1SX&ga_ zXbm*tK2>BU?N~>q`+KBIP>lk3o9Q0QbbGC`(Hf}?G#cllEKN$y!|ZhE^GTtP($l{T zeVCqp23R>(ZAF$U-9NDLTP(^Zng`f{#tvk>kgYu(uw0^;H>pa!4cK2iFkWX#kJbVg zIJ!S{fz*h0o9tf2eFDUf3J*wM9#tT236HjX2Hynvlr122v*G8TuYF#93ArHYgt7?u zRrg1VS$Nakr!2Ar+$T|F^QuWlNktyoHJKl6E9-2IKi8~Ke{?IC+hVqTUajTdQH8hM zp*jAW>rK^9DstmZ{=weC_vBuK0zieE-^+r?j3S839F5C@xJ+HyDiaHcD_hy)%2t`W zvQ;K2TlG@P+ky9kG)E#w-X&$L<9*(x)xY?YxaTiLm?Rp!*&bFxU;iqx)3 zHl2P;re+auJd%=wU4)-y9>u~oT zJb3rjWrewikJPtS2}tRB(7JFu@hr$`)qF;^}jZn#Ar z6ZSJ2Qh~nFu;42mG0DUF7`;PWWuDr(@d>whV_slg?;2s8F;mdld80QRFpD}j(~Z-S zd;%^n=-i6SP1QNe&ul!>dq_ zJ)Y*g%)$QFSNqI?-MzbDJht@pZsAqlKR8!;pX{sOYOnI{*;Ky=*SyNRmsWYXU;90; z_w{aH`+Mr?V$b#ogfB3+_j&Hk-q+W=tzqo_5E1tVD)#o91AR-^_bolvxAd*PrN{ev z?;E>rF$()PUh11(zpcN1>)3U3c?r08^VrW;%FsQu;(O$%hZk}OOeh%75njmcz0dpv z#M@YKhg|J_{b&ItTGzWxm}kzj)_al6Uhn;>T^%)p@fBD$^v&R1Lc>kRD`<8CpG^V^_e;;bP8&2~+IL!y#w0OU< zZ_fK*C0h9H=jZVxooRh^gv_p?uYO>|+c*9g4eU4X?dP&-F}T65#)h}Yeqkj&*n1zm z&b9k^P1rov=NSlW_~3?$4Fj|${8s<7{rh*ne!jIP{B|FrJOkMSede*zyLo{%`&~TJ z=Q)n2XifNo8&}FTVT$O{`j-y$?|bL)lwU&bXCFrofjD#ed)KdTJ!WLh>#u*S|508W z9(XD|aGGZTdDGhPn@_zl`p+NK-%EYwc?)HkPcFx39@s#&z1kQX=-(R{{YZc|Vw%Tz 
zZTQ%~$uYUR`(tZghLYiP&i?uOp`0u}q^riOmc`ap%}wz2D`*nECz z5}%hapC1^W&p)mP!&yjl*h(~JUGFo(JY`+)Az}Qa|LINjZ!I6$*Lv^b{$m>kZdkmj zcW{&E@TST|eV)yIz4wg0AClwLu|GW2?*?Pvwy83&;y8HvJ$oYPw!R*1-YwX>9Ns&249-YzK8Hgf9uxe;%XWKR|op*k10{Vzxxcbg1}bq5nDm{ zvT!GU8oS~999HZ#b_4C_BNqENo5gmU*Kh;lwM?dw{n;+Egpx$piWsIa-OxB)&F}bKozjOuZ|?)P3e_k|UX^&tazCm6566_KeT!ufL_=v$MZ< zT%a$@DBDVVPIrQqlleRoNxtcxH3?PeCOdbdTV#pYKbq_3RPl@MLYxMit5z*fQTT&@ z2))KGp;>;`KX$8CEqNnt@_7|Ja4gx37JCXQNa1gtJ6gKFMF>$r)cAnkw@>L zuLJh(T>i<$6~}ML?xX4-+5M-ywSW4@Y|`?}bNhO4Bd+gXdgNNzKzn)ql_p$Y$bNhD zuSOrD!Myay0`s^1y|?u(-6aP$*aqD>?VXpQnCPUVg8rqu`X77hO-Q)koR3Z%{byKZ zZ;U>)0FNRA(C9aK7K&Jk1(V2#p1Eh!4LK;jA9`>HeFu-uWP`5ge+=3XRroGV1o!ts zs#2vs7<~xBWK*f=-#7ZtG!gt*_6J2Dxt_CWPFDXfXfoK^ z=DXoQ{~^dABWrHIXFm{ zDMPJC@9qaHdXDTqG9F}I`o_jAcfaSJ`F#|551ms4i3aU|l)tow=Jnq8Irj(9P?b}! z_q=i1n(5Qc+`U;vwG~h5e+A^Y10S67kF0*rEtl_TE#Aj*g)Hd@s;@Y0XF0U2UIUF=c>WU>v!Vd~>)#57Vc% z-rk*Sj2OM|?cF)X$kXXus<(HKpinM_vM7{Cn{#L$bT_T4Bk|t;ryihBa9#AYael?K z#+en*8KWznHa~H?SO%|X%;};E2oJi1Ad@ir+KV2$=IXWY61y7X8IQmNkC`7oom#Q< z(RKT)mOgrV6^Gfo8S{-_^}dh6`u>yyJF<-I<#|hXPr{>Lu*g>e~3MHN36 zSXTTO=9x%B75^A8ih6?{p~}C)mCuvk_cZCQY`_!LfJE(|pxRq=9kTf_qY;7cVtC${~ncWk-q=X1JwJV_hqPri>v(} zF#^;3Ohs>^tgJTEe0kLb>h-HX^Qdu7!N84__%n}kVpN|KgL`B*h!Oq!F6zyF=g>vF zNAIiHJ$C(1=-jm<7ytc(59srJN9bd7&bYJCD$L4|CwaDh|5-YK(y$RmSD(X6_t8$MU%8jE1p4Xw7}2u;23sI!_yp z)_^g3ZTY7OXHOY`%UtznzjkEZ1b$+jmisWJS7$Q3F>2l5!+oAyiaK&03VQT|3Fp#R zdne>w;1>VvfF{5!z$Jh@!27?>5`%y}fbD?IfSUoU z0iA%$0W$!T0OJ93-x*tuph7! 
za2wzjz#2dda1EdiPzpE?FbeSA^I76`z#w1`;0J)Mfc1bbK4U z1LOc+9Ly4nf$sqR9N-2(9MB0^2&e)0asTFDWeEeY3{V4T1h@c&fLy>^hqJ`;&upd>!z4!1aLDsP`7Y-GDuSmjK5Bqh84pX9J1=m4HUTLuh9i;B3Gp zFCz??3upl>2dn|y3b-5a2;i51R{+NWrwmFO=e#WOLC|9t;2yv$fa8EO&=2{58r2_@ zP`^sRLcq9Zv(k99XknH3RJcm~Xl<4F${kh0+*xJcyJ1z8xDj#D=c>ea7FMM_dtF=H z2o$$@BYKek`C=W#B~we<{8}JT)E0@FL0>c+^BNQp@6Gut}PIa7)E;tfugp6 z-W}BSwm>YtvZO8G>-5HT%_wrUcsrwEZ$&TC6t@K;!I0x#wKo)Oj|VGydr`hG8j8k| znX95LuKA1FI^voZDQasEnOe!zsp*kL6}?>V%i21$h!*!6(YUKA=ZwQDQeTb z^uJv;u%y)0yrj9dp~chG;I38_SeP1jtZpihec8(KW9yS#DD<&C(!)XcCJF2mL{B91#Imeb5(=>d}DVs*c8EQ4l5=ja-Us{jQ##hBPlq zjB8%M%jnd?h(cX@T;5m=SsGD_bWsM~R2@9S)$*gPP}J)WMmk)9cr;8^GVD4Pf;;k2 zE70E+jQB#PU(-3Cu!f4cq7ikEa*Jy|E!c&62aSAJFo2r%$SPPw2eRSJ*Atd19yXZ(!Nv6mC=lX zb`TQu*Wz91Mm?X2EDK4>1$=EMN~(jSSXTi2Yjg&6oAmiEGZNBt-4z8P;}&szJPtt= zqce(L3>sQk2l;9PcrIT>s-#51LaV%X*PJD;Rxs~8SIc~l&AR!nB@0?z?&@k!V+-A| zn3%Gh%lB#)xEdC;IFi)oTXC(F+L4)6Skm}1PCUM-_QV;~H1v9R(C8%QNgW>foT$^= zr7>&8gB_iQjv*3?b{8g(H|pD|)6lo{KbbG4l<`Q0h$y7~kz=v8p}ECfSLbf2UC`ii zH`H*;nri3GZy`cp$hwxG6fl)HP<$h#7822Vv~_qOl+tAEBf%1olVG z<1W9(EKmq}ViBs%=Z)#ILM4t0H6tgD@~M*q;ABOvLaK@!D|Y7K7)2$2zAF+1r$s~l zLZrcsgdmAVK-dlpJDrKBN5eJ&G03PT&Kjf9NfIZn5&LR1HbaUX<-Zbwn!XxuIeQXvM8m3$rwhJyx6C)u$?-qec7dV6)3wkn27=(vc16@rFA@*^TM zvRg?^8-b)E8AYRkb2W7%iLrR>Xui$}Y8!G?LYMhD$~HQ^ig0Llw41Y2#0nae+NZ@0 zFL1ZFhbZB)xdh#y`uL>eRC_|`bVuVWAaA24`0IoIJro|NjHurhW%VrF|N zsCOopO){Q`505%juqW-gII58Ek}4XhLt4b2sZ;IrMjYl^fb>Jsu!*O(N~u!B#{Dj2 zVf0iWRYDHgx-xYHQk}s9VJ+?pf(`9>Xc~hDno?|qDf~W+{B4&4Zwd=MS2Ikf+Lqdd z9*E(&3!3U#3Kz1}wQQAk2wHnc=DT!|J>-p3o1`%EYwczSE~6n`G8M$7VIqB7$lo4X zX-3guv3S%+f(r86(Awg5JU9SN3@bqt0H-63w@dbZk`$ErOD(`A4zZ{n#XWFq&<`qu zrI=H!ZU%8+OB;}d&Qe^HbQ87^q#B5gtixnF#4xZh`28F-I+;OaWuWp=Z<6jbjO?3n zts|%#7=70LOAB3dNP<$Qq!qFL8FIxfw<@+wi{j0h4g-^e!@&udCCWwGf@*rz>ZF-HHjlr25~}zP6eabTC-+B zb!)w+p+$0#)Rk_#y0X=sAbS`54!@!s)rE^8F=ra2$Kx)m&s{L`SRzxW({Q!*KGnt_ z^_eubWaEf7oRRf#KB$L*sYQHX6ceVn?oj;>ylPrWv8!{V)tLu6_KBY6(3AS`3q8LXxLB z5Yn{QHTj%1aN>>zl6mB(LS;!90GcFnT$ZD*kkMRX6~8~IDwH&Ebxm`@iG-7Bl0O>M 
zLVofM10g?|Y}d_S(&%Zbt8KW#)!p4)7`B*?{FceGVKi)d$xRKxS`8W34U?`HKUI`; z4AFD0%Ik(L_QFoXh|QQhd6;Z3bQXW&q=0e3~EOqB-KCk3)hY%rVyAWe1i2k|I)vZ}}jy0&$9337ILBnb6CfBFj z$@h>UD8p@Aa%2;!Dy5jRQVbflyGX@2T{YX=8_G@N=hJFyi$t_M-z9Yo*+E>dgc_Az znqv%R$}G(fTA^vNh_t?nNGp~VWzdSgKnZA-pwDy%ecTBvq|V!Ii-eQ5@1&jS3n<^m z>&QAuY$z$C{4uX@rHSSz8z7ePne<$~Ymry)1XCIq%&cLh7Z8PM7?CppEKFeADRF7* z8=JI5Nw&5$X&r^ULDjwOam@>biAQM40CERym7X!VT#*1sV^EkyOe_u|69hZxYF2?` zEd|0=>xQP0GaDgNQL>f}-$oXlucQ?T22~kY<)qv=6BMjN{Kshkz)I&vQBmZ!2fRV4 zP&6axxFKaK8W*>R#R>Y2d#l~iTMJA>r_q+y11H&Y2~F#Rj{)-`pOYkLM8=c6V@)6= zkKdEA?-D#*T;!;G9Xc-L@&p2))-VH{lz}fEYzG@y4pxYtv|Uci&Ely5r#q@T$k`&L z+qp%KM|qNopI1+^1|)MwX;aEW8Y4X0)!m7ILsGUdy$w-RpTwgN?nZ|ut8r45q$#l> z@A;!r=CW%IckDBv$342Smcevb1-^r$q(62p&=(1So#+r zrtm^Z#&*pcR}(S%3d&NNoBK#p}NWtdUU53NaL-#h1%>TE}q ztSu_UL$%kHByQ4Zo>r;G8gJO!p;;XOiqVWMiAXi?>!bloG((pPI7k*7yZL^M5DX)~ z%n2Hq?bE{MLf6Gp3yX>pSyN|NxhF)EdM-%-qtCUKCh23ctV3``Ef`GkwiVj9p z$!x>>*f&Avsr=IEm@dFS71RcHV8{2F@_+U+MANw?UhZxHqgN!BEX zenmvbCo ztXG;EYMbw>_C~yZZ@!#3R&)T9pcQ(CDKyHroSI0zV#HjBKZQgXwm>lfyiV7c{g@^i6M)s|Gb5*F1NVyP>7l zBTcb7M+>@wI@cMQK((l44b%r-FNhgHozX~|%tKnVpPJm>UI^`kZg80fxKEc|56jQz z$d{f+#zn5Kr~#7eni*nsOf-aOh*6>OV5l&e?IROu6)BFqyrz$;<2C8&4zJW)mYRls zTu3yDMa?d4wX2;nBg#wgSj9MM8dLP&GNbootrUujUCbg9>AE&EL( zKDaj;h8M4yafmUhxuc^ZG{=UK7>@dBx;9=2_s4}1q=k5zE^0{$>SQ8rNOP8{(L}0l zH%ymW+D8JDYQNI-Vpwy>fbU3A`|*T-qSsGxxXZO<`kE0~HyBQ~$|eGU!bse%b65IR zrL};UxQE;zsvVDEhw5?qgGqYFRaaYI+hXxjv#Vx7eZ700r?~*ime~ydye-WxPYXD& zx~{cZFgXl$;15CS4u$RWGU#_Y7MMbWQU9HWEwWxb# zg<^3Y~w1_Pn;W=>d|-Fp}gwy4^>r*fk?f&!+hOnXLp%{3WLJN%znwfTzJj z9A-n%l6ltHhc{`iN=#o+gG^;Sn661qYAE|55bQ8%9PmIS;mC$V!j3Sc`DRLCNePq< z5hkmLZ&rX%A7%ZWdW8EI@;Iz!3{hM7#&I4vUBPH5A>Y){r$Qod@T{fwHKmPQ2= zM;aP5f}!6i#3(pMK7dGa z=@Z%DASuQ*@P^c!RT!6Es7^hYJmApU2sDlE4XPG*#VN?qctoT6h9**8Fkp;?z@qlB zx=@@>K37nwfta_4g}iJLU8A8B9oB?tx7((AIyvp3W{)L%_~a)I9@$Z(wy4<=FE6|( zIgTW>$pg|~337^0E}UxPsGL&9QaB{Y8TWEC9Li48H||&Cv)$#HI~T(7^46x>n%XN{ zl@=y7EM<$%{-0tlmhiqfQCb=dx~0pOoAIEZO4JkTFCGs8EqzUNsJy#S%cRXb>&J 
zBbtESq7E@GzydKBv5OGXgnKT;*NSR{8gP%Uc)Ld_z~8HiM;4ZKY+@WDFXOk&ozwWO6M3Vw;G|ii1B|fVuA=o#HFgPlw%KKOi?Hr zQJRKW*}6D~{oKw@Zb_k{Mh`z5!=J33f#mG+GnDjd~Rr-7$q*lT@z3FxeqmN8^!7z8{?j{ zc+I+3>&QoAUMOHblsznYiSBkOzP6sT_`=GYILFA4dKB7B_aqgA+{)D6&*yqaxPCgP zh$@=L)9B+X zszjhXmmsbc*p2Z+vY`?8ttV2Y1l4D*p36v1*J|gRxmMJMQL5z@ zKU(yXywuG!>a@A~L{cl?ky9tA)urxts_`GhsO)5ZlF}>0N3D+` z2Tk!+U|1<6N40EkoTZTF;AKhOX7tno^c2y50rzRLZWv{c?DYI4|0h%1&oquO&&y{* zh?DXmsCYD8Q$%^ZP^&wXq|qHcrE{OB_mGq%rrpb#>sdIYjFHmK8snNRvqC9j)>&#H z`q??Qtr15w@S?XuiUYkUKXYrsEJ4y+Bjs~Uje4hqq1?k9pU`IcNjXZ+IuRwDboO%2 znplMr3vwpvR7(4OS@UpDp609Ie+L;oRET+Hk5P?4M7Dx zscxCuZ16}oQd%EUV>?m1WNr%b6EbffQ-sP5Dn03Cjw(zW+mi34?&{`#UZJdjDC-3O z|CKgYaEWmq-BeTA0*!ki$eNI1^A(R-v=1s?jVjqdJ?mvY&{*z-hUKMv#XUru7}Ls< zV+krJTS=7Kut$8NSB4)!C*n}uZr90=9Z4_hvlYq`vPR^GldrN35xy5=%92eKJn1oG z(LTYA^2zojdovSVK5Cm|Y)OYWUFWcEv+SIN985@DNu?eK-$j&7=(MKg^C7Z;?!%zLG5UF zhq@b8S}`#;eawXh+Yglgxvm(?GM}ygbj4+w__Ry%yrfb%MOOusyphj%ZEvD|ST7*C zUQP=t;nP_1K)O2FTQwN$ex|l(y1szL9kf zE1yDg8Bs`T0ly=bN==L_hyzLT*3oOb4kEokY#_?6Ej^^ea{ zMl$WJQe^*qwEAVT=1x3IR+uu=XqA;J-Q%hiac+mR)Tr_}G+WC$Yn88TV825~JKK_c zuMqmy8o_?HhLb5Xv}V)U@}NHG=DC6s&D=R@Y{_KH5@-cqCOA{hCoEL{cr(xFXsnZ+ zqbIX0w|MkIHQIxUA{TN^wKSh4Ro0z&E-W!FgWN_rvKn{<$ysK%n8zWHEvH5eI}ebb zq$$$p6Rq-wngL9oFLZr`89~=c&jx1FhO%e!9eOe0|4990Y0Gq*)j7AAS?-){&17%5 znVaN%jvKsFr{@0MViE2REvE`o=G;g-tVBrG-9Ky%lRed;%ODCZ;$G-fqrgz(Ibl&c z=TV}{w~ZvtVJBpn^bwQwM!FS}PIIsAm0RAHmgMP#*y~T`zjn1!Agw@IiZv@PC8U>a zKIaUuHG4-=B%~yn6`zoOF_v->_9|lP`NZ6MB3-JDkf2z%vO1ir5Fy*nandpKT$i)O z`6<%al2*x7k@FgsZI!5rPsw3Zc}kXqF_gZvddX^)HE$l^yq$K3#;G$u;nZrf*WyYV zEns^^x8>Q1dGbHc_nE9epPKuTR(if8mrVWXwY7WVnbdjxQ9P38@m#bEp}F|;u5L9XjG@rp?c`u4-GEhOxj0+ptaEgFkY+F35g zQ`U5J_C;iiou06?TZW!{aL(RGxSh$fkuFtVIdf$w-I32vntaEra<%3Yw)Am}GVw2Q|Io9&nbs6ezJ~e3tan?p(3w`a zgUUm)W@IzrI-6ux79fwj%W;YryM}CPDULtr@pu?=zvRB1(@H*nUM^ z@uYJ-Map>^L$ygBzAI(jk-S+NZ*ra2N-{DeQG{C zuGR^Q=zfd`zzfd_V{R@?wYv~J> z*Z$r4h05*2=XDn6H8VZ0*G5uaqukECeuTVU`?g?6{o3WX4}Yqi^7=t_^4Bh38_8e0 
z%$q&pSwlGH>V{jvO5Y7)^}Qv#CJo6S)NhyCvk;kA7&7^vy0SiHY0kBb^rt0%b+F7L zYrDc8XR?P+-aoNg73X;At7J--EF*h{&}KvHvV7$Q#BCoZq~>FjrD=q%%n<7=YrZZ& z<9w}Qd%4Dk)G#MrN0U1{jEsAgg7%zUm)gH3ZK)-kDb;mKZKs-&=NDVbxJy%Q!~V#wMh^rmj#Nu3i)pUvxWSX$1RsG%*% z^gI)5@6NtVt&6pOn7IXkAtY%2u+lpdf2B*@yMC25V6Lq~_iH_R36<*VvMG zQe4UPk~GZc9gAM(BdSY&(vFwpK9}R&RI}M9x5jMMD}5~^vBSyAX|6qc-pQ0`;+!Z4 zNl8hAYQH z|50LY&E(Mj3*R3EQlO=h)`4 zr{h+$p|q2&ZU~xnao$I5xi9VFafQ+k}czJEr zqJWp{9al3~-XzOC)fXcV#3dHmeHh~qNx{|3=|}P8QMS~4${w{^@8@x0S*@wwR)lGh z;EFCqd6S%`iN z5@*WPseQgCwn@UPtb2rjThNmBnS+Bgx8fD)SWikuLa@a^J3#DiPZTOVEZ!?@>h^ zzmiCUY4U2gw#6JX9M&q6CEfH4?UZ{l5_8~j+Xu{?UV5HKmFH=KPc!+Rx-A2oEB;ZH zLU%}TDdn7FHCcuxR+$nbpqigHhOs>52=m$g5ZM!>*s?U$jFKf4f)4#7z1E<^hDg;_ z`RdN9jH`53i_H}8&V+Y26pfR8ya4+trY+kN(%o-UKOx)FeLf>;4#Z5dT>Q4Qb^3Z? z+ncwZtWdo(%I1MM_jgFyug;ZmuiDWXwDqU#!!Aw}%4h>5>lCY&nRIV{3Qg0?N#4`r z^!|>f_=lRkm(j)CmFg2FYBDjST@bLxxRa(*=O%bC@l;gx@==GTNTiP{zKbYYb+A-1 zS%=E??U3RQowbPNDO&pZs9HHmUegYX*OfJ|bN)liRG+dryh?t0mA*~%Mi=))&|W2y zso%8e5kkF=Dv#Aj(XJK^6Bc8#6e;Ao1yiiOnA+`ZS!_-!YW7YyS#oAS&dksw=^Qvb z&!o%GbP1R)?ed3_bWRSpEN819UqFK*96>lrNeqxPC~A#<@@F(gala<&(0d5-u>gcH7s)OosN?mt;V_*weIZC-SG zZF-try_~5j-{4zm+fS*sNSxD1o$KWmShmQ-G=1sJUDmbB&dZy`DRNxv4k?(<-O@%r znRZ9)J>v-*+c^p{)z9LHF1x+fUVtO^{^<`_UrUzw9M*h+;v36<)Erj5rI{^T-)rk{ z>+R9xd5pFUdmP)uA~nXMYUPNm*EZ;V*>f`Yg-TyZUT#Cq*84T_l&d;5w??v$ehn_m!mA|BmvO~Ou`;eC zDXxZdvGx+_N;6qHOO{LNl8#kqiuzWdTbqm!*xc|Mrrr{*iRzwsJW8WGl7YvOwl)$p zS|dR^FGI34%LijYOpDA7hBOM#)vM{<{b-0I+PHR>)lYJUBuI%oAtL2o9ZQHX|IZ|A zT9B?i<46_aLgvy7nJUDs4H&t4vpoC5?c)=ql+~Yk%w5Y~`?caa#Fqg)7{AjYwWeb< zm+`1B;&ELrrtvs;^WM*Dj`MJeX~?q-et#KwqXgHzN_NUOZ(I3o+6AoBX^%zXUh-~I z`c=m@uc28d9BYsnE3^o$z&YMgEyA^w`qJm3zNTL?$EQBirmmBpNllZQ$D(L=S!qpB zr=!IFtX`ZJUZXcZ(UQGu=g|ueqBGA8<34;4qnp(Vv9 zAvlkI>dPG>u7#sr=q^4pp3>@2g3Vn%?oZuSV141k{uxpGs~>!5pB#3htn@NJS5kTv zmz12+%5&-~V_rI%ZBd)b^ck5SDQ zUZD!TaKmXVeNG^m7blTW_;po<;Cr>Ap1>cyC=Y$m7I@YyCLFO zO_ltY`eyqCd#Ba}K0CqsO|ZSSL~2d>CM=g6`YpL+R|?-J=e>YAJHq?V>eZ@JM+OR| 
zKG)3kk1_ws^?fN#=r>B$R=3k6YHHofG#0J&R+}c+@0*9!>TIIDH7wDz|3rIF{+Sy4 zoxhHh)(%gLQFa?9L3XcVo8VH!g?T?|RINHDMt*e^5+!I@rmQ$uoQ^-_a_3YrSw1= z(@gOhx?Yzna>b28eC#wK#)>Us>`Hjm9~UC88&dL9LVR3Bd`ReIHthc^Tjo%feLW)sU<$8Ewtj<3puNM>x3^NE)*q~no zzH*Ad5QT9Ii|SSyXpk>o8u}}jgBu1vJJ>haKX~)t#=*}G-qI8$lQ`%N1y{2GmUGtD zdn^vyISRAckusJ&M+^WuZ*>a;um*4oU^$*FK;JiVA9f;KjUEypTomCez@1h+oyUUe znh{YCBdo=Q|Eu|-+e|Sx9u&=9gYNmgJ%a8tMjD+0NEeYI(uHPR1?f2sHPZoQD(-S` zM9kINMZGsJ+_5-tkGLFVUT%hj8`eRy78476hG>X(i5ksE=}m9Ehn|UZfVzN=js(W@ zL81koXIdc-zK?uN9esqn42?b%M&0Byq7*{DRutuLhu!t)LO^}}WWRrM59i~@FW*&< zpNj%L_=)-RXN1EubY03&lWoCzW%;)7><`&V8f(`Up34xt+ak#6z05kzYELZ9@Cf_) z#C40BH?v}7evza&nRna~W0jM*ZnkGP6LFWbzNECIAEX~l1aR|wn7r=cbh2%iv(--b zNtZ}_BgQ(($8Bj~EhqJj&(7aer*~Q9#2qnKnPk;i5n`F+J)J zA_RXkc&>T|d(8AByk(?2#g@8f5DV%#Us{M7if&OYbd zPoHw*g}x_H7R6DM7I*=O<#3MUs8mrN<0S~jhG`izRonX_hBx#v{Zc;?QVUwio# zb@dGk8n0|>ZfRY(Xz`M(u5Md;&9%$C?LNO2=;#bCUl9sNqOp~6-7velSM{vE?)u&v zZe;I$DBo&sNOy-qQJ)IWjcXcV_z4TWA(O++RyZN0s^bX37;cvCn`f2sH$8NGBKsQh zx>*Z*W1Z2s#&O7~rIS902|L@jVxD!9wMr{*#iG$r3!R=X9O)gAi(pXCjmA^rt6`V7 zducMFIuzA2WR+G1S9qVWb(2_f98qq9c6A^VjWTPH>0B;FUdzN(vb-j` zIq#E8sLGT{8@yp2w6*#|`pi>OWLZd@(Ekay$RTJY~djPJ#3}eM#q_khJb_ytA)6a<=lF{t@z}6kWXX6Xkh2 znY+we=35M~@|F8t?71qp5b7f6)E30_NLTtnw_uI zU90Rj(WF-vR5_By}i zai-^6B1%63U9VO1-m91@lhq8sD*Jsit9F^nn`)OAv)64U4_T|=RF26jInMnkk~32I zw&Wx6g*6Xo&4mQ*eaAtJ@5JhFrut9&2<6GWyC1E*@?rZuJvYt4Q^{j!ieoHRtCI_? 
zHe|{tll++iPPFoHtCh;II#+DC8d>|It#T75c_q%~vUVILze{8774SJu=kT)BFx9(( z$!8}fzeQkCwlIwrB_FXLt=*JEoiveJ&Xg0-%i5P;&-1T!j{Qu@r_LsJjyq3&>rs1C zS9`%yrAUIF-i(xrs2xwH@%3;X2i;)w*=PO2||B)`N9g zlI~d5cS=vG|KuEBfqm9V7whcA`A7+kE%%AKd9FT_&Pbdgn|`kabX$NF%^B`mY2xag zkf2%@O{8*tArjwi& zGF>gLQ7t}$KUZ1}>-f!vxWj*)6fr}gOM%(brT(<1%V_TH6q=aJ6WOPTQ%219-XE*kJuK$)zpZ~()*KT zo8S8Ow%hOc&i3!#dDo8b-Tg23eE$bOy!S^x{@43{^3(fw{@c$U*!AE;4-f2q}JoMBrpMK`wpMCD|ubzM5#b3Yl^5Ab?`R%K}d+ql}j=uiJAO85} zpN{?cFMoaOKi+=l_`C1@?ft+1s7$Cdc6jiR;@PzPb4}3lO?(pnATOd0n;kw4&Z#E12C;> z?gXApbO5G3rTc-W5gmZZraTNho#+5e7WENeTD3g}Tt##M=3^Wlbn{N1T;Lj_1Mpm` z?}PLf8tCvK`5B-C@a04Y;46p@54w2`vI=+s(cwWi+s2K+3yBU7x_K>f*@Lv03pxPP zTyhNfMyl5>Zjl8BScU5m!0Umtfj0x^0MokXNZ{LWeG2dn;8TI`1I`5=06q=)$d|zn zzz1A8-@L1sYf%AZK9|AuB(;Dj;z_iBt3E**vA4iMtz@G%p2R;+H z9C$o%4e(jOjlgFEw*j9+`2e2_Yyf|n@&i7P>JNNA@K#_K@OIz}fbRvq5O^2xMZo)k zF9v=FcmnVs@Fl>10GA0vfUlzZ0c%7*;1$&Gz#*y^@LH-Da25%W-QXu+T2ChjYz(eX10D}N3ix8+F~CK@ zdBByxp8%c@JPx=8_)Oqsz-I%8fIkhq9ylL(GjIj)4&Yh9_W@S}4*;(KJ`9`%L3M=c z0sI#5sU)}_K|O%S0FMG54?G6=V&JoZi-0SD=L4?*ZUKhDA^gBOz%k%cfv=~0fHzV; zz*{IE;BAx-@I90d@J@Oj0&hP(5Bv;04?IZE1OI`Z2R=^E1Lr)7=YjKpD}W~fXF)KQ z1D^(513U`25qJ!68>I*Cr1ZdRC_Mz_W=aoy8>I){LFs_+qjbOrDIEmniwj z{sOIK0Y6E)0r=mEbiltPodEnj;1_}ajdTI<9^kitU!(%|N*yo;_#nxC;D>=P2Hvl9 z4(X&KTz`XPJ@5*p%Sgv9!?jQ8cGC5sy;7H~0;V0$>w)iAI-hKS+i>ksI-hKS9ebs& zxexfW$_5~tU;x+il`TNF!9iT#LAni?w&}dOSL&u?!2b&TKJdRN9Yd7M-RBnl%7!4D zV*Ea-!|qkK#l^U$O=m^GkJB6#@IBN%-~%*Q229(3mI42a+6DY`Y6tLr)Gpv>sU5(F zs9pP{ZrlMpKsq50dUR%xnm;__@}_<0`F2b1KBE*aJ^C49%R#$9*{P}A!YMb9gw!ipt6DL4!C(& zNs+SM7UTMdG>#5P+vBjZ5n~6WtwOdG?F_vB0PU@kHX7M(8*%Mbwj zx8eHBG|qspR5m5qm^%-+c@NehWt;86bzIq6#T0))t|61nL_76f#Pvf^O#(F-mGlKJY07un~`kEb8#IYx&eP)*@R>>mf|{0^a5U|Y_pj} zFI?ZOY_|%c7p~VU8wKsGel?gp+ur)+Yv_1EKijk3+j z=HHC#waOpAs=Sk<8Iz7=K_wByn0;ve3ihj5dQ(wyzye-+lk+Re@y%a zd^hpit+Gl?93Ap0(vF-xb^{!SBpSEU#ngI;PUcReW6K*Qv_Um4B?Ot*kn8 zrQnq?iDf!d;h@^*->&MX+wGC%gw*pPbsbRk>{9LPRBIky<|4uGJ`3ItzCy(ZRJ*+D z`KWp>sM6``{tAVAR6V*?Jy)xG8>;;>pAJ=yp{@;8{}rkq!Ztm;>N=vH3)ysD!S{PO 
zrJq;oBtI1JyIGPa3Sd3WQ+!dtC#OhWAl|r2@k0SDk}DKX6sR>7;)?=4_g?Zs0l2PK z@dJgM6i*cJYNOZc;o_ zfY1WPClqc~yh3F)DSn~$UZHrVKuEnyd{e;hib>un;P=TS{}k|7G9(XCxmPGYD&Y6W zDSid-X>=>TD&Q|rO5Q5q6-3Ej1^i6_$zug5b)n)j3b!a;E8wpPNPa6oiU!4V1!`v| z@m&FL>Mr2-`3!p;ns$GMxjyw=PlMM%uj0C`;&#dKYECc1#Isg-1=nF7*E7KMoXhm= zxQfV}MoXGy3!<2CLr8B+Nevf(w zPPWs-ydZVXe1|NNwvTMHw2x$)CGBOKtC@DrHl){2w!td9QLXyQvg^2~WZBJJ4_S7d zDlcM}AP9y{Mgjt{6b)i&KS=j%;tM+^6@=8z#W-x^Nk%qzJMWM0X2T)^^6 z=5@IW>n!6u>KWbcIqR7vsx7il<~ZoJKs^&ldq$2#`OF*#jU^YzG?(-9GEIx(Ih}c~ z$-yUc9Bp6Z;Kgb?%@ry>!uij4)UVD?<975%E7#4d=r-R`w?zDv4m!_K_0+jt3+?cH z)h{~tSgj+UrX*XgMfFGAwoM9nr;=5cm#qjHZfA>0hW%`X$gswiq6`Pw%97#bY}v^0 z3btNkIK+0Y74EUaVMn=9_N8Qar6XQX3MZbGTq?sos?Mvq{;PTCQiAuK@gWC)OTFCA zc}hD+TEJ4j$ak3Km}_U=bv`R?A!+IQ)OjPTZ5`3U?UigHze&R z=>Y`P7}M;q>@O?aX@>(UpSaBv0X2Snwk;ydl{S#%U1?j(_lBgcX2r)9Pg`N>IZ69l zdS}wU^fEt4yHto3t@xJ!M#Wa`Jt;z|C&xof@j=A)QKT0uZLfB2qYO*0*0N99m5*p$OYTox z$CR%p{Tt~COaDfC!@8qfY5z$6lVMp;8P+)`=>zG?9}ICg=+N7i4{lxSwy!L059j^m zDfc6G=?R^lxL(P87P4&zDQkU6wnIFl4AzxSh-FMK<3nk-tVM?|N87uZ$25oSt}7qh zaM00E<0)eMgK|c}aL7MH>87~tv&jCC{-DWeq|X>*TFc%v({z?I-q{A}19tJ1^xb5+ zQosB7tEeLB+DN*N*x^ntUxvfndorx^SX-^y*KPZSvYb|Rc8Yv2t_C(uo!mRB>AJT= zn-g8NNZ5yFEDA>a(QbZU%B!om#%Rop3F{rH1?|f&-FFfR4(cm%C0` zv*zYCYu5;omwoe^n{Qe(ZsbUh$FpI>hLJ)P6|HGpvr*)VNfXN(7p)Pe(&o{|MxN%L zv}WTPn!j7txvaCZGdK6tRk2uiES9uyw3<(mUBG)qY0mfJUsVb1Get!-Ut4@pbA!8q zaBV}4ka#ZRD>;7te_}`5v14v=>GrJ}zP$3)L*K7mTP51o4&UB$ZW{Xe)7Dps z)7K~8-<9(G*qeu^SLb(!=c}?ihkyROyOQr;pK`zL$HPB=#=lk#J8p}AIduEip5YeX z1c+y|Y~GI{y#B&05ql;P_pM)LiML!?;>CYY#I-%2C6*!G^-m|_-hK&Tq$ zGXRqS;{myVw_nT>uL6Dv7y$eja2sGfAOg4sPzR_4Tm~2q7y)<-^?DJoAFvZ}8{ihe z8bAzi4WJHC3OEli3h*B2@j74-um|u1z*fL|Ko_9%c}au$zsVA1fPBDtfIL7B;Kf1E z3HT1+&jD@#!~vavg@77>ANOxYUl@R8fEqv}zy&A-wwP#t_Q3}y|)1F2J8X61UL>D^-7jF8&CwO1T+F3LOaUZ7j5hIk9r4AF+={d*s61wK&284JwN1Y1L9E@~?G--p0ALlfOG%Y43jO6$A`6R(6 z`EI{zm_{dSMv#{3=5Gw5>0*|%t^Dfw7Zl~^a_4kp*P9_DIH$+ZTB3`BeyzIG8y5rF zO`6v)PcPi#XpKBXK!`t$sHH;_saG_AZNwMX!d&w=obff99e)S4exVlE`3!(xjF_)^ 
zWAd1WCppZWCN3Y5uq-K7h#MqzImR6b&|xt>^l|Vgc#)} z`ylD8gWDCQWl#J@)C6^3Y6mrp41w808X49boTpCUdYihoQzP!0EP0H9vgZ*~K&7kW z@92;>S&_K7!qe2?shd*5!$nLQLFZ9oWUVlwu|;$?33HB$KrVbg$(~u0wNmy*C23ro8_qW9%m;jo@xp5%PFeA%29Mdt#vY zN;4RzQy>j(6^)%=$oM9W&n;B(VnD{uW9AV*kykYun#Zgq?zduC0a4V$GRCti7L6O6 z<}n#l8@6M9rqVzT0ts=Sm5aLmS9vW-FyE_piv2Q%!ZlvQD~v2;2U!x0IEQ<6D9Ff)`8P3px3_+rg<8Gog9Dcra#=-ubDM%Mv$gyx{8j zPM%D;_eI6WinI6t=PxA3DGhnOB?Xlj*A?%)ENaXcc$JQ^p+?csDtA(CJm8(6rq@Q$ z6r_6roD$bMf;tonOUCA?83)I#qmiE)OZpA*)HRkA-DszCoP?=_Z!`$r6Y zaONW6u36}AthHp*DZ*hSv_#$UjxIVGXuhY;61}erFa{~4C?7No{sCh+uFuMH9zOV~ zR9l24+Q&y)s<|a<>uYh3v{6{{OFi}`%0iwg#~BGRJ-bfxc4=wxpC#Slu#A3^bgqyP zKTp&Bbh7H%Tw^PZ$gb6E_|Q?Z?lhfPHV1L``9E_tIy+6X?){QAev>Bk|II0OmRpR< zR%h_A7Kbp9TE$)6D8w|P&H_(8h2#8WBTL4olr%|g;L|y+kxp)#-?Pf6#V8W0o5(J{ zOKl(W_HRcFc{&snMRP0|;iG=U&vRPr6Q}l3*gk1$KV8{pP3@&CHgkN^8U=%yF{=C` z@pVT(Qp?8YG#R1RNH-Ly_(ZzZ38(X}Y?g(MTAW9E1YAnBLA`gU+n(sM9xjuQQKFNO z+&bIF2#M#}W=dGv@|YtXJm+QYm+4kewt%k4z9t(a+i^w`u0NN(z%*i}!F*xIKEplV z%xC>|k}Kxqv(mU@r2QhqUwE;#ELi zt$ep&Jn*=6Zczyc0X72;u9N%tKTz{M*015Ust0~_*26UepQzz$!dcGgnY?rwjZp9Z z4fPwL;Ge&L{{H)ac|-ox`}{-x{#TJ<==Zth{h{AC{wII@ujY^c9gLARA}4p_f4If= zY$2B2)N|7XD*n!wCBFT;60iOCARXx_s%}`rcn8w&{?7B?8LBha{zKv_g@1CA>D>zd z6zQM5FJ+7{LEAOQx;9&3diQR;JXeU{k2*!2<8!Jy+b37y(-a=1?u~ZbJ5xPNc&y4dPsP!@O=l<= z!E@s>eyX~5tLtiY-Kd^vQt{0SFH-q0QDuize3(yM5xkG*Tp`aOKTWlR(yvii#-)f4$0w-X)~>8^5KlZ&&r%uFAVh#ow>$_k_CtoVq{$R7neqW?8CDTW@uX+W^}D z+W|WO_Wi{i)Hh>=x1FQn92W$px0c-_q2kiWk+qTj6Abb$;4B$n;tAIZM-U7T&_1J>4 z0r`L`KnuVRSOr)E*a+AR*b3MN*a5f~uoEx<*bg`aI1D%fcps4aWtn~)unUk6s01_u zmH`aFM!;rD2e=3D41nJK-}pE8u=b_(JNG^Jf7x|b2AlTy-xK%q?nFKBMnBzy_N3&K zx?f`44!51B$dK>J#t(J>!=@kV{{PD#$+0m9tHjBG^SA3e7+(OQv*pjM8THZYL48c` zxxNLwC2!6N;YRhF{}1p3u7`p`#WQE@aHsi3|C@d%I*(~Y$}d~}tmj=LzjRin{YKW$ z+$w~=HEjpejil(Z-v8i(sY+fGmwb>d^}|}^F1V{G>-axbKS} zyYmOz&id_l=AN#7YK*z|X0z+S{QAXnUcKu}(<`R#{P7=~>+kyA(wRSBTG9WlTd(?H z>7B=JcMY_B_m*kir~cl5RsZ1$OZ(n^q2ul^AOGvbhws?G^w(=5bqBujRoCZ6G%edR zfnNxG{NUpUfinQmWQAH{p?5n{`V)m>p$Lo 
z@Lyh?J-P1c-_-AUXv>#hJ23m!J>UKkr9RZkc`YMSEY_ z^|Oj%Z~yAq-qt0%Z}?I3^=CYA?d<2?oV@9jhi={Q$-mXizIgU`k52#Y#Mf`!aoOzN zdv1Sqm;d^?hko5U%Xi%=2QO;rUiZNl*UtRndo#{j?VC_tJaA9t1$|GI-!$*5JH_9h zt9Wta;@oq7bmX@;-+;3AL{ll$9=M{=pL~CVXK@&h~+q9_jttk-g`A>-QV4 zTJ*)rha1;jIKJTut^M!ozVO3Sw)B4d)qZm5xu31S;J=$NHLS7X-}0lYg#<@%f=z%w`GW@^N)6>OIeQJKSVs8BXVp? zj(THPNywrc=@eM|xJq+GZzd+mrnkNq!Y;p--+*f3_e5!5>b2^-aq>N^2Xp@P4=Qh* z(qI;zt+L6%UuyQtM$i+@>TBb4+V5O-s;~8BGa)KDO_BPND&clMuV4nO^DJ20@+@FF zBe;jZPa9TyyodURH~r?qYss?9s^Pa33T_Nl=v+Y#^KFBbYTeq(JCx5>&U`MbLG zqut2lvCRiHvXZ_!PjyMucDQore8{N!f=U-WmMs1%ul$O6HJ|_9!!_?vyQkjx1fBYOED6^D+#c$2A%loM zbD|lK%+P(ETG*=>goD0#RF4LX0$(&d!>fl2yNV~e!rn+Qpy}48C0QD>a=9vvxT*7& zc$M3QC&+Eeh5Q_z)YV$Lx<*V~TWO*c&7as}Vc&G#_N>CAwD?%3b!j12i2l!<=+$c@ zUC|X-hw#gRVaFKC(P>50pvQvvb zS#)txZPE9N_7xQrPc8mq@n4HamW(RNEBRE(xg}SYTvZY-*;KNl6kL6w6V0c^s3Tjr5&YrmF_BiwDfnSXHA_jb?Q{#)U{K;I(6IBho=5%>S<+H zmbH}y%5E(CQrSIagJqwbRx|A@)9#w~iSmi%`Q`J=>&t`Xk@C-#f1&*G@}uQ{Eq}NC zlIca$%cd`ze#`V*r$06QwdwO`oL+HO#k7jcE7~f272yiKVq?WOEAFnix8mm&PgNYP z7+3k}$_pzeRZgxft*oi6uWYJZTzPG!ztX7et-PsnW91hrw^VMg{C?$+D|c2tT)C(6 z*~%9xU$2}qvu@_HnZcPi&AfBwPiH<4B)Hd`9mgFq9Diix)sZT_?c(^gH}GVOLy?D1)DO`BR?Sw6SC zx%{E>x62!*cTL|o{Rh*R&*-0V>x`W<_RM%;#^8+CX8du+f6TbDVrj+KDqgA}x>Quo zsf<-VS?Qj6<;?I*11;V*bJxt>GxyDWV&>B`KRK%qEuJ)c$?Uzj{CM%ok_Sp&Dk+=tl_~d5$toRP zT2NYB8Z6yXx~=r7(!Z9TKXv=myQltkYH8V=vMb7#lq~}vT!%KkS=Kb||FHKb@Kk-@ z|2Tf{bs0bONOiAX#O;V{;3Q-}VQb>b}C?!dy6e~R z>bK98Uh-~E7{=dGT$KziQ<(zxZ+H0@9)^k1AK4Cpr5hSP1Lj025JZOG4%^|I&BsWrkT)^X`5*K zX@_XlwD+`Onh0H*K9f$Ro6_gfed&et68d#|EBy)Zkhk=Y^sjUth5$o~A;(YzHqm1c z8O982#$1LMV+mt9BaX2L_(v_{5<`z^z_etpVs2wr0I#TL-evN!#91uX99BGQJ*$b; z!urB;VY{)@*}K`d*}d!$vg8SDCI%@$G~g9>z-|j6FW?*DP&9NBIt#sm-a`Y>FeC~~ z!!+0t_JRZ9)5hl75eTbWhM~K&mkBCn}l=cz75_w3XBsr2c2}hbkT1`4e zIz_4>T_ClQI!U}_39<%x78xRw$PBU(IfNWRP6biiLN=w^P@SnB)I{n<>Q(9^>MLq5 z6-5)FNzxQ)GieN(JM9ZihOSE2r8DWqbSDtI>*?EpXBN;e(VOV)^!xN-x(&mT;mb&3 z>|>l}TxJL|WthsqGnwoa>}>V{_Q=HQAhI?JUIC}V+u>|D7cPK{;T!M(JOv<>3Qhy3 
z1?&dl2sjFkgG<4s;?i*GxKB7m83e-6;eB?izGm%lFdLgt{~@<-6$N& zCQ2y5Rz6-qQCHx-#3iIPca8kfBGjSx~P0lzE+%{Y$ zZV#>icMw;GI|+R1BCZM7g1d|B1epE~H-y9D1@Yqesd#lf2~Wo-;@9D~;~RlL850}{ zi-9lgAiN|D5wwXA@iK8Asfu)obd~gw^a7w1jm#!nlGl(^$Xm!e$U|g(iX?R|)s4EC zDn;|BsnO@r1sQf=eD^R=%&E*-Oef|-=3;=miOe+SE@lz493YVl%Z%m4y1{l)^$Uae&M9N0WR!SkI zoYF#R2l;1^qCh26nN)MCJ2jM=Ox;4wrtSy6{go;U5XX`hOj|=+Puot*q8*@>(@xUr zY0b1&+EZE&KwW;iBwdbS&J|0N(3tYpS86PPK?P0a1gY>*T7GmijYJq5<2p4r5_#k|9O!0cweX1-^B zVxm}LEJfBV77UQkoaN8j$|_(TV|`!=v!}3OHigY%TeBV5OW0BDB=$!3HuhomN%m9r zARDRrkUa^_p?c^FbRYT*iNjOi^YA6$v5#RL93Dr<9Rfai3V38AP69sz;M!t*9{vRW zI{r4ul&`rFs!hNXsDyPU^DHZYDewb}aYdF+Mk71W= z2FR=p`amaI5+jL4#0$hO;Js*&D>DEWXd^8kUnAR6QYkwq6_gp&_f%Do`x1Z$`q7sI z@5-bv0NxS8jAHt*j<8O$9pdO>u(LT}m z01tDfF9xm00lz*$KTEHp_t1qHvWyuZtI`=u8DYRnPXcdz#~5ZPG4+ApIWm2jk<9hL z%MOE_dV~3x*$-lVCSY50SZ*w2vq@y1y!WsRt_@d@rxT(8)(8`~0q$^>{E@6o(WT%i zAruaEEA<%2Ggqi>)Nbk<>M)guCQX}4Q>JOsbZK}Ron}Zg2MFv+^PnxEh0-{*U9?;f zrKPk}fE)4CmFX0EGCh@k6-3`dx)zA14UFr|SIiF9FiV#m!9IszZu7`}wH{~&z?&lY z0`St^xFXznz~9vHFy0;?h`)iqkDo^f0b25qg#eF91h|(CvO)>jp2DCSQOy8nnM<8V zT?q1`FExM~Obw?-QCCwrfUO~%b|S9f0r?C-& ziA<~>g-%0@aeX)xK)0Rve2~4E1Si5~f-EtDl0q4#qZnAgXhawi3>k(zU^OZLJG79E z1A9^2eei_g#c(0)fmb1DQSsCj0LKnc=Yb5I3NmmuJs0HQV!)pV=u>`NtHXc*ho*2@ zb1EYZ@a9hpUZx6Dlc~dm0EWzC#sj>r1njYvd4bsgP@);&#B`v)7E1^8VLuzGQjvKh zXPg-UOH?B2fVf->JQ^i2a(+5A59f&s#pQ!&Z$=7R6*TwWX91`$N&pTV1JQB;*8s8; zIGKj#*1h&PC!8zJ4P57ga|0PS5ZE)0ngnc_PR*efP)mSUR8cQbo2a({KYT)cP3;4| zfdwoCnRr5T_cGPtBA^N2{7y_arVld^@ZdOR5;K*V&dgyJFiV)nK(8)vaj%2<1fX6Y zbC`)`iLhi?$oS~62rLH6gk{Zg0v_wb3S@<|;#f(nR8~4G2Vh|dK*K851;7t)u{u~! 
zSg%=qz^kxq5w;9lk*xvpJAusr`Q4iB1h}IQJCGgDjssYk3V37=yMSE+Vz!EXf!)Nu z#qMA~VZUbgArXv1m7!5jFenrj5`knOMNp^dKm@?eO+apRg4`euM zP>Ga4$Dk_c0@MWEf;yllfVuYp=81(xU>R5u)_`?j0?YtB-Wp_7H`oU-(Qr5pP6Es- z9iT!1Tmm11tAO7(0fgv)pTMu-K6n_$0!ASN7=;GlSp*ydXM(c^qv8feBoI_LakwPF zxzcetfMJw?F{}b(*o3A z6p{hSf@BZat0&2y6iSLBC6H1`X{1b2E~%JQ26${Ose#lCnCv4^TlSI$Nhq=aVD<83 z6|xrK^%SxJs5R}$u4GTLKftsoaspsbawOlmH*m|8}yq}GD!ubJ8o zYK-Tg#ux-uh5${1CQnnLY0)4Wg=PTQw>`jqPry1uX;C0YrqI%8nIHoc)5<_~TuW;J zOsySM$j@oLv_Tq*E8^B7WJ}rF5mbr;k^CIg#ujXUb_%0xs2S>oBwz@{mn(>@1i)6S;9B?*h#wTFQVals zC4j1~7WW851b1uHUNkBRnM#JRkN}8q2_RD*M7auxb1e|*5QudOh;{=I?-n59?Lo}D zf~fZdaqrJ7{Gcaz<$=if=a~ylHtIXalo2Mz@DkVqUpejkaC#JA83};rl+dd{z1RVmm&lJ?XTk_%h5{Uq0!W?! zusj8zc^crc1FIJT9J#lNfb=TZ9b2(Eu5C>Za zad-~p@?g*yj5HFWSqCpB?oG{KwSlW)79{#ZF*GkwA(E>R&pa%jG-jS7EDcE_2LjSU zE?z7A1A>=?hXlhCkQj23Uz*>+*C!|>*aw~tDI#Ztq^H=7PB^O=hlGWOgmIUB!K#ol z@;Q&R{2!kq>pgTG!@Yt+RqTxoq3Lp>FbTrrA()DTag+t%kPMN2972f|{}atbAz|cm zVQH+5oxKCB3C$QeoE~f(5bEz6refk~s$%MBOQTZEOmvM&u&J&oi2%bhAoY#4~z2g0<*{GAP81Mx@E%D=9EbiTK#aZ`l4+iG5p2{cnH>j!h+gC?iT|9rN zTq)c2^ldTx{jb|shoCyv;Gp?z+2k|wwI#&S#53-+YtGvBmVG8t^h>Vp=X+(3F~FnI`#5MpU=dzO37Aw#3@eM3iD;D? 
zJk9IeTYl;2`5|wW+5RW7l3X8BQpd_evI#Qkguy!wW}!lF3_eGEu9#g`N30NsoRBXl zV{ITS$THVF*EHGKKRi5?rmycE7O3~*R*0T=NRWQ$vH;|)erQ;T&r0v`75YDh5gA49 zAOf${17Cq$`2;`=^78Vd(O7F}4rDQU3}KQP-y4XGjGU+e->^v}heOhczB8~QkkF_| z9)WQI$%A-_>{ZV?-HyzMkl>q50_G*J2LmjbJ?7t%a)_xX+mCJyIMi9NFsf;*)yb)^ zzOe|trJw4`J1yYlv+mwd{x&Q2&Wo5ZK~sK@j-cL-2$x9gBgL?6& zD*E8G8#P9sWUKE-`0r+j9|$<`w2ie`<3$uEr}blT%geW4K4+P9m%qzc_3`YUyqxgk zMzFtFppCcei!H~VeYEL#!T9z(wD@vp!mW7HN&}i`{!zQoeaa54shRx+E0(!7JTAJI zsn59nfFhxJrL^U_z}Ra5W4Hc*F|?3Q^pUpc*!?BQt!uQWRpMZrrq&gDx3S&R_ z@l|mQSP~4R{s1x}M1lw~8DZ0FCTHf;xXhgXXJ)?kIKs@Arj2Fh4U@}K?K(3ssbZYNI=R#2*v#wF9phx;~-L$JSUVQ&uV8PQz0lQbbS9t-vZ13i~gBRl~}`8 zdw$`F3ExUVovoK(WNI4v)9uA(Xi0{})O5``3AX z@%6to=FO%4g19S$(%joKHrwAaLrQ zS`Qni^-pZ<+c#a!^D2y#-lbUdMl^h&$T|AC)_~*9@)++&{plGeU*9nw3}k+oky245 zbP-#$Ic}{*grb+(!KoKw7H>Rvo_O%HYsf`!;q8`C;WPyKYQc$<~P?i`!mx%o*4 zpX3xVTle({$y*eEDz`1n6tk-7mHB{bD6?o?_?6POUQ(C$v@ym`4YhN|;Z?-oB>zJy z@)WJFiun@dg`-K<6IjG;qNKw!CiAZUDg?irdG%S)rL9{}rKjf0dyxsyT;yX(EXaKY zW{}DF@c|?aIpmd|g@=h$;%rdmk*RnhqzjY$ymSfPBuIBLX|bO!)d#m2_V$5@R0`pz zWPU~RdE?DvvaaaMWIepB>?!MALduZyNHVvBKswI_={(u=KT75RmjNmRK=yzrx_DR@ z2f+|Goi7-Z&TT;vI%iBeXZ^i&{tMaR6Xovx#g1Da($QbN-1!!~^6M38AGnj$f|@HP zaiiddoK|-#o-(`LxSnU@%2)VpeFwUhe8Jo+RI)WTb)RPW_>rA#@9HhRDUywx!v&xB zAMohU@N9^^P!pFO@J5+)?%mbRQC5rl+e8)H9Hm-!I`j~$r*6(Q*q$d;s4JUu-Yi_; z)xEyjqprZ#N z{gLd2Q!iH#pS$#QzLKqzzrpr^|60K>ymks4^sNx>iE0_#GvM{q&o4_t5v2?5{$1}eahyO)EC z;mUA-?k+pr#0)_cJdDG^R6GuV8SeWb4mtccIm2He*wL{0Zc`zj8l_#HDk?@<5srbZ zX{{kmSKhr`_BBIR;?YA|_!@|5nA7PM8&eN*T2NZYExl# zwAJ!#bN;(uW<1=zGUfWg6(;d*iT6HKzb6%3b~EiLJd zu-w)NkLi)7Yt~X^n^!F4J-x(XQ{mA7{kv0zzitcH?uyWNx-SFGAH2C~@s}%?JGKye}fJGKS;s`QGqtV~6 zyburgZwz`(h$IMDDT!mTzyp&ZDL%pP74;M}mX|9SlyX1LVGt=_ZosxJGdJw$%=Dxe z!y)?_RqeXa)E{4x!C*zE3!xlQD^ZJ)eg1#KGO-elr-8F(#?u+n!?QYt9CyrrQUKYH zV3{Rk4w>c}=Ncxn|2~%e_&5x>HUdFh6muGbViphp=xBw&n3r2ZMdFlf|# zDl2}bS?Q|~gL2&QrLV;FgNrQ(UU{s1V@=m>Gd?W*^~wufc%OPxoPB13s(T4j-}-cZ zv2)Jj&@+|C2BVK#h7GV@8pbzvipT|ADa=vP{UmIE!TGB0<2g60Lc5Da^LYxLA60I! 
za(TbQDCgaWp0|&al?jYW=Uu&y>T72ea1^(9rSmJj@3I|C&1-xvUAWb@VcN|tVLN6m z56V^;RP1$ZUDBlX%}wcQermPm(P(dHll-|?hhFS+b-tgCF*VWm=(~I576%tRT(Cp> z$*X|w1Nk~<8)i$0`EJg-*Ps7MYNntsCH-BD@|-g_I-Q?4N9~k%yG)ezxW8S=aw-QqnQ117M3stXWUJ`t}RxH&nNKD$68K-TL6L#Z6VB@*hq5E96xvWaxlsnCW zXTiYreM^MG3rTNu_2n9#g^{KDLdqFSI71FcH{oS{r;Ba4FY&;qFXWoptroc#(HF4C zT0ZMMRNkKVH+xyVxEfy7n64d$ngMm&x9qsQsXbfuh^SjmZ~l>F|1}~@b?kbLn@N5_-{Mym|~ee&1l<^ zOgCueUDUGYvDL5F^NSCNVKaNzHz{AiYpmP-zHf=5&TwpZiqgw&+kJWG)Eyf)eKNf+ z*u1E;xy%TgKeRt^`;s=T4l~EH$#(M`M4s^Id|sNC1_iJCFdy3eX?1Hx z#dFn+)q^*sKM0(3401STnzq*hHOJgfQd8TnIO9nRU*eqnp`;>7a~VO--lRA4qQ0Vc zDcK9GMM*$rZ%#f?H#>7d*J*F*^e96(vMKu^ea-efFU)Zz(emMe?4#&wYF19)hIs4F zs|b&x_aR`BqRG&E!bzQ<&|6|GdV@14C^2&cd=t~4#7z^!Z=QF7*Z^oH2KE2eG!(G4M8<|XHy#tx{TIg$N8Y;@J=X?Zt{1+1VUURQp=)Pj zw^ZuglFCmFT3qRZxnip#ZJ%{N#-PjPOsVTG#ZD!3a><#f_ZypE)6s9c&TbLnZP;Yd z)$2IrzTKg1Pr5fPy`6CGS^9fE{k1$Vw$9Q}3;q0Y_(@cjp6CF7S7?>I?e5LXgu-@I z=23H&=w6&F_HwZsTQ+l}3cHJ60XNhH&xwGUv%`cNUWPKitre1fcwWeBb8lOv+$-CS z@fV4+7wxNgRkcdkDE5|PnCe@o@l2Gj+d{OQkc`;PyE2*mj8lHD6}tM}Lu-?p<~l#$ z9hx3kLbbm2F}miUe9U6)p8RZW0$-%U;>*nGLCTz7;Y&Jat{Yc89eTa$_~U}&aAKwH z#pUW!Gb4l<4ynr*m>J7dRaBJOENR$l^erJ;HDS*b$nUw4)FOq3J!-1W#xG{SIMZj* zq;snsmtZ|}mW77Lf|t%c`yXWOZlr}&Cu)ZCNxqFxt;yz`({wsfzLdE>FT(3saGv!3 znuF%OQXyY9-~x|+eK@xvRsFJG^=_qgQa%`_Zt46jl}}Wk9xrS3J{IM~d&^MIz9hY@ zFzQf6?#`78cebsQUa6*!D;5aOU6?wfCbuW4QML8ebi2#D-da8yK>LQQ7hcs6(C{qy zWl_d8So@pU#f5I|Hq-LjKk4sb>&=s0c3FDg7nq}!0dcgpW6)>_gxkNzmnWVA{Nsj5 zZejsK*S`C&AP+1u_QncO;Ey9=SPUBb=@f(vj$Vj`0Vt&j1z636-4lo3C+Ai#{Zdgj zFjxly?~hAFU=l>gl}eBpzse$SdV=DZpj;8Xg1fg=uvg#;Bra9PB@HYGjf$j(CAU}H zNqEK3=m?MB{_t5}Rbr@aVT=Ms&DO&+d1mkxp&^w@21!Nc9saCelZT_7@>z^=$eX>4 zYx)PAKF!I{w%L8F^p)ko_O#MxIwq}Z=KXDK4=eT5qc3JFT3rgv#|w6yBG;^JW zbhYf|M$MX|8n-1Pj-OLKR4g5nu!2>5aq;no(K)cS=JoC!d-g28edhx|%SO&=K=}DL z%R7%8#iH!iHGkOBcs?{qwUB1%!t}d;gK@V^seMVBMR%{*J>ThhQRmeiWr8Aarql&! 
zi{@3qq#MVI@fxeAxb4xf*}Qvy<+X(+sj&}Eok~htS=?f|5yo^R5bGK|c_GE!d7PO9 zh=bAiV+{CU4rU5CCCT-=&Hq}KpZM8~(WBBCojGP$PmtFF!{3u%^ z18SDHZ0L~7P_;kmBy_n>%SDpjlDE9RGH^-6+346|A#I7<$$Q>*?{t3huDa{yd&pi` zjc=Aii`~jOg8L%^>$_5=?|-~@$uYbB?d>-6EMvtW5nv1d$5&jQ1(*{D47&B%SbujSge+& z51*Pu2r<%l)0Wi66+VZLF3VZ>SnJ-N$Cr5H`n(IS2edp}C?6sm7&2F5Z(l>tHC{p9 zBe~TxA1>{wS#s@;ZK!D8n}u|;Am{9=sYhk5qRw^NS>0*1gE$%je}o|x4Rh27A&z?A zPj_0?pMq1J$emVk#Dt#77HD4{ECz%dv?ao1v17HdT>Kf3$)+SHdr zdb=wmlJ(L!o?CXel*BJ;8BmNHrsQ%&w*l%b0jTrfn7gk&=1J+v_Y9{}xc=iac2tFd zN~`}T&aDN_9C2>tUqh-24uav4dlxW-qu>CoCXhyM!ooie|BuY~Zr8ip{*0A*XPUT= zhfT4ojSPJtCTW-<3DbJkpP!>^SZLvXUusX!AwMm`?Nzhp#ai2JcwhVOXp6&?jVCGu zDmU5--;e*iR4}(=3HHLfhgB=(RSeEX>0~+If7`EjpJg<(Kp8rMmf29oIX*YHE6Dfj zfV|KqD9DCZbnyd8_pOIc?lx4pqIK7mfo~c!;@h^=-p>fWc2w@fB}J1WjmFi9&z`}j zWbe4MZuq}Fd)1;jS?5THnCiLO4Rvp)ZJ#gwv7Vj~CZFQ?`A`kS%8jgcNU4cwe_poz zaNe}kTdVg=*h`%4Y*6(1v`+8y1#>^y+N4-gsmJNHCV?1n-A83&)ACs}M)`I;ut@C4 z*DZ4sxE=-N7D7eFZR_Xc~iUzWFqWMSWNn9zQiKf=czq!3+JF5nXGm^sJL+@X2-8@ z?#5ttO*5qqakJVPAx#f=r-@^ieOmVcF@ zi`2EePpD+fc;R`pciyQE;v8PxSHVlXtB7Z-G=^&LcVFn?QL~rfJ>InU*kvvB$Au?q z1PFwp!*sRJk#Z+zC0Q+_JB1ZK_X;*j+mc!nU8UH4aHrzlDI}ON-PJ=wkWnDGSQ#(e z`lWft6}!`S@u$)TQgg*R{dN>*4Pn#GSKdCIVX{Z)nIA9u8L_|P`j!mekk=nBI>!0# zTdBImP51P6qYo|z_DSYxTFtFIX|fdh7Ctll!uqb53oZf$oJXM>JES$OcwLTdQ2&As z%XEgs_m-fuOHH*jW~=mkDt58iJE7H2v7NJ$WVT=4ck}t|$1}E;iCfy7I_M(y_T!brCtaD?i=tgp-x{{; znz9f(oNuvb=$#eu^6kVY%QhQ`t`S0AULAMR;$TqsrGpJ*6Q5jYS~Y}nTasr#TOjW~ zrBBqcgA-=I<4wma>ByD4f~C-I37PTIDs7f`1D4?CK7O z{D;ent_2+RDw6Avc?m%r{uqeEyLfauMJ(;+$Xf34sUR`se*(2Q2pYjw?Y~ph{*e`6 zhzx-=K%|aLypXtuFoYcb>sgC~`Ex$NAo&0T@&SmsL%pBEBoy@yw+A2ONZ1fgzdzxs zy4PshtYt42*dMIqqbOi4Psi7ZOutWFRxi~q+)Fv1#aGrqy^WTEjat@=M*FN=o$jd- zSh~kD=Y{{Gn-8-cj|%D3mEJip`$&vnY1_{Ejh+g;FZ?2&;~Zv6>31Izu)khma?-v1 zf*#MxL;fGG1bv{n<;nJ$oqj~|DGBx=M(xk_7T0Yt*gp990l(;Nx9CDk?QYStxzdqm z)0sV=AJ1MOp={%_6ft31{H`Fgt~h4*>-^Pi;A zb&ud(FP>z5#kExMFw2jYZlkQexjR9p-`07nDse^~HP|QK@pO*(;i>9LSNcx#BySq< z=xuhWNljl@RjV34!$V%{M3bf#Wkx1-4(WPa`L-j9>O}|qUVAAo?bNc|?UB+o!@Wh- 
zisf+OxC>i@r}sw8LjBw7k3-$X=bA-U45B)#N-!Lcd$m(4s;AwWXVp#36Mvy@StVa- z5@-74TwPeqqp)s`hc#wd7kkbty4+i{>9vg|RCH+b!`BPO_#!6+419cg#Z9lKa|_@ujKDRK|?*!Jx#t1`qd4_{0$h4e=P zoG=+pGV%Y@+|-{Yw#KHpFkKo3PBT6w!)x35vgi_gLw!8~S}>C4Kqi9ha&2<0k}dzE zTbv+nLDYg^{gH`0AiM_-$4z#N#w0rj$R4sClkANC-c->f^24FTy@>KE*u)GdF&#?W z`ol}Skrg}06?MW$1`Uie%#VMfKMe~@0aKP`OCroJmP zF=n&QZ;&`saDZ1N`;Gr6f4v>Kv)HqixmtQF3kC!)$lUp4O<(Pn4`#C;4AYydi9NwH zjyx^ZeA9gYgIH;nRz{|c7*qJY!1`9@I-Go0??v5f3-=teqzcswov%N9Mh^Gd#eD~G4J1kDFQ}QNdBtN|SVeq|d-Y(6~tA!cOZ{58OA1~z3S;yjwst1SqaL`DD8{o z*@bM=$mzuToB8>BV`9`kS?o|g^x0fJp?}X{&9akL8C|bdMk&00NzRIvxBAvvq3*x( zS?Q&*`zt_X|2)a?1+Uz2^Pz~MDIOU9Tc?mvcn2#(HQ%yFlWkbh%@B|cP?Sazn!># zSrU$^G;Vv7;hi^H(91X)i(WbCo}N9caet|> zt@Wzqc6>2!mY&(A49b6dDvrY>CsJ`Zeuah^$N2Pho)s^IZ8&sni6XJeM?Cdv+c zT$AGJlWm+2{Bx(n=Wjgf?jgX$3z}acrXh@eHSdbgoP9w{6`EtjyykTmcP+`HIN&7| z+&?$>tl>NF-;5q~QM~g7-J8deo&#~D&3>4dhX)OFq)Ff$?xz_HX?1W)8H48e^9%+D z&Eyjv9Zm@}HkX6e0k+iwA7}tC`7SzXz7P+3f+>s}qNVd6;j^Zd#IW<`7tJoZ8rgPS zEZ1+VcTZzg%+Aog7(SPPfs^60tf&*Ist?3%S}90ka*%>e>~gB z$kbRD4;dTk;!KQ8|K{V_xg4>p5QlF$#KF!VCFFvMvqpCN`+t^@L*JidL1t!PJc)=r zmWLyb91@U2DDHov=}bstL{p_-&5@31_gB+12b4ssA|*G_R9+8DXY_xH4@h4Y?j&)$ zPzc3Y`}s|rzm<;1#k!|n=Oa$C{AMrgo#Lp8g_RAbDeO?XCMdl*&I_7f4w;C*^Gr!{ zG8SpGsiX*07~S7q(z*h2naSB_D%$+A-#qbZjfN-A)zj>~t9ddmX?nQVlC2(zPUY9P zTW>peVZZwgFX>>ddWE6ngfkDlhRx1tDrqc{3R6(sP-^9~-hOep`4lY^(FY}uEz4>_c61C;NH8od|OYX2oRq~DVDv+y2|L* zH#uF@*WpuLfIg=pxIOCXa8>PP6Zb{3IcQ!xHJed7`V3g4Yf?IT+neUL0Z#j192;jg z?IPZP!P=mCzlV1hkwuI-Y)@ZUah_k%7XR1wmJNV+)u?|S0y z7qS5j&E?Wiq?;h2CvJlhxBSFJ6CvgpCJO(uHG3<|5gKZ2@2KzN>*uvHF#K=uQ2U>F zsN>(|q5RKM=8AUJKgwh$F6UwH-j}BuQt@hkQ$Kw6I&as3ub*6kra~3xFZx|x`mn#d zH>&zl@tzrvhpOHzb8-=wJ(pu5_4$-zYEz%5)P{&A0|UeC4mY`PZbOUYh?yGBR^dHH z5)Gv_@%8cV$*UHy72jt?&)MpLDy4|a_3K9``rbKkeA$yr*FHAJphB!56Ad-S^*20) zJGac&t~&7r+ZnnSH%If!yi)zIC!TJ`pIPj&>z<3ji+9(u{L)gtEnOUc|Kc3stuwo* zucyvg?!7x!HK;CUUq0hg{HmQx)1vkV-R#U6QW~bTr}xzt3hhiTsNSP+1Z%XW@_0hF z8b#&!jHf=Y2l{GOd(WRC9-~KfiO64mkZ*(ddfC%nMUq!`wTqeWO1Rj3wWzsg)tcT; 
z`f|aC?%|ng0$z8^?5BrRzw1Oj?1uRZw$lcD&7+30e%ZgdIf-dkZQ}^YjM|eFc?fzPQCr#CX zh7#MmT9xGo?(IBUWR!pT`cy-kN6AC8cI}h&gIdmn( z;&g%2cS-kJJhnUtPqCB&3Fj`v;Wmt=jtrRCg4sFzXjP zrd6qw=2zJdD%k5oT0v6N9uLrnH`FdSEyLciofecYPin;0ZmWH5>58lSavkEDKUnPx^*P(wX~GtZL(g-c`JJv~x8&~*Iav&(#T z3+iL}Pp|r#*4Va5QAW%7#A7AF(L^;3SVRt4x$tP_r0Y+Vx$95J<5p(mJ&!&IBkND} z0>`eUU~5jg%0q>_%A;#SS@LL9{M5-;dHiY>#6kYFlUtgd7pv?qg{bzNz1&qE5bCE@ z9vgsWbATY^XZ-pML5AE$L^G3$>LM@fn$nO^ zaqrpH-uN@?oRIYyxyYBHzqdYP3~dl$ztl8avCsSQqVAik4{d$8z_%yn=j=ZbulO&s zKZq|7UC1->BN>{k3&FoD`~O1r_}eXi^&FG%_eb)hay~koU<+TroOiwE`tX%AK1|gk z6l*O%Tx4|h5!GPl2X%Z3Us@WS@g3KTc(Tr{EpHTzy$Q!n@jE%S?<-Sa(bV%^^(sbY z4`lb~-f7(aZq=fhmAkI1G%w%Ku-|I`%tHjN<-X-+M^&x)Ns?$3&99(_{4_mwsKi3c z$3Z@}!@Tg^watNf7qk6W$&{xRJUFEPIOCverC4@dTI8jkVcfg4)p6MmG#&Z|nipK2 z-6?V5sn}Vb=9qh>I?3W$LAMew4E7nWPK=U}x_)NWfuZ!G3K8qHewEKR(DA#hXL@f^ zRla+!deyqn$BgXb;#IA^l1tC`_$82*gv)nh94hwMq&?D0wV!*bGV=OJ6&o+)MUg7T$Qz8uJpqE@Mcq@HEf1;5 zi~lIkNkj?+E%rlTA$>tDAADGpsNB49!!! zU}ztb`gCb<8&Qa`Z~?w_|EUk#KQ-MgJ+63ZWnUZFF_da9wMIT7K<80b^(Ro9?gJuv9bVnxs6KV789>bcYxvl(G!-gL#kzS9g z-^11VdF?jSOiXKcmdtiomZCz#D%dqUS|2BCt=M=-+}tPss_%}rm8ScL3QZp z*YaF>cWAgFQK?6W+}XFi*=YHr3zfdxg$^0|oA2Cm*zwCn*>^dsgqL(3+psQjBb0Ik z_5Rdcmuc3+a)ly?hCggG4>tVBz!)ViU7%d5Q{YzFuk&RQ%)#`7$a}|)yzT!ksrx1E z96S5SLE|8Wv2%^0KTSCOX*w}E&0@-MeN)q^96b-$ZMWS%TQvAmM=+J{H zP-52@0T>ZD@g|gb9ZGD163ekN6U8o+mg^Gg8{*?u34Jsj z7*LqMQ&U32WcHpu@>#B;HR^_! 
z@3Bw0-3OFqZI}z6IZHgda8>Q@!}R7w&>JBoqiHf_-gd4w&Ui2H7t-FP#cMDRw^%2J zK3cb3ks_N}DVQSFJY|GgnQBeSA62>hkvNX?^*@hpG)4I14D48zwpMFW{;0;~kB=sl z1^A;^>E!(JS1iqW&BM*oyr)m!dLod#(C;w|;g7ijKl8^EK(lS&_iYoc5>Ara#9bvE z^fP~KG_CWhvb2{s(7tca734ZrGrlqWQScX<&DZ#>u-VM6HZtHt@$i=!zVhF%9nTvP z4FzUlQ74c$UQJ}XVrzA-?J9n@U6m!!G7qtxPCHj{+;|NI|3bqLcCuc)N&5vwDZ^$m zmqlY3->;p0^7T_C!xr?f{vX{8KbJDXgjK%xV#xw5%80uM`UG|+$Zh7@x$1|V*Pzz* zWAnJL=}N$;pcXGcp)gq9V`v`ah6)ygNZhpWCy77XgvS|EU$EtC5Ru{hQ}Wy34Q z%aVJagL4uVo|x}%KbYvdI*KO)r7{gndB(i22+@4rqDiB42G`T>kFzKqXkUbQTF?hX za}loQPGd9=5kOoD#uLZ9m1iPtdB(m*0rhi~t^k@LkKWvz$fg(MwsLK%JEH`=v{Y+q|VlWY6TakdA&%r{1CKfDOh6vORd z=Jy^XO!hXR?=6r1&hs04Tr14&F{0{^@k{ZXH2Sx3$FK6o_$Ac}A1~c3JsSP}Mt_dg zs8C*%8~EJq`@5;WeH$auR&G1EQZjY-cZuIn>%m`|>BC2d&=R9Vu3~0kW@u_;YHDma z(O*MD1ia8lTkE&*PlgNWTS+8s_ z!G4=`9EFMkQVia5-)F-8!Q(++Fe9>(?|UMhS}KYD`hDOvRDy}T>%G5z!~8Vx7>pW5 z9ktYO82yl}4-~u%rFF8gNYlHrW+AJ@b z)Ha!1+bsUsHX-6bqf3Zw_I&=cHkdKC8M{vl>ThT>=kTPq;YO5$-#FV`0vfq+N2+3C zZP5Qvn*^YZJNVswBHP%>WpQo8`C*$x)W+`kU3S}d)w?3vkn*|0)V~33mZP|@wEX!6 zLIOY!fdusT#x8)y#=yYOjcLj4;x<-1ZXjGvB}ay~C}UJGBFnjKQhVocmES+k z-mXBNguTRwEJTWb`A;VJStCa&F0?o#jI(zVSEGV)8s!6d zhkzkJ$F`10`79y6Si%k}EM)f8@$_rX$jjTq*W*uAGVzF!Tuu2-dYX{*Mx7G*H^nND$@BeO1^5 zG{Hg+d6${wrj4UC;lpke5k=U-aATlavT&Mk^9dad~`S0mhERdD_S>PXNfn3>4opcQMamO&_zZpZM73tqJ zhH*&I`sVl0N`t^rT8XLtU(rfLU!Sl4WNeTt4dq0Ci`7;ESq%E5<6Ouc=j8upoRL;; z)Bi~{AXmnk{vHomjZC-j{1YvZD=UnDpB7Vfgi!mD*UyjjQ_$*nKMnoEPj4SG;%KRo z4o&E%p{ur_tn}9`HS^AIC7YAHvpO5}6eMMyXe)%U(w+39mID(unu#87KZ?tEhRxVr|IfkrQo`9$B%6Kf;*7uwXX zN?GF8+O1L)Ygr3_l-WJ1O~jE&ZF87w8?SM;c~R$8Eom>$9uV%ExZWSNjqtd7e^eXq zHqOk0XU&)U+s^L0Gb2BARGSl}liEg$Ynx|3+ooFbdGr++6m#FgZcVI>;9qDH($rKi z+`sf)euIUG6jLd1RGZFHp~>b2kNh+t@ZC07V4%@_dl^u}m!VK=fs_yuYAmw-+$Rfb zZ6HN*D(1)hF%e)JLF}{}Ba!oWkqv3Znj<(_^;XKQ-V(=EZx0@o{HN7hGHA=Mc+wf( zGHzQ5zo)G)k^Fx~Jfy-Mi&Eeisce6s)C7=+$a)yf|DU7h^oeEV$MAFSr8tdZAkR+; zd-`7{Y@WvtWL}}B*BPF3{$qn=Y-FgH4|hzFHbP_hxo>_p5%}yuKO*nqydivVQI6_ACAO^sB{QbTV#rl*_H6 zM{%slAK_L5vePpDKDRCJB|`VTnO 
zdL&B>3;e??Z~Ugo21Hha)uf(sjO!_p|Ba_?K<)=6Df zT5Lq-Gt+;ctR-_M9fK3xFle8ouHKS`T5xsMB-l7q|ctr=01C(JcdE8ja&Um3`q4uo;}H}`FY9{k$9Xn z>9Z%NxH|40r=uT`DvmsRaxP$`r!RmMYGw2p3ycJ}-$Mpi6b^hD`5A9Xw1%|~my7F- zv!poC`X*AR@Lu8y8~j;g^q-#U_$!SKK^Z6kSV+mKgAb;wPchsOblLr6YuZBo(O1=f z|G7tA{vLVCso{y=yD8xR1XL9F8=et-eB6iFF}Z=z(p<)mM|e483}!m_0YlD!6dHs1 z{;VPQSD_!j@{IYm(7suaR_@Gc8o?pq9zMQ)0l~gL9s$7~4ray#m`pJU4fOR|;p-8w zBse6@7qMWd5f-%v6dijedIMmZ+!^j00P*9-{AS$h&%*W+?3d~95dB3A$663QX3Wul z(}GjMkdA)W74>4Y2ts*sgrEMf4M+G6#1X!o3qg9nvdI{$jj>5SM|dxmBb*JSWsLbc z8WqeDP6i@5$l5I4Jn)ZLK0gmH_o=ge9Bhpj2YUwMU{8*GEIv)t*v{6;&e2ZK+RoU} zI$r})<1XsTn+8pthV>5cTQN=2#~arBUi#~COMf6I63AGAd{YW(f+wGY^~G|qUi~I^ zcL^xcve>}qFKthltb{HuJ2q=t@42C8^2R-0ZcFcLPF?+szG;^F7M~|!;vWq>mak*3 zVwkWK#^9$FXBgEVf7Q^mqovRzr$WP}JUP~=gLDni<$ys8%K~wC~nnhdp zaBgOp@ITR8$&*@G2wi&fU}MzFr?V-NmC*}wYwNdXZ`&-ppFP8kd|YFxbD5L7r{yvR zkNWyv(Yta!cjCo0=gNt6wq4hWX-KZvd{C=AB(tO^NxGgdoA5yHK&z~$zYx3O;?);2 zNom`J%j2BOKYqq7^(%d_6s`DnzRH&5M+%p6rcRkbKTLToLN~W`!8DiJD+k!HZ3Zwa zY>H*0*or(1QI6^PUW1*vht`;Otk3yIS#xTB1aC#&se9q5r(2tz&Ye4daQ`Q|rK(o% zc@>r|&j#x_5phUR*IOwzEj-sx!^lHtIJ;rH-AA3wmZt2-nn77}qXMft&)$Eo;jMne zX4t%X-D$u61GgHn3tkSr5Ig7!dBlm(G;{e(Rt-}QHtY_VdA(DZb}bfN?<~l(`qs_3 zp;#JkVZNhOYhByyn+Yuyc4w-#tu8D-^{9Rm#U#-?LUdy%C2juBoD0I2vW8CHh_#k4 zXf3PJ-pFkBk&-{T@-6$ripw=mTkiQi7|71oL>t~L%h>S6iW2Rd z-p%4!%pX60gNbawEl~sVH^UC%F^`#HtRt8BtE|;JlH6OjJQYq_c8c=u?mM%mn(-3r zl6JRmq+)CD>_A&=NGj%ixl>8)zLEX(!%c>&yU+Gzc2(>-mnKYdOwzudImbH0#QTB_ z^{9SwcXQm4ia;e*3(}@K=xgVS_p>lz)0QrfI=fkj;kNbkGVH^}W~}>mU=WF>qj&3{OEV}05PUG+b>DF91LQ~vX zm;3AnlKjOO*522af>mb0J4B+;0(&-L>v&f>*_Ozuy}KE8j%J72G5l=iibGRZ&N<~e zG_>BjvAp#YzheQ1uNdO+abL$FmCxbJ#&Y;F{B3dtx)qOv(AUU+6F8=6DL%X-?R3KW zork+z=6;fmT$H#s&bd2u{Zqf^PZ;$dr?sA}(hcc)2IuN#c^VE^sKj6;Zhd-h+}V*U zW0;+Kyi0w-rMaHy46pJhZI2_L8$|@3cd_E9ZumN*CN1shuw&xsZKpY}-n>gbV$5t6 zKhY3V9F!)rE^Us{>kq-kE1OabW$jue;0A4m@*eHTb;G9TH|HhSJIIJ-c<;JWQ`-45 zNNRh8+M`XHJtek)+c2l+%a{s1`10P*dxP8ihSvJc>lFh=-DIqwo33r|xenT{G1|wi&fLsY9M;I7K_Ie|{RLa`)jyL(lF| 
zvyRObjJ?=;;=~mb?ZIc;_#Gn61x<`TYWTe2%=NmPcJOKM{jPI0j)!cTTI;3zYnft~ z&U)EvE)}7AROH;=RCc0wZpSO@OJ#Su?Yl*K_aAV5JI|rM(6m1CgMS+v{r|Cc7EpC9 z%euxjxVyVsAh<)Y;2t1&aCi3vcMb0D?h;%A1Oma`-Sq)`@AHzJkaOO&O%0G=Wc@}Y z&cF!|gv~0FjMJT)HNdjUvjdQRh*l;?@>?}TCB;X9>@Xnvcc^qBq1Dd!7m`Y2rZvbW zujoi0q88e+iN>M;FJ^&n^asP0DM|T5`g;w@q;>sP^#(nJyGx53t7W$G=kD0=qIp2F z#@Ko~Kd$ltA1kqA#)(!JqtR=Liio$q#oX|c5`VX|?bRJ5Zfg)@H>3+SRW?nOm(x^0 z35L}T45LVWuvr@(HCpT6kR1j{@=nNc{TrlDN|^vQ!nR=ER+@1xGKyn*U9yU}F@ zXvbGzT%8SbFiTdJA2JMp)@GYrd=d!}#NQv(`L8bXC7=(R=Q4p#rwC@Fdi6EMv3wF& zKK-0e&0W+9Hn}nnSY#~?nV&2$-6&(0bx#AUniCM%Lkp()dN{^Ixa@76k-c}@U`lyiJI~J2y7Vy(i1m>pQ;{dP3O1U252(BH1K9CaP(DXo} zUIi2=jh2IjO0_jY&Y4Z;3Tu8O8(AQDvY}6-nz)9hb9vofL>*w8nazH<0xIMR^fTdc zjHsGw?vN0Rw$f;;M1J<37JQ(6B>tq(&_H|5=Mu112VCDg$!7Ehz80!+ZqWjWl9qO7 z?Z3oasVGjaHCEs0r(B;MLEU6hCsQ(gvCX&sm8#l<2j zMSnlEa~!F}GU(j6o9!>B9LwKhm}@TfJ*{wGZ*dmaCD85Q6UxmzNc-8Ky^!(+K3B^a zxwhVmGOwhm91**g)edux(rw$NV$rY1v4Y_QrGg>v6VL#nOlV&&VL&LKL<8Ikj;3=R z+iB3z!bpd<(L1|QRnrQZweT}dRHwhdI=h{A3CCSjNQIH|ih5yPo);O|-V%aOaua5d zQER*EZXxCb(1nEomQ;7`XWv&_{c)pDPPhMl^CkF8_e>>1TAq%n*-(gL;F%X+O-=mS z3O<8>A??13!Eu*PiC=k3M!Qs2e1|JL!HiwLFnAywkG_2%I}67wdQaY9+|$FI`+p^HOK8g zj%&pq%0hYwx{(0?J@N+xMQeU6OQPZD$e)h=De_0>*+T7l7?;;5GQ6)}|Jr1Ax9@_1 zve_yyf68>2eOU<3h}KP+kO(JwW_|}}9Xpz$xg@i3(Rzhpd}n72p~jd`1?dN(CM+~_ zn$?D6jcXmT{?abN^9V`}Foq7|uE{zyY&6}RSQc80X8hf&5QQ+U3_Gz;pNM5IfiJLy2vAsMzn6tR-n^v7F|ykF1WkL&hN~dQ zIzgTp?BCqvmP}>eTJrL}&=}1m4)Dg8`9vu3 zM;BcPg8;BUxQG3B!%J!j+Na?q@xQy99_=yJ(^)^#ad{2 z`cTb=#?l!m7mw$Q0@MPec~;STmZt(k0Rp5!|1bhd_xuFnnV{wQ+xDEkxjy?u4Td^Nn}AhCUvX0#TqF9?lOZA?05K0bVtzNZ5P;V5G_}C`b7iAPb8)+Yd#G%A zRPIj>QvcDDz(1t$fS&QB{CW!oFNiTLXUg`+?30|szdVTyp#JdC1<(Otc=-DoKpH^c z;p9gvtwjI0goW;j_t?+8Z{Qv*wSVNjY5(sF&47PM?E(Fg_WZ|6TOj-8l065g3?Ybc zrGX+W_=hw9*{9$h5D)Otvf2mBnjhXb|IUA1pI zcCTxoRF$88^z#n~{LgP6^G}azXrI}p;ZdQe*dM3T+J0Gb^cS!D2bB*Bc}y=){(UM9 z{s&$l&nUDEv)=k5je$&r!G+c8yKPGG(2=7*7W9jtUoC&M7*ZSrAmMST>+hHZNiaMy 
zY5RrAePbAd@go!3ziOD)uNFi82aE5hfkHnczu=D-DuMWD-Yf_C&_2No`|GsAG`DJ;(JNI|X@*ce#Ps2u02JYGv(D-xIc4blzXtQ=7A#*L&H-+mOoks@dHP&XDs6&X9Le*!Q1phZsOC>yp&>i=>LCQ z-tnI}{^e9j5P-FZ*K5CX>Ng3dC#PEf;?$Z4^LrkhN@Vs_P~oqpL;eTTU(@epBk0f9 zl&l*^E3{*TAv~C_{!%rm8VI8 z08Br;pZ*>10SV?O-flnhzB6bHV{&<1!vgx(FMFr{svPn^D8IMG5Vekv#Q4?EjG0_q-0mMn1>9R&5>H)^{Bw*Uo>59CgSOT9Nk0qrtx4q)dxFoO7|;9{ zjA#B113Le;F8<#Y|G0)-8bI#B7UhSh9Dw3OIQUP%_MgtV2ZVdNQvK6rFn{<<@^GHx z(|*;Ddj!e?m_Iyh9zIq7w~}c8-e336$0MB=pFjW}uU~V&tA`^JPj|wh1O8kO?;i#v z%;OLB@Vdn7si4f~>fv*A*w%@o#I&f6up`P62k8Qh{+oKp{F{2n{I{pDe^J&XlZJml zt1OfmsRspjZQJ~h+Pt6D{@mY;pnZO-iyJ@JMdtAb#T5^Av6bo5@6|rHyTU(ei&M@< ztqVsD7eUI050^go{i!Ze{}*+U`tN=P`45Vpa+%40>|>tp6M+7>mneE)!eh z&wb2uYP~}OKzL22XSU~6jYuchO8zH(49G8i%yYGvBL(Cs-3RoWJ_g_ft^0{<$Io0@ zTwL4%lpgcUa-mNJ^*qNF>KUcY8a;7ul6X#8jbSfE9|xYMtbbudh?k-dYOf#I19S}hd*lTD z%)PunDkY03LnMEl{0;3w^lOqAgZ`h`GyfOtng5Q`{_4q)o>lyhYMdSrfX@%FKmU$z ztwiY)U({dtUOyP@Hq3Z^gD**5@nBS(Jp^x2pHHH#+v##KtB3w(jxachR>;`HF_~u z**^X%TIe{(*^bxnzhTJs8-{FutHl3dP6OyS`+C$u|6ji2T3~qo_SMmdjsimYg$2Y$@$j8nG8H%e@h3$=J=>9N$8~Tzrh#sm-y;;e6@7J{&bD4c;b8i z3*Y4j#RrdkVL1MLjeSmSVw?kp*WubHlu)u{M~v94|H(BL^1qC)3UvR-b>NBX(l1;O zT-<^EAGp3vUHLOtxM!4Bq*1lK-0STvm>J$~6=6&K-{1=M3)f%ct4Fn4dVl0v`NZ|^ zXRg5hjbX3i9>?aYZGYzaoLbw@%URIP-F}&{;oio6g%SS~u2BCaS6+RvKkYU*_%vZg z^E201aW3v4R1aL4gYN#k+Z_BeO1EbThylDO+%+0M#=Yq(bU^>ZB(kjm*q?Trt9pua z2!3V(LiJ$f$s-Fa?LY4}_nd_@1-h7LSIt&<pdt@e?>sW`qWN>e0Rt?>`A3nb3m8EC z!|VFr`Myx%>7IUc%wK%}&>lD(9_L!rvi_=;&s{T~Q)GwYS&`inQhTzG>6N0d0nhM^ zq93mrKjy*yr3C1J2ypq@?omlgEEquX!)L|6W0Q*Z<*DAo{LF^K!Nnbn?r|=q{;!oD zHqRx)ke^cmw`#xl)y2epEvX>sJ+9(oG7RJo_5IgFOYAQW$nju*N=`kkTR?yPGY2rb z2L%UD>x?`9oSb^jdgE;zdg$}Ia1~R)2KwG0Vuas}ZL1$FGb03edj9HHLM^n>N6V-r ze(~!=3zQaw7Ry+H_^q4HW*B8A07lkA8jh)qm^PDBgL~ zan%qg5$=A(j+%q}sHiqXWs=_kP+>Re}sGBQG}0lD;$3rstx8dl2=_ zX*Yy#X8XJSPJ4wne9;IS>t4I3C8X7Rga9dk#9eIzK;9dNDhpPeAm(OR!9J|$+Ejg5 zw4{>7CJ&LbjdMuftE7T9jZJmT$$*ya;prVarTWYhjSQ++pfqM%@DK(z{s?aaM+jWT zL&A-A$Q3YKxq`MbkAn$z&$JB6l`84`BiCQSpeJ`Km@dpVgtoaS$=0XT`)#v-7a|cP 
zqEkW!Ks5W3b0XM0Ym!Vc5W!czo2-LNY>a!;z^6QTotmFl;iFq&MmdOCj;BF)gC2|B zcEF{y&ekovD9KWmX?2?QT@clsWJ-|LgiUrgwZSEH;1XTV((3fnD~4+N6NU9!3Z{6?g zTnd;t?R&!_3XV0}By>}6yjW-X9rp9btPB~GDrQ8Gzn3s2!#}9 z#8d;a>)mDhUu1+SXGCB8GCCifrC(bEtXydv^}!y& z#9#JMts(cL3$`s@#rQI4_D<@%%Mj@*SGyItmn{i#g}jm1!jUkhd@^Au@#^{aPB<4< zo6YL)0u^DA^a>+obGTHEG$?~bP*}MLBCnAU_#Fzs-k?)xgol}c$ARAqNLzd%JiPJk zMT&@ogjtS_f}HD@qN;4Z0N(J1hRO7bt(pVIKOXZ_IR*lbDA%L4=cKf@v=jV3Dgqv_ z=kSIjo-a0?*Y02iWQ4o==7WsjSYU_7Rg$C(mq|X#5hLXp{Aw;?Igq#3(Mo$)<%E`|=9~k^1t44M#F&*v zhejKU?PV}QzTC3;tV5t%*s0m7e-mtS+NPdRxJ8wt++YxG5}|r?qxE%XLxiKDiz_yv zIY@78Ju)baM}%M4`W*^ILIe9G6-Rzc3 zctyMq=fOu2eF{1HYz2AM#m_N@nWV4YxxHQt80?>K=rIUTS2Yaoy%o4;yz&#ei)Iog zZ4#uA0E2Go9@&Bn?BnYJ%TZ2)qVI*+9!h1#{?5j1&#E8@AZoDWPRT08#p5sBA&w^@ zo-m3{z1asSD%0RzdonT*cYB?e1QOwn8fc9=6X7NH7 zAFq?jw3En_dQ5V zf;uo@I0Mm}Grl!rF$VH)lLb=-LYC<_OB6SJdUd*;bf@_m*ry-odwBd(ngnB{Q`aGp_eb~A26SCe}hK*WK0>H9aP-HL=bs(o;EIz^_K?`OnHsZj4w z32V6 z5%%9fz5}5>t+VDw#+c{JiJl90PS47kM?ETEMi+z!ZdMVR=}hq@zx_%k{6hL|sJ*l2 z8Zgj1);As?foUW32VSNxX0-fRKr*>n@jP6=U3;7D#9vhw$Put*VpHx{Y|nWnEm@gP zRHya(z>1l0C8dLmRVp#qO}Cfn^6f0h@)tPLIo0vhs$K7;*cO`Rqe{W|P>*9I*LEjE zv+=~;D{@+F#hjH-)_hjGAThut&{Nvh2Z0$WxBIl~gNBLDLep_x5!Z3ee4%-(&c^eh zV>$3%aT(N~CifNTat?al%6@r>dZ#9^z}?W{1uMLW@H-E9Ag%)TG#(C8x z2Eryt9G@|S3{Fr9pr_@MBpsr& zU26v_>UOp`?KpP>;Y$_ia8_i~J9m*uTuu$2zP)%u@mjQr9nNM8xC4?0o*f%Pa+Th~ ziN&MaTf29|IlRp|=dBXMyo8tqnhUR^Pr+TPx>4a6Wfba~a&LWt#8(_zr7JKIM5ZQn zQlm9dc5ffbfXy)L1UiJ+5n$rw`6N$5ckJpmIzr(|VU@O6$}7;Rp?yA3if`{}?2t;| z7LSNhz7WY@!^MMU+rRM&c!$4Ii@h8Gvy5KG)n4OPe5iF?g2UiZQIQmeCR5WlHteEL zE*w3v9BuYxm9b2RfpILGqhp@jT|W5CTo&gLswB3GN$4%9!JGX78Vsyp#$BqW_a?!{ zJbUqZ@J5zKKCPbn9|MxK7$nCLIs^>Ua~al?x}~P~SlK?j_5+Dy%^H|>eK8wf06(!C z(lfS3S3j|+(9U;~DJ^QiSWifum*GhPdZZhAil$XZnTM()w_mi2McoHK)qH~eX*E8K zbv^IOWMEI}?zTFzWK`Ad;_l8%VCASjN2QIHS3C_B{ad;qYP555liX{PiT8BI;|o&G z#?fJ<`w>1CpLADd)1WE7MglhbeV#&$eQQ^$`07NC1{KM3fyrf3q*0S*ihi5=^Q4Kj z=f{lHm2S;L!d+;hR%dl_f=Y*J*Pt8Q5`vSZ?ArJ6dC6m!`o@-P()B#`$H~jLrHWR4 
zxmtJ!CTvK-%=m{dFX9KVt<(D1j0$vDzmQuCN`;bPvUIW;#11Xjv?Hv0Si?2$V>v0$ z76rIS!P&xTlE4))fxNM93KSA|>bRf4Gj44b7`3;fW|9>r>fkO`d#@^Yz#%5Pw+(8+ajxzXV(DWTj+8dIA4<~6aL!d^|klst@f1EeVB%=IS zntGfuF75uJQl&=2w&g7^P$@xr)hE>ag5LA)17rnk1t&Z1F>~_;p5}5QN5)I~lE%Uu zv97s!?1O|)cjtq8mM;grF^yf(Vxl3gbw36}^UFEk^We14PSCxYNFnun$woM|CG2Oy z?To@|tic)PyiO1irbNx!cqkOEht`kQW1sy-pa&e15?7d@*po)n>eiM`9c@G2q8_Je zIKd&uz8ym3#e!!s5^|*u!B6`gP*TMGw6z7-U8%Kali|w} zdOIwx87seD5jtDfG+w=-S$Cn+JuruYx$H&i%{QEIS9JIkowi`K{ zKIslc)+o{z`NwrNp3P+YEVpSM1oT=;bQPit(pKUe{x@lT)9_sdpN_pIgJV> zE;+F%9Le@)5N2*Z5TENaOwRFt5D=e~-bSG<53D**Qx8N%eF>WsTVEin3$i}!zN)k# zDGU8(I+{6QGj=67E~t@V{IiSv4%%esG?dJcq^l(r$5OtIs>T;RwEAB02COgXIpr($ zlg7U1A-@PsY1RvKyJhG7fQs0!OHc%BIqh zt{S1?%Z2s6;AXmy*24eDipC>-s7zuA=u=-uJ!!5~84ien(l~4RVFC}`zKR3@i8>St$j>wO~tk&o80O~!>3erRI&0wIZrQyw{fOOD$H zUAZYS(`r*;(AqsycKHJ^?btAwFER3wXTZhZ=C<%PrtQ6DcWiB9a|cB?Jy3xFW55h6 ziJDFwNQHDQ*369^hq#HVHxdwST_o}ICc`G+e-$iATjC&-(=M2FotFcs3)-GgxJi0% zF(}-uig-9FKYQPSh=DK;(d=WFRh982Gs#+!*5Ai2v>6fW@CBJ5VKLf4CnoC!87v&3 z@?v8|ENK#j;;v1NQh#3zk^4t>;{{dg{=rXuP(7u=nVVCcC9@xOxf5mm#|5Hs7-aSL z0x$@8$7_~lVKaTSMHgjVKLHt{r{&ebmwJR=MO~CuCqvd*m@%KEcVfv8|S3mcpxZU*?Ut&sl1(S{K^-;LyD8+ z)421B4xFx9U!0{TO=-#2DyDI??NL0@e8@_I@(C6zqul&>@{_+*!E~Sv1W}Z}&hS>x zddWe@dxC2j#4|_n#`F+UqFXRCOintH^b@27maI9|Mt2B?21af$LOpQ8;HKRaZvHKp zvs^mY6$Nas#!}#9FnWm*eiwu`mr123#PaSO&iEABtxE(bdujxY0aJaVym&d}-jaro zohjb()mwsmAHtxvZhl@eRk$sNoZ(%h_YzYW@#3IkOY|s*`3oam#yDzx(c<*=$~|K! 
zb!=vfv1a>jqQo((byu`PZ}eM%1Jfk|kZSfx|hWM{f2vm|tzI8T<96gkP6pSiMq1aEHG1I=hH4>g~Q9oJF!p)>P1X$@~Gu;@rXE1;yC%BqN$z>lQ4*08xH~z-%;(#rJfl z=*^*GH9AZccngh#RcwW-??wsrfn*$U#S$moZ}hEJ6M!(*<0<_KF=}G_2ERDMM4-gs z)W9)X1d*FSf!m3~H^#C0h$Y;5TnUeshLzjz5hZ_3f6HS>v)>LLA`LU}Y^ECvhP6#7oX5VF^Iw2>{NDF`TT!R0-WgKLbx)3u8Gl?{}WjmcXB zX2^K`ykfco%IjWw;}(E2a#JMFEDj}Qilk4z@KN>TJTGYZ3nDvC@NJCoL;ZsUX>CYf?H|&UQrw~k8~Y~cMW<@8Gs+o82qHDd*&mgR zRtqLHquzd2T)*`RpZE9Wh=?Ev8A7Mwgq@zyzthq4#4~pR2sVVcXDmvvL`$rwjoCI> zG2?RqxbBLU0W_McDE;zv7O?Rwd!dNSFGV!Uh9ERFu^o|8w*)Rw%gs#TyOff8zBIT@ zrs55(6ZW1QR{9;BHCU`oIY+5Dz4nBeO^a7Sus8_3T??=YJs-v4! zXhy=aU(YHG#pyW&A$4Go=jz$!Sqa3s`A{R~ngM7#7g_~{%G!kXbYE^Z&T;jNlVnF* zr6!5x47^1fvJ=i9`X;w)*^IwpRM~cv?lI2{>*^H8H(UBH!%2#>pIO14vS}CRS2az0p*A=lexo>Yh9z9S!Z9IwYFy=meLwAQew@jbJUp1O%r`&oosE@vt z90B!s0X|f*_N3*o*tK?}GUm`EGs0w3RXdqj&4XVpsn>AIu`@zRZoRtjnmV;D zCjaxonN6Fd@Yhv0f?==tnH|zz_u?Brh6BxU)6pZa&jZZZb+Dc{0oO%2&P^)t_7FG4 zB$!=zl#PbGq~m2m!QTV}ifYLL(W=+pog-Vwx+()p(R|lw()^xdMdKSsNS792gp~z8 zSZsuB8J=2yLq3bZUUEu;TbsHbC)J3$z2l6tF>P-Ke!p^k=S3c7gBU)@<1O`)oX-xt zj;=c~znXF8^fKPOQ{qk7Li@Mq(ILihmJ*Bn$i0CHl|f(&<&``Qo^aDeQO?z3L48oL z`hyg^akL1`QI!`reg?;52j6_K>9Z=emcxX!GA4v8N2f7cF3zKRcQ95(&F;_D-7u19NE_?{B1HX0DP@&?VkgQ8 zcBLFzPhnHJd?9VVkOJ)bx72iw467@-^St{PjFTNC`KIH8;2i)H?Itx=1wPlQ& zzk365(s!O&Pdw;Jz}AY(Dn%+er=)xjt$Ha_Ib>w8h0}dnyGZKzc^lIvO|jUtivl7U zdFO(gLZ!Jg3)RUHB>XNsnBlYOu*t$?M){XD?cg`K)di#7UH9FY*#rM?zH`iAXh zJ%Q<#c8cO5kh+bj=2!rcrQ1Tw#7&lv-3B=q;2b4fb5E+uJs{a!k|scU-sAY+*U z_)VCQ3xwNffvr=TucA2C$xI#IaRu~4-1&3-!XwTONv))8(uOVYrn%iJXoPVRX6%#s zjY9&~fnD9hS`k+^F3e2AsUHHXV=E|*uS^G|KHH*Iw`GW1!A%Q&)a+MeoYM8bz#!cM zv)`^MR5X8qi;`GEJ!iBIHK%UDCm-5#Cq1_t+Te@#N!_h3#5H&*6VvwsTm`KTjbEKE zjf(HS%DvgJ-MvX;sr)Si-1cj`grXOq@pK*g(_#zL+CV7ipeOkrZ;DWlbR)syo#qO^ zp^~3sgEb)O9%?BN8X4HZ^_d3*m02IK#19}Vj5;!>a4;25hDE-a+h#Our3l)(20?V< zjEk@w3r@Y@I~hPt^kz#(qJ7((sCi=Sn%-p{IKIwqWUL&B&3!%-6-y6s)zCkz=nQs7 zzh_wK+)t2s$aO@Xh0q}m82>gv4K}lXO zu84vB>9?xj^jC<)d2NQ-@1C?DxiIjVcls zGrA3-u3Mij2+GTGh>oDTr!)?^v~X9xIo51Ww#@IftOR(?mdWXnRxWN@);p`Lp1raj 
zfZxE{87>ZMl}e>n*n?@i2SGm+t7!O_{rHkSdFEauEoC}R0?0j@F7CxZOp z8f9jkcu6-!srS~(ySK;4iLp_;aIi6w348Abftn#c0GzTc4`^mgkZSqn4jH%%mYLmT zL03^&ajA&qc>+KPgNo~<>G3#w_!=U8uoE@zHTwogF+Eb=FsihrI8zjo+qs`NDeSwIoPNF%%SE>NpI3YzDHLhDD-9)4Gdw4hhr zEl5qldUS@MN^`r)C9tVYuXUvI=!WGs=wLM@o6HM|le5AQ+z07ok{12l1YeJHbkv_4 zb*bWjpEe{~=E8C2HLHD%tj}Y>P29|bjl6^mN`Zbumte0}hkla{b5xEpd>~)Dr-#lw zCNAgnc2!nF(PO|g%_Dhy>&`Y0<4vq0O8er*i!OGDuTuf(P#>z*U0)@2`2r`-qVg@3 zc;+)*@ohP=x{)O0$9f>j@I*I-&D*>Y3OUoc*p_n?I)XGsDdpv~_`=BTb z9Zesz_F(49*rcVu*~Ji(ve*_y^pE87e{fllsf|vrFOfGDn~`v-j4G4XNf43lbF9+z zF(Q>`1GPRJ$(y=`$|wP_v;4T-4(zo!@JW~vY5$#6U~iv|z2}j92xE z<&k_5kFtM-@_{(Rd-=<85H?`AHds<^wp};?T(occ-uJgf0AGV@VsF|8uZ6{3mDEOej2nMnls=9V^5lD8-z|B4Oq4NNzSJ!y{lvtV6I^;B7*D^LI@l^8W2oGe5P8h8{`g7X|`QjP^(zgzqo$u81XX_Bv*0uZy) z39?kFL~e`Ku|*_g*p+eA48N*XVR7*A zbTgYgd93$Kgz&FNj7hQ~d#S8->@vmA_cP7jtpMF=%viZXo_6;5JC?Ex?T$?E!j;{t zWBH&<5%t#Hdy$9>N?$K4$$?jSUzxuR<*a4m`4)as_R-AFz=E#BDA1qNkP8pQKQgTx z2KM+;3#a>aIi%VOAEm}?LBN)ZqFOYI3F$nqS+S*8XQtU`-y&KF8yTBD<5#9|mCXds zlt%GwwpJr+5!kXiRxB0y`~-w`Nd}#r${9~l`-3xc=Vvc=wulT@aLNG977)@<$NyvVHVD7<*rclbB}~+SYGscUqV*081dx{(AET zPiG7SwlY6742!~BXLn}El(!HCA-#JUA5(Vi_bo4OLDXbdsbxQ`j2Ka2aMOctR}76( z0I4brTyOXBrBrwcx1^4I9B8cfqlX`zAtY12cUA$i#-;^!h} z9~OqPZq^5Nv!P2wVJr_r_Cy_7po)91MK2KV4)ZR;ZiT=yeQ)+zQWtOZkfRh)%G zwQLE&N&brS*NhVpD=;^PK>l^t-V$e;HNCw3NlaVFF=B9LVz_qA(13w8JRCq8(4z&0 zSgX(gduJ8fG;Ta9=sFZ|#}d`@SjIh$DRUlm4S=5#yN8^&5-0(Zc`e=_MX5@n^v+n$ zQ+^tDl%#PDYTL(}BjIgM?Lfz6!5BC58mv~~OnUKF0KaZV(ljz8kBa)V4GON**79O8 zY5BGJ7g_`p{|~ctEV$4erw74AdB(0Dt-1P42CIPKkUa`=a+Vh_msZlJWW0b9e5)#{ zDjldWd&Jpi^5W~lah8)~%-9IG5I4H5kv`DPArX%_Syh6_w1;6Duhm{z9==BZWB{O7 zXBq}RfV`R%iHVR3r1=8Afvc0F=-mh~Rd3@Jr#=ExB1=;6_ADyOFq5sq5dmat*!vLt zCh-zA={_MxNSz|&V2&CDihK6&P>t(JMW&%t$&erdWX7}rBfXk-Eci?cO@tnA`eX!U z7nWV4+da==QUY5Ab)~rB{aFs3|};*Sii07uD57ycb-Sr4A~#3oLWY7mF+%uQBCak4RVgIfL`e?!`Rb}iQl zw3UDpRM@;~xi}(AnTa{_ZYYg-RKbWT{GFeLHmE4;ODvOlH^a0Q3h*2;@^>`Ia#*z3 zo_^*5VY0p#Q%LAg)gB@mDpH!xfjcOrONe&LBK21(yRVv8k^(E=qDlaF7)rTp_4z{j 
z^-i5~HWb)@#o%dW6W1%(%7%KA2gw3hwe&g}-A`drr`>~-Qf>v^QhlR7APTLYw<-Hz z5G#tgPiwwUo8IhPY%Bw<-cEjA-e|mlE52Bu-7v|eJv95P0gpng;TO8Pe7-Cyuh%j( zXJ9yr_zRsVgn8rx_lIz&&0qHJzvNcUDvh|KoWf6+k3}b-(*n6LmDYsjOuQ(0O^(pn z;#7k@xCxyCe2O=D4yngVTob^JhcvQlvq`N%f{=xq)zs zMz_=l2?lnWv6OSY*H!l@(#0+A-Yel%?1Yr;4OoErW<)D3c=uss&Zjn)V&DJXrllk~ zxP*?o7@i;d?J?~*?XCrk`#i4F04VV~j~apMAb~vRPE{IU;s=%epawsFfBGVRI4_gJPOU z(jaxhyn>KkU{*vMxCRB~<==uE05PDB$GU*bs^B$ozdQ=d?0}YXm(?GzTw;3ls%HnMBqX!wI_hd#!JSrJ6G(;gS@7v-F zfbu)SHy<`4IFtpf48x9rRFE3Zuj9G;J7XE}u_N!i&`I#r>!I;f58DF8rM`6%*0qn* z(86+EsxL?>UgJt5W3p^&p@)|_p0Ze+o-qp-Ah&*N-X@UkyEqMsE%ECUQz^QZZ}#f+ zyDq~_uN>}QN+xW?&>=ETpI&d{ZH^Cl35q+?ZjLJ>aBAGOWXHMvtp}|ZxqatN>jJ1 z_lBl~gfy*b-iuGd+k*kEk8K(yvgp8+n&^NFEV>J(r9_$NE9B8QK_8`;I`11H_nI4y z-Ij)re5U)-viKtAmK@+6S-T-;W?@8&nn(rou#HHmbuqZV4hW%)diQ`@QyVb(v1Q4n zBi8O9q{W)pyoXawLN$)+w+q$C@ecYDDwnzPpww3khWc}^o*_XbY@v+_a24I?AGl&8 zzcSoGMdg2!9Tl+LD&8rLBJXofFyrUM=xyUpPZw-T`F<&=p1!iWCT85F4+Us{R8Z3e zM>pqRqtW8GKLb^+wW_LRX)Ayxr_K?C0veKSIxL^A+MYWQphZSPIcrgXhVMOO*sJT* zUc=6bv#QE;a*jSU!YW=nNdP4WCGUD`vur)mK}gafUe|#j;H`F>rh@*p9I)PTM;<0E zVQWN>+g|gX>b)|SoPgC{RN72k7Ve!}*8!YRoZN=~dWm8BNzs0Zm*;T?A|P_(yWMz^ zvZSJM4Y>-bPy48hOqeyIh^EQkzhBDn6^?{s3+At;=tSLQV0DaF+6$)b2xfF|h;OMn zr$TnKfAY%As<~3(p{pAgxG7!U2y;mnGIS=5)6yvm{*gtb_hy~QpJ>7F$&|NyzvfQtnIm0 zF!wD21V-0{yUSIVo3~Di_?UE$eKEyBO6k=l$m!nHn&AMjr zVvTg@v)ya0nb}{LzJJ@urz+`nf%5C0a}6ofKO9_EJBoBaY|{tJhp8bB6j)R4piiMk z}i`9eUlO9MI&z*`h8Q~BQ0Ksdf?`~a1%1(AI{N;pRCx+OQYgfes2#dgl6HqO!f z(QDtZ9>RJ$d@jR{D2lw%{wnmeR-Qh~YnjfkEXnu`s$Jtds2W@z27*n0_5j-*8@wp` zecr_8?U3^XL^+6`=iWMKzRLmn4T+jy4m4ExC9I@X6D$#?y0;Vfiww(-I5ixS~`z4P4iQ;6v*ykdwaEv^-?WWeTx z-Mb#Oc;QGayb5IB$fl#4o{q4rw#1be@=BJas`I>(UYDpd(C95mb*-uWj-Y`jhKB+2 ziB~SC3e1PIoeR$7_IgX*K!MnNEyy#l0Ke1SF20o%>JbEkxPUgW5YhaMD!3(IynX4R zxFPZIVmZ5|dCC5=V6|IQ+pVf11~I-Jb6Rx=)#<({YgZBmSt^{tL2g=l4IJDh67ghO?Ng^+5dRIEediSz{z6#dV00q4WruNn{vD&d z4}^8l$ZyZr!0)S%rj8>Rzf#u3d+YI4f_}1sWahpW<*bgxi?s93vmB5mdLs;llIO8U%W>kIjPK6J znlMK#LDIJ-GP2|MZq)sva_lapGzyGs;$GBsf@0D<5UFnsMLFB1wU{Jb;nwXUGBo7F 
zWuXo=L0yo;OWS&N*1IUr*wbJdAn~im_{)Omd4zr0a%D%lfL9XF^dg{2ov3{gyp0yK z1<1NLfa>t^)R9!)Qt4oydcB%6URyI=#m~#rztZ%ND$8i=QfibI*SDPPb+;U5O)ho` zf@V@Rl)=)@o;=|XPNH-$N1I;(FBS5z;;*A!(>qgIgITZfWYZ7Fqr7OuSI&70z0 zeLp$IHa2B4XM~gG4APve>Fi7~1g=abV2iRyr$>+Jt7xt2Ac8{E(1gJ&2abY=iZwa= zouPP2YdL~)%lTroy_wDP<5`R;hBtt18Ay{zP_u~qZoUeRC(9t#SCPbP#P8|OXF$F()ln1JtWPz=gmJ8W7g&z(=V97y2ICd~=| zL6{)kP>mv+BH%TPFJ1q@Crvw*MzLZZvi;$Ynx}`8*Cx{opzNzVO8I4%9o<_FD(1z_ z>W&&tC!Bu2ygmqZ>2&_#Hv z2l{Yo_}#sboM@|VW+kPBSaEv<4uhhSIo>a^?S?5uh60yV0)3q&z^jo(Kd-+;5c4mu zp~v>=*_h7Ms+57Dz;wswaC2Rg>G;}@vSO7Au9u4gEh>`UG!n;sEhZk_Y-nVwMQD&S zbdEQw74(+rE72$rU_c~fN;&ooZX5yOVrdITUnuDk0g|=O7_TzY_er%mQ4vEvnZRaG>ynsq!MKmk*JL9k@%f+ z%JXnP?(^*_|Nrmzyk2;f`^LG>`}2NZ*XMIx=N#ADoP?DZYzj}E#$^K4f;T7(hcW)i6%Myx;{bW<=6VFqY zf88O}_ADXZkR_R)koQ{Z} z?RZMkhFbi^6QVk;Al#@Sn!SR38khUE{LS1BPf}cA+c9sTK`!x`rf-fwU8#Eif$E#L z_U`zONBt;E`BWhD2gR2!Dk8}YV?9{*Oxr%ja*?qS*8lF6f!o$;L66(=t$}rTK4ku3 zsxy&bgpMvwL)aso(;5}jT)H0}cSwBQD>tV*wa`d|h!Xf-LlB8WZb(~>$=S3v3jyVK`m4O6dHOAMu!NxZOE6nD7z30H6m;}zmvE-c!qx9`kq zrRuP~z=7+YFBS{4-B=ZiZisUv-ZgQLQ7%zE|#<@+EoHRzF zP07WB&F8W1>jpdGAu1~!=8^N)k|btvh8uH7%D%;yC|_x*(+(P!3ZSU`&e}OUiuFD) zl7epEONDcEFEw`?>g*};5|%sN@Zrd(*Qr70^Ja`#a-xHO^0?v5sTA7iob=QO*_FtazUwQcr(IMTd%=11r>(MBO zvcJ^r>(|*?j0V}S32EBh{D`HPh4C^e`DmwFV5!?hIko4@=^xsk1$#Bh)h04kTXJ+Z zhCNou%QQ>APAtK$_bEBEchqwSexKmcx|doSf*Lz?afU?`XvR6mtI9+djdi?(UEH{p zNZ2k)KW}(;(b0BtPl2CclG6~i=%r{1QY+zu@hX907yL24;u_1}TwLX9=jm`25_&qp zpMpg^8D{p#sZB{F#!u{K$>XFUf+WibmW$F%w*@|4W%dilv8)=i2#c4jQO~0eAmXd8 z#|!T9AAKg>L0oHFni@wpf>&GQ7-3*c#OknXG~#ZGWO8(rN0cdif%j_a*OgJbN)f9(uU4NAC6Kf$LRPuOc}Ja~~Ov z6{q4n5lut%Jw5xJ;eDWPD{t5Sm+!)x+ng}XJIh@Yb1``8idlT6yWjgoh95)>ZHwi+tV zCQWB?*pUaM*XB!=u%AD8SSsg0;Q-?vZlzIv%()A^DF%w>3_UrLOhgz0#k!-cA3y6p zqAY&V9j}|WkTnbQ|j@9i-0)M(Db84wSs)XRwRNGMTD4 z9ly`j#g{X!i4RftZrN(?oLA=a2f2cH6vI7Ln)HW8PiO5SRrK;+VUVNl?6=JF4Aeia zrTWtOLD7T52TH}-uzZe*T@N{`)h~T1$p`&=FY`Dum zPK&B82=8!J^P{D`jB-tOhrALK)xI`$xO3N@?mbFbmSu9S`gmLk9%h0Wkr?;4Z{w^t 
zZ+-|)x@1rgtU(=W-sD#}?{WL}@cvX|^~dHyl&!;y#mhXaLsG;QZ8&jtRz9C)m}<0E zy^1j=d@Z=clRPS$BLxMpwRnUcSh+cNp6%4bAgdm)A5}dmgI!cKPIvCm&Qexg+*{76 zVx{cmTqOK_65RzkSSeo~8toOD>(}okJn(ilv{@E+kK7H4vKL3Y-`UDZ>NO>3uup9{vw*AxfbskSht#G6p%`MJwe(J$&bJ2#qG9*&F9W)x0eB3@JLAd1Sp- zbZ2Ph9oeCWZ@80k(dLlsHIMkRu!e=~ai-4uo%ru{=Re=VAylB@6m}bv%e&==hfx%5 zMn>!3I3Lo{-_;XYRpY(qjc(bMC9Aq6&nKVqEjXW*zG{n$#;;S+_!j0RuCQ0rD2^-8 zpMICQ-bYKExvR`VLxPU9!R+o`ny$}oE|v3$m*;$6^8bW!i!%J7+&hnA9`UP`Ewpii z*zRABMQG<&_q^ve!5;NvOh3d(b9d@1j=PeE4WqzCC*=bA)?(5)pC!F3FZcD55X#{9 zh2DL2Z>}tqt~^8_^=9&T^BXxOuT0FO3;6}ij$PM1F+F*tS9J^acgJ5lCnZ$+Q0x2+ zo@tY#pIP?>CdKOve^HdkPMwJlzNy)HZ(q&9??|>bb9^5q49qC*MXXs zU)omV)l{yvdujKsj+i}~VZ|8rFS*#CXt2n`JO0Q=V@LA7kvQthCi5)L0k(VSyr|v5;Lz(oJV*)zH$QspNb^;&RK;U0UdCr_q@`pIDBr z9!gqht}QoodWwwfU>vZ&@wS}l%@I2``8LKWy#tH_0*tbukB{fQ#}L8D????*%X{4} zI#Da^K0C#eDed`EVCDXsBsbI5nXc4+ogxjYJJdFcCq`zg6{2R9+4+2VnCFkEX77}t zyz?&hg5pG~&zs9HvebA+#(J)vCuJJFq*o@+&2pnlrEARb)!}rufD#o-&iWR z6ROCck%-cKC01{92p+m?cCJd`y<^uc3=Ws4=c&mqKGvFFnaQ|bDS-4ceY_*|x|t)P zIU&EHim}V1NK$Td_noI?g4#Li2l&;`(R<6@P!qPQ*%wYiq4Al!)-=(sN;x9e67lia zcpMJD``{4`VLmzrEgj6r`@}<-ghzvT^C(w*GCs{a<;}=6C(5UjJ;LNO<8$$O z)yaRR+;BsF>6!XK>{q%ZcML0=@hKg()(WpLr?U2*><{|ER^Sa|3Yc(O@^;q?U-*6 zSt?O6zW5!{+}>+MV$s<x3~_O&z0VP8Lb$_kR=_Z44%DxYt@CIjbaOe%@5&viPGz zCNeswD?ewv3QUhRO0iL!aFaN)Fvvm1Ie5(dDn}0T14(p^{~0_%HWBNSI6bPpT#eZC z`Cm1)RjpkmhDzvT+mlK3GHA0dh<)c)Z?@MMyx?EQk#3a5FeMRp!eYjf&-im19;fEl z3FKp|z~!EyyWz@xwK*%X_951nMfOdN)rb?vDmI!3HEBGO9`p7px_MJb-n+##;90lZ zeI2Q`yVy8`l^WBP`;un}D|fIzKst+?-CHf6Dx7w|{YeC8IMO@$uAcwmMAk&$)4RjB z4VuNy)O%8Q^iy#i4Ja5gZO|Dk<;?J+o1IfKB0XGcrxqzb-QoPDJmanF$co*kP?F{z zqmktkID~YXyUOFUAKuDkU!h7Mb0=ye%O4y&Zj>C~pjwfLRdU2BaX}`@e}V>!y1rPF z?DPo1BjeETSExIE_m73-MLrmbnV~6pytAU7^n$G6rLehp8u@m`xd&v`%Q7b(2< zUalM;x>r9!Bs_u1dP(be-gL0zywlvoOL6t1->vtYci{fMTp^w;7rcE@7h$kFtNp9SHFmmU?2kubwX2iEF z_JSQ6W5jn)?FK_JSKZrKel(@N3TQ03@&;d=N1z}I%ETa?od9Z{%j_F z{Ot35*1&iMUTyY{>R`&2*~uI9aRk*iAMvmHQL`baohc_}SbW_MTvc^{RyG`eCj7AE 
zV0n?blx!=R&hFBgYcl@1oy7weuE;qFh#SoYkxA6&3cjQ#HJ_+&)U=pY3KyU%pP%>J ze}GpxNv@_0n=;XuFWxq*We0YIEA0#w-b`svTW-Z3b|dXNKg#wU?+pBc(y{E_mlzCu zFSx`vx(~#ZS2d13?@i$#Jbtu)Zt6)@>wEHqTcv5U9o8q}IVvY^y-JH_mIPPVCP)lc>p(;fgrOvQrn_x%+ab%T#xm!sH8m?ZA~Zk`4=x%Xvj_?IEq5Y z*l(~(e)Pm1A0Xo>uRf#@G4VuwVb2SqvXy|d{yWFzIIw9IObwRR=iB-G7cP7hec||( z(gLG(DqV-!wJV@~M?*+wyeNeM?qIS!MdInEtdCZ4&$ZOr&lRM^86UV$6MgOBp!urN z&1mTy4_-b8D>8bm&S%{OLyLz94W{}RHGH|^UlrG=ROt{|U%!X_-224oLmw?dgK?*V zh;?>je=o{RYqY+-?_&>H0lRlcVF*+9SeS9S^{M_M_4|}DoI84aZlB6su2mU&*|?DP zz=_0@M6oXGp>-?$DE|F>|N^lnevL8yY|UVpRU!!eL|{+708?*Q{(fAbpUyyb~Ly>nCXHj_A;@FJBM6Z z8@GcUUPKFR_9M>3K9S|voeasl@A4TIXTQY{pLW$cNB&4nA=??dm%M#U-Qyia$X#BR z%W@52}N^#-*QO$Gq<| z2z74BkvH(B?Q^wS?KSMJijToPgfD1h`yzxuSd_O<6+7sHK%B-@J)&zgKRuj!*Nlht z+uk!;VhQaXDV}F2mnwPnWFZy^oYxy4!zvnzK|_YbV#4_b9dlLJL!4yL=6Ulr%w)IAY)zc?g}u{ z$V@EqSy3~aDDk?w+N9mtvb)bUuS})i3Xiz&^c(8*^uD&1=rOZUd!O%*?cWYnP;!uZ z8`k?}a80fRSK`;p>T?kk-qyT-b$HHOmL@*qlL6P4R?orRmZT=5U&mZX$!6adIb9gk zkHu7er<#&T(8<*ucG0--kZI$cE9OJeou^|yHcp+N$6FjIU^4RDX2u;whPnn?ZJdxM(f`aO@9ev0&RwIO6J$EiZS3Xa5i z0a=E-PSqAsx(oYhR`(Dm1sCfqhCX;0L;jHPA`6>u!|nTd`t9ZsnA5v-zrT0qWC`Oc zQhr{n_b~SJt`>4kADV`nr(e~D@7i1O$<}66C@}a_f4JJYsXOZNLIY2qYn>7~F#Kd% zoPu7-EB`_KFdwztmr$xz+Dn0R4AplULQK?JXyuD2%CJN2TKbtRB($57COl}fD=xFY zQ-4Cg|Jc)Oevc|CB>TVIEI4yr{P`_%A0GcFbB@Kf!`+N_CZPxPMR%Q*iwGdjRk45A zDkJg|t8tMrgg=d!vO8e^G3PXAHw+cwZv@hXjTW{BRvwmwPx%UVr8MDopR5kGxs*B@ zsfojOj}7@CBK7b|w=z5m^5ETJCkq9yUeT-FTR=Nw;5Dtfbj$?gi zxT@BHRbA!zwjDi_Z(|-9RD80Dz40*2>5dQ+->j79)OYNXXW`FJrg1jTV;!u25fsX~ z=k_9(wRMBr*L=PQU1{x~y;>4Trv!+XXq|#NoKm#ZYlkEDlP1NGp7g(4_5Ff|*FNtt zEX`-%$J&S`{T*X%NlfF$0++cGZ@V*db{3xO6*ic&`z%>bjcOXCucrWGo%wKl|t!^C7EBS#$E^ z-=@n4R`O(Sn~1RM;=H(#Vv(E~R2K3iKDW925hLbvS$uu`JGym)c*DZ@+Uf55qy7HCnBWdGY>*!+5ieGgBJbD{cl?2=)pcZQpsNFppYV?_T;Vi=gxS zJXu&DzdX4-i!a@*T2*stl=_p&TGcC*+!sl#)VU&*?bLZ`vUX5U|N6_v)tXu~+WwK{41Txs zue=}Z!*vBPVDiZ&WaUTKrYgbLOA z*fW0ZNna5Vlx9DL!zzlK*;n_CXE!5-zthMbpCeyq)Lm9b=j!#p z-bnv`R9}?-Q^Vu@t0LlV_>m5x{Ojt$97{j@k%UnY~#y2aeF@a17FZR>yIB7eT8o!q!E9>B&oF 
zMbD<2meF6Y8BB@3x$?#fe8N#J8TM&O$io_${LiN)gX_SjC8Mg>KP_3A0=pww1=N=O zrfnfH5KOr6JCdQ>_bam4GZjzuD;xf?j$J7jYSQeR(rd z&ns3!q#i*b^>sy5h!{xf2VbZmO>}lS=%Cx#-doZ<9UwWHkbbmq0wF|!0-gLPy1{F( z#125)8?J67Hbl(Z504KZ_LFTXJh8NB(22zPP<_lU$xu9FkV8R0bQC0({NEBAbscsO zNyx(yDZG(bJU#$^A-J!6&cT1~A-SGdbkMO9_2xC$aO~zLrk7ODspe6jKv&o~dQ&;6 zhn_-y_bhh&)d>)3UKZ^BoP$vB#X}*v5I`FPko+9834VW0BpRe~#~63}1XD92`VSuG z&{|wZw?F49$_I$pFdG*U0Q@XqGj3fKANIFs9wK6 zCpyFhuP>Cp!K#mu?Y2~)5@d^6`~5SJi()n`i60;maW|3}N)N#52S}`NE`cYJ4h^Ki zvlTN-at~hDSYqz)R};GQZ%7o%fhDnevke~c`T^9z;HLQ%U*SnahuE&N3;U(X?jGmU z!Pf+9A9rjZ(G-BR1iV?=jKopeA!xW4ppY2s?T60;T2W3VLM>IJ+s%|74I~VyEIZ7R zp4;qSzUugiEP0ASeSqR0qkMe1pCotitDLr2y{C%U)^+v=7VT=X#RJqDdxfMz|hYjDBSgEWiZ2FbGoOSbIxgCMH#YExO z7C;M*97U==cy5`{?H4@5>ql88bT)^xj!pc{SNnfcLcZq1mJrBw5GjYkE!f}RfZS5I z!lQ4DkgXq57KOy|il~dSAc^lO;7LS>7=wcDQ(L!1yepEV zQ!}pX;RX`h07%Qgo8`?&9H;#Z!wSDphb8`?4m%)Rfv+GJ_64w&7;?HpGH#TIP`o1Q5+S%3JjW7z zB}T_Z;!@m4dR})L1&)P-Y*mZBzf*}H0LaII*W;V1*iZWfQn7TSikAoh^hJP*1T}(C zLwC?sViq*WdnhG7U${%j;T0iEI4*LWA6+F5Lu^)wCH}Ay|E-&QA#5#%oa|_)QFJQ; z7^ndkwrLpfwHRIW=2A<6w@R7ftY7hq6b5E3|7k52_*uzFHmSv_g|Mk^6w-GEMc*24 zKcW+=$U_5PgyB;iE1C$skYvxZBx8;ExyDvmkE<%8OLeHoLBt1&U~4htFo)c`Q4^vQ z6;Tnqpe9Fm!q;MSh@;bdx)vt(aC2QNx_sdHh3;Re#eqez+>Sxqe&5J#1TTOV7(0iW z!(8FHWkZ9Mv&6{BWFh_d&b&oAd3(Che^W-7i($(M+rj;M#P#pt+Di7Rp7X-c?>a-ROBGyiuE8}dF}-d!`EVTh&!UX6ynd)={3%u<5@h@NB1kWxUdZNCcqTL?F0(9 zUjek>*m*#u4u2DX3k}lOt;#9y*fU;ZO<7dvP`&p;y}N>LX11YQ$d|)HpN621Z-gFY zz6QPUEvT0@4S^bZhzw<iT1NL+tei~b8pw*W}{f!F&t>nyuzXP`?LCMcby8-S&)N`Cl?l#Xg56+kjvYkRA zP>2O4*wHE=v4MpDG$vbrLk}JF8cO>LDYG_soP?p|hjz=2mVih@EMZArfJpwdk>o340NM$F zWNv$Vc#^r%Ak_<)v%e)ycc5ITG$()ff!%NQ-j8;8a8IywY?hnJCII+_;PsDD!i`U` z6eAGT>vJ=@I{0Kivzsy*PuF|tb3zTLUOfd#MnyIZkE|0y#=Q|4xy%}}%-qe8{VhK_ zQez}dXe5JaLh~#$>dwDT=-CX}Hvkz-Ra}Isq5+EBg#fyEpekZYRR3t@kUbupKkw3J zPw4z?1$h{gOBCLpmj_LJL1)gfNw~D%xg6g#b1wBEFA`=x?hB9b+h&it#1O6_jAVyL z$cqMHHdUd}z4P z9nW=1s_WvuN~Ugum_H!)ThFbzJHk!`x;9(BQh=SY2b3{p0)8TZ4*F<#ls?}LgmJUR 
zg)_HYEZR^f0&C`}IgYTzu0X^Nq7d5yAe;cNd|qUQCzc-#I(Mdhcn6`POoA&2%WMCg;=0Q#i|19zEuq9N|iz}I%3g5kHL1O z&=Eg>;^|b2fq==CS_%~C+wQ5`?y1}EsoUCB2kW*6>$V5$f5(IM7cze@l=&MrW_~8^waky-f~%7w3hj~T@Z+EKiF+Q*lj=9Z9mv;KiL0{A1s*p zSKu@MJ1FzlZOr_;tJX3-n84^wA zv%BrHyX~|4-|^Y~h0G7_#!p$fG4m_TuVwyZI|O3et#{k4ciXLZ+pTxot@pp<*82;Y zAM)^^tk{_ORrA*}e|H;jKyFD@^X0xdFynx(R@ecdmW6I;sAnj$sg8=3pOcr~ z)7E6auON(m(Ial}v;7}@>}wMPnw}hw%X8_fJobW$+qTV;*@P%m$5Wuhxzjafq@C@$ zXv8PQ;3yWv7?bfQGf^@J3<AF6Kp70aEco<7p#q!~3sxVi_6YQpPG9-O8FIao6CPv&PmN zF1wfz-9@HpgApH^>ga6sP(gr=KsROXE#E?9M%QWH9-2eNA{9a8BN|$HbM^r^6rIWg zI#CaVHA27HwscD)UfsQ?T}r@K?zQtR1_O1&)2k_go!#B%NJ$nSso9f8eH(E1w;7ol z#Ms>$YVoFAnMZM{`79N^ziaL1a!uXU-V$csfaaM9x+?+kyyFVW=O)Y-4!YkN_rm2H z-RpWhDUCIw%0t1IF}J|4;ezftg%x(Yh4j{?L2(<|gX+_{O}f6!gp5oEqX8MaElT=0 z6_<`G&Zb4aW>89hY0#7^8cLU=5;PNjg*8uX`E5k@t1oJNZkl#|ZI!C!>Z86^hhI#! z)(okzUaFDk@aABCT7M<^z})+8L!t0AA&lWdVR?DFt_%B4-LIW_#+lpqg2a}BGZw!I zd0ENOH;HmkssV})!)vVo+JC>->EKkWx7oD z5&^R?Rck8#id9=kOi^83(X@u-!<-hCV?ivfcbu9e>STizqk1Hbqh$FPuJRtH9Gg!z zVJmA@^`9hIrf4+XmFr=c%YSet)4M6n%3{CAWLN+RQ+Fa!z~j@SNV4QygEWRG9QPzs zFMpzFUSVaPyD+f&g^n|*fFrq;yG7X^v-+lLNr73^D<Oj7h`5VA3S2x>G?|~xZK1Ta)W9HYVf-*l6 zu}V&fKui@#Dq~ZXc&zY!*?sXl>CJ%tGads$8IO0oUpN$t!GEc+Y`bvy6L($6K# z)fE9gxiRT<#^ox#3u;+j@Wm-ULd7H)Qq20an!(`fO(8~&c>(x;VIN(sFl9)+CT zapK3N<~4R=oE&I;QFmL`VcLsT*+uZ{LaiQFEzih&!NP%F& z*8>Q0Eb#l-2BG0!7@H|lNAMB*$d4IeLch8B?{YKVx1~&wlEYfZ7|2$uC+z;!kQW+~ zW}~jBfw6Wq6x^JjV*%b99vxdvcD|2OoSQN4)$k~_`>r-o{EU447@7Bk+X@zm1L@ei zQOB#H06KR-$2$e8@LR!(ph3nV#u}>MN=ud?6YA6@81od|3U>WYwf{>;2>N3$Jj6%f z^~cRfeWM7OpwT`=A=Mp#{~aVXG97B@7P_rq(LrA@$Gil;K->iFK{pHm0&!{JXs6p4P&zlL>i^PQl zOFwk{6i?vWa|K` z;THDaDIS;LNe$b_TRsbFauKiT3J5~{2YvY(HjrZ4ZQE(Oz##&$ghnS zWlI1vT z;geCQ@g{T{i=v4%{zLX@>KG+%xfmiVk6U4Wa2l)rg2t*)PhRT}%uA2m}Jvv6tt9pHZdM(9{dBWk=+$VDHKhYiw zMf;bn!>=%scPOODHVbD;6+Kwfz6pqQ0C+vH+4z2i#D}!Mxl#KBA8$V+2SEG%WK~e( zIq0-MfNq292;_i<#KgTE<0F0AC(D)KwCDc??fHL>W8^x!J=BQTieub`4H0kD_LU-J zK1W-&QClO2im1dr;L@%?ZS#l;{zt?MG+#2KpM3AJt?s{}C|3RTSF}B_iM9uRM#{2o 
zo{EJssl`Oe;ZK2xK^Nk8n`!(UNdRe_xl!Z9J>GuC41mT&qCYma&p@ZK7@CNu@WvV5 zahej$Vj+gvTq0xOH0J&Vjk$j=@^<`OkZqDY^nC$D-KdH@)c>s*Uf+Xg zBKEzAAhUaaqq0a|Md*%1Bkfk`i~E;6hTG13ovS zi+1r|+Q9Qm7VZ082#U>*G1~u0ZpKB)&FFN!5Dr_Hi6CA5HtL#m&fCw#2E5SH?+#y= z#nD8Hm6=V%cG~AjVXB}PRbq7iR@7y@Evn1q7h$!B90X}m{_w)YrXng?4qUKu_`++C zj*+sHVPi*KJcvz~^fEojmzDlRdps2Fr2=)i^mfsnNTpFHTnsuNvZg)5CD<`dyjfjN zmh<*AB?Gia7$(AxX$druUOj{y9QEZn(mA=iA4_^*Wh=%s{$FDnbJK{yX!9aqFSkNw zf3z<*>S{^`L_7xS`oZYOkU^&_x@ePMiWeH)E4Q%;#c?9izEANhx-xE}E91{7u~EkF z+Xz?*Hz>__2vD+S`Vnc1iWh-)MKH-55rmwE2^%vhzlsFCobxo(E8P zPW1LOw*+{$rpEv0WoN8)JWH*MV!iR7+iP#KUb&PG%I+oesosObVASA+XMN!F$Mqk5 z#1VunLJ4skp$r@VBHa-Sdm$BaS40wSF69NMb|BWRE%t>6U?wqq;Z)9ZGwo!D~#$U&={-5fgqv(3M64zU2a2#EkaJ)<_61N+oleaSa`;N|!?}IBV^|Ol3;P;*n zSz@LwtgZ?fqrU>`9fyZ70fI2W_-7x$&{Tvh7ik4h`apR_R4OZYEeJy!VtO~a8&~L< z9yy7WZ@P$8=;(d-M~9e>v}2(AijexDN7{iOUs={&vWjDrW;#*Ju+rRs;qKc(f53 z2BBey7mtVV26O6W3Bq1+X|p>m7C=Hy4F)?$L*EZXs89+12UHf$g-6ePwRX#o(Y(2M zWhMj@qV0G*Z26+v?EYhFu(zKjk1F!eLRT()`I13{WtX9C4Zh+VV~HJsp`ETLwUB7& z0uk;>ge_l?t0!&GMz$<@0F(pZr5WP@`0|AgVVUTG_jkyzpZ(mZby(Omw%||8SJHLZ zrzmznPf6g zno>UTAR%u5%(JSoaS^IGPHp7UZf)+l``DK}A&BAyBP!TX?n5 zA*3H0q2z9Vmec!4s-Op-_WPfzMYW6%Ia!1MR-uodu>fH35xCgk|KNKth95@(ub?A+ zJ`lp`OatjGwNat8L*9O8c)+J+I-P)A1+-F-@?!xivHtuwxJEXdA9xS6vGecq|MLTE zOYSDdKidLvt#1o>590Y>ZQ=bEFW`{}6Nt7XqRZfvdy66h+oBgBM1Z*;{3j#?bSlgr z5d^=5Qn(`p#>)90zul29?Z2CKfBuHK3-J4xY?$l_M|TwrMGPE3a!g`I;Jc*Y?RQqI zkoq630W&yaQsCuZ$8jO(5dz*o|c z*JKgl&LBh( z!t*o?@fd%t4)M(#-0f{0jLk^gt?Yr<&aRGT#xCYqrVe({V+i0`XvmIec%$ zsJQ#&AAL^lM{Aq(IXVRX5i>h0`+wWzq5;skTa=Q(wxn==M+Wf7EZMD*0c`8~77d~+ zKwEcWwx+EZpsia5B+!!?`l#%H15z2u01n7Y)ISI0Dk2Q{JSg|JzX0Q}B_E6YG5I5M z(sFV#M>hLBas-^hW5fdIqS=dq0B=sFt?!Bee?PmT_1|4_7mK|JPMGP+rd`omln|p& zln?5P%zt-9H|HO%fnAYuV^`dPz><{__*cCU#7ks}yFOWMoL(GL1h-0xC)|HB%*9^7{K>~naEBZOu z)_@c4Kl>BdH=+JSnG5!(=uog{{@tG(tM0b^PJiO^B!KI?Oi$m~b5BK^%qrIY;2RCUbD$INAwuM7cE_MbDGK#gz}m75wLMT?HSYzOglWfNh0z zW57*Hn4w7t@!AL+Q~)O>`#I|~e|=H{o&_hH5CPua^WE$$jz|`0IW@lNWF0BBCsX&w 
znq>WA1$*6cN)FA^lG^GtpRZyDv2GL_F58{9aO|HktK@7zvoW_hDnSq0BS|+doz4IY z-LznE>9iEKIU0ihfyN*soDX~AFn$Pz+CsGim-`x;^c+}jSRro4P`C*O5V-=}&~jZE#XULoPs>9bi^8(&Rke-pg$i#lAv(o3Ltt0-oHOH2+s{VG{tXD zVmLQnG*|L8PUs%}8nT9lG!K>=Hi(;16mFgYh$;bYaIh!;i3W2WH%HN2iw@qUM@xLx ztj!oN`QDI=OW+!spUG3vJ})2939$6%KfzW5);r5f8Ky(TVXJGeq#n*Ia~KG80Px+B$t3 z0W;fB!h&l3?mwyZ;8_B0Bj9Em9N=u@($Z$Ljjck!ZTLHEgGVyY!scmCC{N@3NuCDJ zB0h<=Wt!IblWs|sN(7&S)cGCWz$2ZuC?c>eez~n#6D0v{>A~0C-H@JGf1)RNmZ#mn z!y9;{rTo^#YOrf-GDR}@#}oR$6A^gik*Tfe2`OM(2ET&>Jd$d5YfxMR+G01rgUgyY zP|o7~J7)pCNce7gede#{EbuHT@Mpn;&a&%I&oTs@<=-<39=YQ*-j*?X2cHlz4ZNO4 z?e$=+L&poiQK^UVGuBl^IPm#mnT-N7Cj=S?;fQizk}fAFCo3zx`79p%1b#zSPE}4t zUQSL`9(aZNb7^J7DlkXjfVp%|fk3eS^=9O+dwi^bNLUc-mdSbzG^Z?@M+@Es z!%@mnf-U1n@-rzMM-L&6Jhq0Tr&FYG9PvRMVf;Bq>A<-tx9CDR*j79j5!|GYAHw}@ zZPK^23{Lv0s5o$cebSc!oTZ+AYc7$4ZJF*O`iwkF?!ZM|N?|4kIJl>~5; z7h-7g!u%(b7w{|(fwRCYECr#3<=CbR%Pm51Y8PzJ5`ucx!k_f4EZ{81wy45`ZAq^F rj;7hbk>P_|bIBfTi-%=v#tPWhFbAv#B9I1if1&|+7B9}<8Ik`73{79+ literal 0 Hc-jL100001 diff --git a/tests/smb2-07-frames/README.md b/tests/smb2-07-frames/README.md new file mode 100644 index 000000000..f5704256d --- /dev/null +++ b/tests/smb2-07-frames/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +Pcap from the ProtectWise blog. diff --git a/tests/smb2-07/test.rules b/tests/smb2-07-frames/test.rules similarity index 100% rename from tests/smb2-07/test.rules rename to tests/smb2-07-frames/test.rules diff --git a/tests/smb2-07-frames/test.yaml b/tests/smb2-07-frames/test.yaml new file mode 100644 index 000000000..01b31be2b --- /dev/null +++ b/tests/smb2-07-frames/test.yaml 
@@ -0,0 +1,125 @@
+requires:
+ min-version: 7
+
+args:
+- --set stream.reassembly.depth=0
+- --set stream.midstream=true
+- -k none
+
+checks:
+ - filter:
+ min-version: 7
+ count: 59
+ match:
+ event_type: smb
+ - filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: smb
+ smb.access: "delete on close"
+ smb.filename: "PSEXESVC.exe"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_CREATE
+ smb.filename: "PSEXESVC.exe"
+ smb.disposition: "FILE_OVERWRITE_IF"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_CREATE
+ smb.filename: "PSEXESVC-VICTIM-PC-2412-stderr"
+ smb.disposition: "FILE_OPEN"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_CREATE
+ smb.filename: "PSEXESVC-VICTIM-PC-2412-stdout"
+ smb.disposition: "FILE_OPEN"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_CREATE
+ smb.filename: "PSEXESVC-VICTIM-PC-2412-stdin"
+ smb.disposition: "FILE_OPEN"
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_TREE_CONNECT
+ smb.named_pipe: "\\\\dc1\\IPC$"
+ - filter:
+ count: 2
+ match:
+ event_type: smb
+ smb.command: SMB2_COMMAND_TREE_CONNECT
+ smb.share: "\\\\dc1\\ADMIN$"
+ - filter:
+ count: 4
+ match:
+ event_type: flow
+ app_proto: smb
+ tcp.state: closed
+ flow.state: closed
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: smb
+ alert.signature_id: 2
+ frame.type: smb2.pdu
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: smb
+ alert.signature_id: 11
+ frame.type: smb2.data
+ - filter:
+ count: 88
+ match:
+ event_type: alert
+ app_proto: smb
+ alert.signature_id: 8
+ frame.type: smb2.hdr
+ - filter:
+ count: 88
+ match:
+ event_type: alert
+ app_proto: smb
+ alert.signature_id: 7
+ frame.type: smb2.pdu
+ - filter:
+ count: 88
+ match:
+ event_type: alert
+ app_proto: smb
+ alert.signature_id: 10
+ frame.type: smb2.data
+ - filter:
+ count: 85
+ match:
+ event_type: alert
+ app_proto: smb
+ alert.signature_id: 4
+ frame.type: smb2.hdr
+ - filter:
+ count: 85
+ match:
+ event_type: alert
+ app_proto: smb
+ alert.signature_id: 3
+ frame.type: smb2.pdu
+ - filter:
+ count: 85
+ match:
+ event_type: alert
+ app_proto: smb
+ alert.signature_id: 6
+ frame.type: smb2.data
+
diff --git a/tests/smb2-07/test.yaml b/tests/smb2-07/test.yaml
index 3444faecc..849c9dcee 100644
--- a/tests/smb2-07/test.yaml
+++ b/tests/smb2-07/test.yaml
@@ -74,60 +74,4 @@ checks: app_proto: smb tcp.state: closed flow.state: closed - - filter: - count: 1 - match: - event_type: alert - app_proto: smb - alert.signature_id: 2 - frame.type: smb2.pdu - - filter: - count: 1 - match: - event_type: alert - app_proto: smb - alert.signature_id: 11 - frame.type: smb2.data - - filter: - count: 88 - match: - event_type: alert - app_proto: smb - alert.signature_id: 8 - frame.type: smb2.hdr - - filter: - count: 88 - match: - event_type: alert - app_proto: smb - alert.signature_id: 7 - frame.type: smb2.pdu - - filter: - count: 88 - match: - event_type: alert - app_proto: smb - alert.signature_id: 10 - frame.type: smb2.data - - filter: - count: 85 - match: - event_type: alert - app_proto: smb - alert.signature_id: 4 - frame.type: smb2.hdr - - filter: - count: 85 - match: - event_type: alert - app_proto: smb - alert.signature_id: 3 - frame.type: smb2.pdu - - filter: - count: 85 - match: - event_type: alert - app_proto: smb - alert.signature_id: 6 - frame.type: smb2.data
diff --git a/tests/tls13-draft28-frames/README.md b/tests/tls13-draft28-frames/README.md
new file mode 100644
index 000000000..ede37c84d
--- /dev/null
+++ b/tests/tls13-draft28-frames/README.md
@@ -0,0 +1,8 @@
+Simple test that tests a TLS 1.3 draft 28 pcap file from Wireshark issue
+tracker [1].
+
+PCAP URL:
+ https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16519
+
+[1] "12779 - Add TLS 1.3 support"
+https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12779
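Review bot: The first two checks in tests/smb2-07-frames/test.yaml repeat `min-version: 7` inside the filter although the file-level `requires: min-version: 7` already gates the whole test, so the per-check gates look like leftovers from the copied file and can be dropped. The non-frame checks (the 59 `smb` events, the PSEXESVC file and share checks, the `flow` check) are carried over while tests/smb2-07/test.yaml only loses its frame alert checks, so they now exist in two places. A comment at the top of `checks:`, for example `# SMB/flow checks duplicated from smb2-07; the frame alert checks below are what this test adds`, would tell a maintainer which copy to update when an event count changes.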
diff --git a/tests/tls13-draft28-frames/suricata.yaml b/tests/tls13-draft28-frames/suricata.yaml
new file mode 100644
index 000000000..e50ec41b0
--- /dev/null
+++ b/tests/tls13-draft28-frames/suricata.yaml
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - frame
+ - tls:
+ extended: yes # enable this for extended logging information
+
+app-layer:
+ protocols:
+ tls:
+ enabled: yes
+ detection-ports:
+ dp: 443
+
+ # Generate JA3 fingerprint from client hello
+ ja3-fingerprints: yes
+
+ encrypt-handling: bypass
diff --git a/tests/tls13-draft28/test.rules b/tests/tls13-draft28-frames/test.rules
similarity index 100%
rename from tests/tls13-draft28/test.rules
rename to tests/tls13-draft28-frames/test.rules
diff --git a/tests/tls13-draft28-frames/test.yaml b/tests/tls13-draft28-frames/test.yaml
new file mode 100644
index 000000000..456f2dcef
--- /dev/null
+++ b/tests/tls13-draft28-frames/test.yaml
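Review bot: `encrypt-handling: bypass` in tests/tls13-draft28-frames/suricata.yaml carries no comment, yet the frame and alert counts asserted in this test's test.yaml presumably depend on how much of the encrypted session is still inspected. A one-line comment above it, for example `# frame/alert counts in test.yaml assume bypass; re-check them if this changes`, would make that coupling visible. The `- frame` entry under `types:` could likewise get `# needed for the event_type: frame check`, since it is the one output this variant depends on beyond the copied configuration.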
@@ -0,0 +1,47 @@
+requires:
+ min-version: 7
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.sni: "localhost"
+ tls.version: "TLS 1.3 draft-28"
+ tls.ja3.hash: "d00857e0c8e7a7f35e446508c6233460"
+ tls.ja3.string: "771,4866-4867-4865-4868-49196-52393-49325-49162-49195-49324-49161-49200-52392-49172-49199-49171-157-49309-53-156-49308-47-159-52394-49311-57-158-49310-51,5-10-11-13-22-23-35-51-43-65281-0-45-41,23,0"
+
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.sni: "localhost"
+ tls.version: "TLS 1.3 draft-28"
+ tls.ja3.hash: "43202faa1c8c1760d6f7f4bd9adde4ab"
+ tls.ja3.string: "771,4866-4867-4865-4868-49196-52393-49325-49162-49195-49324-49161-49200-52392-49172-49199-49171-157-49309-53-156-49308-47-159-52394-49311-57-158-49310-51,5-10-11-13-22-23-35-51-43-65281-0-45,23,0"
+
+ - filter:
+ count: 1
+ match:
+ event_type: frame
+ frame.type: "pdu"
+ frame.stream_offset: 737
+ frame.length: 37
+ frame.payload: "FwMDACBUkdn1rkU9Kp35Pqj6bpO9i0a20Tj7PKooNVCpa+3I0A=="
+
+ - filter:
+ count: 10
+ match:
+ event_type: alert
+ frame.type: "pdu"
+ frame.direction: "toclient"
+ - filter:
+ count: 7
+ match:
+ event_type: alert
+ frame.type: "pdu"
+ frame.direction: "toserver"
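Review bot: The last two checks match alerts only on `frame.type` and `frame.direction`, so they would keep passing if a different rule in test.rules happened to produce the same number of `pdu` alerts; the smb2-07-frames test in this same commit pins `alert.signature_id` in every alert check. Adding `alert.signature_id: <SID_FROM_TEST_RULES>` (placeholder, test.rules is not shown in this patch) to each of the two filters would tie the counts 10 and 7 to the rule they are meant to exercise. The two `event_type: tls` checks look carried over from the non-frame test and could be marked as such in a comment so the frame-specific assertions stand out.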
diff --git a/tests/tls13-draft28-frames/tls13_draft28.pcap b/tests/tls13-draft28-frames/tls13_draft28.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0f4bf1e0407bd7b36fe36d62059a636341f45afc GIT binary patch literal 8321 zc-pO*1yoe)_xI1t5JRU7A|OiF&@Iv((o)h55(0uCB?=M}f`Bxa5(Y*Nht{h zq(edJ`pz1-CFn|I4b6@}<)N8@Mg^~Os z7GQ#UZvy=L2$?d2WLyGRuq6L;0rcPVZ^7;8{^PF4d`ycMT&4bEjR=d~&fG8Q53_=DX!)WB_DQGNi#BF46ENaAQ z|2#N#6z<@xpF;UBdVq!wDKu|m=78V2y0z&`_)GQck(4z()pa96B&ZICj zQ+@ImD=0*DhXyE`<91=C^fBovZ_aJ$C31*Qu)7nKfSkyXo{UDq104pmf+WJUbPMDg zsWtK7H}fmz28&7nJAeZXpoTyoU*C9y*Nv76$*sV66wxmtz|7Op>}Mg-HMz>b@%|oxlOqDB=H> zeflq5BV6R9e0+D@ZT)qGMZ9>-nfGsYp@yMZgyTuegZs6urghx0hD0m48ZCn}?=NE< zi%kcGlJ`?XO=w5^CCO2I5D12Pg^3qxTih3{%IT7!>mcD65xcoPlQ?bTin@lAixaH2 zG%w#hv9hDWLWQ|go+!8IiBXyNwp%p}uM)SbYH`u=MIfzXP-2-Z%J?Q+wk7di z635ddUc5h_a4y%5QvGZaLW+o1FCgW?F6>m4PNqpa^JuDd)7utD*z=BA6Sk4!<{HH0{8J%>vAutrxE! z`%4r=EUjddeYD*kH?IxJ9JTg=&phftj?iLgF4f-lYM8fOvfqf?5j|JHqR~O(l%ugw zownmT)w52)2$qStk9`Km^^Mr(+<7UJvW@t=)YcEBrJqF}Kbha?kL+%(yB(@AC1p8~ z5OEhL>;8zzD>H*P>=>gXJWt&&Q#Whx+uv0x@yfbATPui1z- zIqmt;Es3pg)hv@z;<1I=$J zmgM_X%vc5qvd0>*GixZ5Yu+_hnK-F_;E`~})@!&N-}2$q7nFIVTVBaES;(LkMgy)s z&sYrtcf?)c73bBd6)FADfjQK>2Hbe&HDXJf*T^|uEW*uPrmn+xI>Kjdh`@yU4hg<$ zFV~H4v7{Dcc2blp(}@%PU~LZgF+YeFmfF>nGoVrHGK?TNe$79D@c+mi{7eS-KAZZK z!{+H+2!?HKOWL`1+fkQI!g1k%hip|GeXA$@MqU$Jn^y#@x%%Qq>WNq2cN2rVBAN4+ z-%7}-%X99qbn`ApI~lNnJUu9#T;NdpPfscfjJCZW1&UPlaQn}zR!dWpJU1x*tCOQB zgw>&*AnLt?XH61!0hG_YtX!?jrl`I3aLE1KtHN@HnM0ihg*P+MwfBy>71w#@KFtIS6_KEc_}hnNl}a>)x9T(izp5+ae$S!CO1n*bq^{G=j%Wx z5d{j-<(c#Hd9TEHhFC?7-^npCkfxFai2BZZSbD$HNS1x7!SvQU>T0&dtxqg=3o-e? 
zfo*HP{L8+-ww4SOemHZqB;cFk;F=u98coX}-jj zV_dMJG%rYxLA@;`l$(*faMzj7=Dq5PJFoRdhU4da<#LEYUBksR%mbwigTv2nLCR&t z>{m>X;#bF~%-Zr+*gBV~@cliQKb_?aOLnX2@sAH#u##zZTedz(+PW1b;2K#JO+1#K zxxWQZEUQMQxzrLJ8ws2rW5~^!k_Ss7l(a{IIK4~#JMG0JcN5go^d4h3)!tDV%9WKR zc@!#PngBwP69yqCW-7!=N z28q@o75sp190byr7SL85vp2j7)_8VCJnuVeYWdybEV zPB(Kqpn8{^lEE(0YlpobxE~g6^*l*e$%gVNXBI|ky6L7$K}<$4&jm> zJd9u>qcy!X|1Qq;?e(q%5klp5$1^8b?6Q-A;6{QfK+^JaTg1h339Gsh*~3V|xr2$S zgsW^@bj|`YsZWZWi`TYi7m4NR!wa|Xxv7#Ls>wYaJ(Ww9%1YpjKePc4ty-*}m*V1d z44=Qj$`sgdOMTK5q?2rFKOhm^?Ele)<Iq z&M)sDh{?!dqibz^9&9dpR2^nNNg_FM664gX4iR(B*Cu`WsY2XPuuc4M!bRke%WM6F z$kjyCJq2k*&eS+b%}R6gP4ApbsxZNIxry zRd?t7Us)_(P3CR~s(UBPy>II9GcJk5rq|*zg`N$Ht9r2Maw*DZGcT4qG!Em1lQ&mF zTemdLWK(VquGj~q)+0k`yo(B@_(HCI`T~8iOEWn2u z);I&jgsRF`%|=XJVD&q&mJ#s=WO?mWQ{kmT=wPUNQSV)fJ5keZ@>ixvUv`pEP~S5t z?%@X#th*ymGTx1zaA*+{@{Wji-yslE(89iPN$Ii51G5Y=!4#Z^5esSJCmWR23Fq-l zTn`xP@cP9ckmq!t;OD3Dzi@VP&&@5VWxgVig0M)ox-Y?&POD+oK!s*nqRtEwS1x?`H;MO#hNA> zU)ooxxyvuE_+z1cNMa*NiCee-YI+KLpMUGD6Y+9sn8TS{Fkgx(xNl5w$$URgY`YNi z%>_||T?(p%25~#}hIAzH^CerG`*>l6d-Ji${LnSPH1m^Ct%Q#b=c#2+RqoV$+(FBx zyMwkOL7l0S*>^agh2wsjlLt%&O}$eK?&(eEN|Q+JW->`2St((a5LS_(+5X=Lkg zcU@rYj{iu6*V?`ZuesE;+OP!^UVfaAd-_~^JUNaF^iUIk;=68>$K2CQ7N8J57M990 zNawpQFKW8&iq#oL)^1EfW4wBEbpL6n)N2)JtD>4JjnMMdOeX;j*qQmqWSr&P*DvZ3 z#9z~S>vr0*Zbv2Y!mL!A0bS$DF$dnowLFX+y8b ze-cQHsr$|TV;Q|WKvVn(u>oV$&Bi~bF#RTl5=DW3rL3SSf7kzL7OV*SkL;-UPf$Fk zfA6Tm$~q+TjccBq8r~*!pXk)8NzY6gdn&g!74$gNlqp$Wm`{XA*xhX()*po?qfH3L1=<;-|{ozM~i5Y>5zX$WP#)Vr^p3QhqPzg==Xy5R4Eo* zq_1w8W~c5yoBOala9Uimsk;@tqSJBU+6XZv*7lc)#vl6$^53Iu7;+jr>}^W!jHx(r0((YnO@nY!71O?3)jTxM3S53b$Zw!L?X+aQ=d7G*W7B~ane{0);EdAB`N#P!{LA@WNv|k) zgv#$SK=ON$$-o@?G4iR=UOf0cBh{?!es2MBG+p`WA9^bHexZ|~=s(C-tv^NS`$8fA zF@?GW`)5s59Fd4$YS|8wXiCFM;(y$-4JZG$Wy|<;8ex&rFScw4cY0+9QN%~zw`{}7 z(c^zKj*_1$h_;RHmu-85A`bn#W&1Y?O_{I62BN^gm+?IXtpA%7N{}Ad>?`FAnnD2q zf%!lHmT5&ZSjDYS9cmo8dZ92@ogsJ z<;j~NCKCHX#@}e!0<0iBUq!U<04k+pdaqhcUzP`1)vJ-*cA!1>pqOU3c#Oq-hfgGiAb=>t!XO5>1uEdpGh*7ZO9Mha|?MbOVU?D#vDNElO 
zeO$vE;w>vOEn;eAw4?;~Ox^W8){PF#UjTTxLmG#;G`DLflw!^&Qva=`SP96(3s z88ii`#Re2nGZjHUqJT($lR^nH1yOyaP@pO34t5YK!~7tSrDMGA*8{-|hB>`3hccC@ zP+aPpU9_viYx5bbM1}2rUpm;j|LI`o@{H+U--%RoWzF(%{xnWc)Xd4Shx4@j;DXKM zbB4;J5~O2g-uXi-?rgiwl>jeN0#RI2%UPiJt?tY>cSfvo}(`8BNltxf#ugAo9jD!rE?>lk{e+%PcZYMpE0H1 zs9CA!oXw0RdUt}gY5k9;F#RS4RkHk3|A(JNQ~s&{pISoyNIc55p?E|8iAQNP4^62C4)=UG#zhR~PDeXx1Nu+6L zVIIlE`KYUaoke8Q9UA=p%S}45iD+h!RFBP%~XcRcEclM*z zYWssed6t6miQRvEB8{euSwVkR7^9yN=YNwz39|d9F#hV3gZE82YGyas^{#r~X*T0A z|8y?5ShLXpvNv?%!ysemvl$@>x_}8+_{*huwIVo;%GNcz2ktdR_aQ7-#_zEMuLz?{ zD7l4apGtCG)RfrcXqmpRDo6d|g5d2M%=h9zna6Z5Mo8+}+v?@gslmN&l75Z| zmoT}Dsx=Xho>L!_dtaL_w9J97_J}flVk$6(b6wLg(r-?5nn=w33&cCxcx%IK=t$(i zT{tIZ4k=9Va4W*Uak6kJDt0K#{{!e5; z=6jJT