From 8bd3321f1e25f3e9707b943628b91cfca97849a7 Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Sun, 20 Oct 2024 10:59:58 +0300 Subject: [PATCH 01/23] WIP: Added third party enricher --- .../container_watcher_interface.go | 4 +++ pkg/containerwatcher/v1/callbacks/base.go | 34 +++++++++++++++++++ pkg/containerwatcher/v1/container_watcher.go | 4 +++ 3 files changed, 42 insertions(+) create mode 100644 pkg/containerwatcher/v1/callbacks/base.go diff --git a/pkg/containerwatcher/container_watcher_interface.go b/pkg/containerwatcher/container_watcher_interface.go index bc9ce8e5..5e354c93 100644 --- a/pkg/containerwatcher/container_watcher_interface.go +++ b/pkg/containerwatcher/container_watcher_interface.go @@ -36,3 +36,7 @@ type EventReceiver interface { type ContainerReceiver interface { ContainerCallback(notif containercollection.PubSubEvent) } + +type ThirdPartyEnricher interface { + Enrich(eventType utils.EventType, event utils.K8sEvent) error +} diff --git a/pkg/containerwatcher/v1/callbacks/base.go b/pkg/containerwatcher/v1/callbacks/base.go new file mode 100644 index 00000000..709e89f6 --- /dev/null +++ b/pkg/containerwatcher/v1/callbacks/base.go 
@@ -0,0 +1,34 @@ +package callbacks + +import ( + "github.com/kubescape/node-agent/pkg/applicationprofilemanager" + "github.com/kubescape/node-agent/pkg/metricsmanager" + "github.com/kubescape/node-agent/pkg/rulemanager" +) + +// EventProcessor defines the interface for processing different event types +type EventProcessor interface { + Process(event interface{}) +} + +// GenericWorkerCallback is the generic callback function for all worker pools +func GenericWorkerCallback(processor EventProcessor) func(interface{}) { + return func(i interface{}) { + processor.Process(i) + } +} + +// BaseEventProcessor provides common processing logic for all event types +type BaseEventProcessor struct { + metrics metricsmanager.MetricsManager + applicationProfileManager applicationprofilemanager.ApplicationProfileManagerClient + ruleManager rulemanager.RuleManagerClient + // Add other common dependencies here +} + +/* +func (b *BaseEventProcessor) commonProcessing(eventType utils.EventType, k8sContainerID string) { + b.metrics.ReportEvent(eventType) + b.ruleManager.ReportEvent(eventType, event) +} +*/ diff --git a/pkg/containerwatcher/v1/container_watcher.go b/pkg/containerwatcher/v1/container_watcher.go index 86c6edef..c88394ed 100644 --- a/pkg/containerwatcher/v1/container_watcher.go +++ b/pkg/containerwatcher/v1/container_watcher.go @@ -119,6 +119,8 @@ type IGContainerWatcher struct { thirdPartyTracers mapset.Set[containerwatcher.CustomTracer] // Third party container receivers thirdPartyContainerReceivers mapset.Set[containerwatcher.ContainerReceiver] + // Third party enricher + thirdPartyEnricher *containerwatcher.ThirdPartyEnricher // Worker pools capabilitiesWorkerPool *ants.PoolWithFunc 
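Review bot: The commented-out `commonProcessing` at the end of base.go would not compile if it were re-enabled, because its body passes `event` to `b.ruleManager.ReportEvent` while the parameter list only has `eventType` and `k8sContainerID`. Either drop the block from this commit or give it the parameter it uses, e.g. `func (b *BaseEventProcessor) commonProcessing(eventType utils.EventType, event utils.K8sEvent)`, which also needs the `utils` import. Until then the three `BaseEventProcessor` fields are never read. `GenericWorkerCallback` will also panic inside the worker if it is handed a nil `processor`, so a doc line such as `// processor must be non-nil.` on it would help.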
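Review bot: The new field `thirdPartyEnricher *containerwatcher.ThirdPartyEnricher` is a pointer to an interface, which Go code almost never wants: an interface value already holds a reference and can be compared with nil directly. Declare it as `thirdPartyEnricher containerwatcher.ThirdPartyEnricher`. Nothing in the visible hunks of this commit assigns the field, so it is worth confirming it is wired up before anything calls `Enrich` through it. The struct body continues outside the hunk.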
@@ -202,6 +204,7 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli if len(event.Args) > 0 { path = event.Args[0] } + metrics.ReportEvent(utils.ExecveEventType) applicationProfileManager.ReportFileExec(k8sContainerID, path, event.Args) relevancyManager.ReportFileExec(event.Runtime.ContainerID, k8sContainerID, path) @@ -347,6 +350,7 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli if event.K8s.ContainerName == "" { return } + metrics.ReportEvent(utils.SSHEventType) ruleManager.ReportEvent(utils.SSHEventType, &event) From 6b0f5614d1274e874a5910f115baf814006d6f7d Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Sun, 20 Oct 2024 11:33:17 +0300 Subject: [PATCH 02/23] WIP: Added enrich type --- pkg/utils/events.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pkg/utils/events.go b/pkg/utils/events.go index e2f1e774..8ac03769 100644 --- a/pkg/utils/events.go +++ b/pkg/utils/events.go @@ -1,10 +1,17 @@ package utils +import "github.com/inspektor-gadget/inspektor-gadget/pkg/types" + type K8sEvent interface { GetPod() string GetNamespace() string } +type EnrichEvent interface { + types.Event + GetPID() int +} + type EventType string const ( From c31b89ec342d5990026b50dd7aa18b0449575b7d Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Sun, 20 Oct 2024 11:39:48 +0300 Subject: [PATCH 03/23] WIP: Modified enricher type --- pkg/utils/events.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pkg/utils/events.go b/pkg/utils/events.go index 8ac03769..a3305108 100644 --- a/pkg/utils/events.go +++ b/pkg/utils/events.go @@ -1,14 +1,12 @@ package utils -import "github.com/inspektor-gadget/inspektor-gadget/pkg/types" - type K8sEvent interface { GetPod() string GetNamespace() string } type EnrichEvent interface { - types.Event + GetContainerID() string GetPID() int } From 636532dc9d15332a7759daba0ac68ef176edc6f6 Mon Sep 17 00:00:00 2001 
From: Afek Berger Date: Sun, 20 Oct 2024 11:45:58 +0300 Subject: [PATCH 04/23] WIP: Modified enricher type --- pkg/utils/events.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkg/utils/events.go b/pkg/utils/events.go index a3305108..029f0093 100644 --- a/pkg/utils/events.go +++ b/pkg/utils/events.go @@ -1,12 +1,14 @@ package utils +import "github.com/inspektor-gadget/inspektor-gadget/pkg/types" + type K8sEvent interface { GetPod() string GetNamespace() string } type EnrichEvent interface { - GetContainerID() string + GetBaseEvent() *types.Event GetPID() int } From 0a6acb14eb47d3179cd3a57d18d8b64b1a5be0fb Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Sun, 20 Oct 2024 13:50:58 +0300 Subject: [PATCH 05/23] Added SetExtra --- pkg/utils/events.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/utils/events.go b/pkg/utils/events.go index 029f0093..72866b88 100644 --- a/pkg/utils/events.go +++ b/pkg/utils/events.go @@ -10,6 +10,7 @@ type K8sEvent interface { type EnrichEvent interface { GetBaseEvent() *types.Event GetPID() int + SetExtra(extra interface{}) } type EventType string From 01f9b507d8b144e1d04ff7df0b479ba73c234abe Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Sun, 20 Oct 2024 17:50:32 +0300 Subject: [PATCH 06/23] WIP: Added symlink enricher --- pkg/containerwatcher/container_watcher_interface.go | 2 +- pkg/containerwatcher/v1/container_watcher.go | 7 ++++--- pkg/containerwatcher/v1/open_test.go | 2 +- pkg/ebpf/gadgets/symlink/types/types.go | 9 +++++++++ 4 files changed, 15 insertions(+), 5 deletions(-) diff --git a/pkg/containerwatcher/container_watcher_interface.go b/pkg/containerwatcher/container_watcher_interface.go index 5e354c93..3e81c265 100644 --- a/pkg/containerwatcher/container_watcher_interface.go +++ b/pkg/containerwatcher/container_watcher_interface.go 
@@ -38,5 +38,5 @@ type ContainerReceiver interface { } type ThirdPartyEnricher interface { - Enrich(eventType utils.EventType, event utils.K8sEvent) error + Enrich(event utils.EnrichEvent) } diff --git a/pkg/containerwatcher/v1/container_watcher.go b/pkg/containerwatcher/v1/container_watcher.go index c88394ed..95a313b4 100644 --- a/pkg/containerwatcher/v1/container_watcher.go +++ b/pkg/containerwatcher/v1/container_watcher.go @@ -119,8 +119,6 @@ type IGContainerWatcher struct { thirdPartyTracers mapset.Set[containerwatcher.CustomTracer] // Third party container receivers thirdPartyContainerReceivers mapset.Set[containerwatcher.ContainerReceiver] - // Third party enricher - thirdPartyEnricher *containerwatcher.ThirdPartyEnricher // Worker pools capabilitiesWorkerPool *ants.PoolWithFunc 
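Review bot: Removing the `error` result from `Enrich` means a caller can no longer tell a failed enrichment from one that had nothing to add, and a rule that later reads the extra data gets no signal that it is missing. Consider keeping the result, `Enrich(event utils.EnrichEvent) error`, and logging it at the call site instead of leaving each implementation to swallow the failure. The exported interface also has no doc comment; something like `// ThirdPartyEnricher attaches extra data to an event before it is reported to the rule manager; Enrich is called inline from the event callbacks.` would state the contract implementers have to meet.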
@@ -159,7 +157,7 @@ type IGContainerWatcher struct { var _ containerwatcher.ContainerWatcher = (*IGContainerWatcher)(nil) -func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager applicationprofilemanager.ApplicationProfileManagerClient, k8sClient *k8sinterface.KubernetesApi, relevancyManager relevancymanager.RelevancyManagerClient, networkManagerClient networkmanager.NetworkManagerClient, dnsManagerClient dnsmanager.DNSManagerClient, metrics metricsmanager.MetricsManager, ruleManager rulemanager.RuleManagerClient, malwareManager malwaremanager.MalwareManagerClient, preRunningContainers mapset.Set[string], ruleBindingPodNotify *chan rulebinding.RuleBindingNotify, runtime *containerutilsTypes.RuntimeConfig, thirdPartyEventReceivers *maps.SafeMap[utils.EventType, mapset.Set[containerwatcher.EventReceiver]]) (*IGContainerWatcher, error) { +func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager applicationprofilemanager.ApplicationProfileManagerClient, k8sClient *k8sinterface.KubernetesApi, relevancyManager relevancymanager.RelevancyManagerClient, networkManagerClient networkmanager.NetworkManagerClient, dnsManagerClient dnsmanager.DNSManagerClient, metrics metricsmanager.MetricsManager, ruleManager rulemanager.RuleManagerClient, malwareManager malwaremanager.MalwareManagerClient, preRunningContainers mapset.Set[string], ruleBindingPodNotify *chan rulebinding.RuleBindingNotify, runtime *containerutilsTypes.RuntimeConfig, thirdPartyEventReceivers *maps.SafeMap[utils.EventType, mapset.Set[containerwatcher.EventReceiver]], thirdPartyEnricher containerwatcher.ThirdPartyEnricher) (*IGContainerWatcher, error) { // Use container collection to get notified for new containers containerCollection := &containercollection.ContainerCollection{} // Create a tracer collection instance 
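Review bot: `CreateIGContainerWatcher` now takes fourteen positional parameters, and the benchmark in open_test.go already passes eleven bare `nil`s, so an argument placed one slot off among the nil-able types will compile and go unnoticed. A nil `thirdPartyEnricher` is evidently a supported value, so the function should say so in a doc comment, e.g. `// thirdPartyEnricher may be nil; events are then reported without enrichment.`, and every call through it needs a nil guard. Moving the optional collaborators into an options struct would be a reasonable follow-up. The function body continues outside the hunk.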
@@ -174,6 +172,7 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli if event.K8s.ContainerName == "" { return } + metrics.ReportEvent(utils.CapabilitiesEventType) k8sContainerID := utils.CreateK8sContainerID(event.K8s.Namespace, event.K8s.PodName, event.K8s.ContainerName) applicationProfileManager.ReportCapability(k8sContainerID, event.CapName) @@ -320,6 +319,8 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli if event.K8s.ContainerName == "" { return } + + thirdPartyEnricher.Enrich(&event) metrics.ReportEvent(utils.SymlinkEventType) ruleManager.ReportEvent(utils.SymlinkEventType, &event) diff --git a/pkg/containerwatcher/v1/open_test.go b/pkg/containerwatcher/v1/open_test.go index 7c91dd6f..7fb4e084 100644 --- a/pkg/containerwatcher/v1/open_test.go +++ b/pkg/containerwatcher/v1/open_test.go @@ -23,7 +23,7 @@ func BenchmarkIGContainerWatcher_openEventCallback(b *testing.B) { assert.NoError(b, err) mockExporter := metricsmanager.NewMetricsMock() - mainHandler, err := CreateIGContainerWatcher(cfg, nil, nil, relevancyManager, nil, nil, mockExporter, nil, nil, nil, nil, nil, nil) + mainHandler, err := CreateIGContainerWatcher(cfg, nil, nil, relevancyManager, nil, nil, mockExporter, nil, nil, nil, nil, nil, nil, nil) assert.NoError(b, err) event := &traceropentype.Event{ Event: types.Event{ diff --git a/pkg/ebpf/gadgets/symlink/types/types.go b/pkg/ebpf/gadgets/symlink/types/types.go index 3ac229e3..ec35eeb1 100644 --- a/pkg/ebpf/gadgets/symlink/types/types.go +++ b/pkg/ebpf/gadgets/symlink/types/types.go 
@@ -18,6 +18,15 @@ type Event struct { ExePath string `json:"exe_path,omitempty" column:"exe_path,template:exe_path"` OldPath string `json:"oldpath,omitempty" column:"oldpath,template:oldpath"` NewPath string `json:"newpath,omitempty" column:"newpath,template:newpath"` + extra interface{} +} + +func (event *Event) SetExtra(extra interface{}) { + event.extra = extra +} + +func (event *Event) GetPID() int { + return int(event.Pid) } func GetColumns() *columns.Columns[Event] { From 14ad5c1216e803b39cf83a9145aebebdd82f2ef2 Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Mon, 21 Oct 2024 10:43:30 +0300 Subject: [PATCH 07/23] WIP: Added enrichment for exec --- main.go | 2 +- pkg/containerwatcher/v1/container_watcher.go | 17 ++++++++++++++--- pkg/ebpf/events/exec.go | 18 ++++++++++++++++++ pkg/ebpf/gadgets/hardlink/types/types.go | 9 +++++++++ pkg/ebpf/gadgets/symlink/types/types.go | 4 ++++ pkg/ruleengine/v1/failureobj.go | 1 + pkg/ruleengine/v1/helpers.go | 8 ++++---- .../v1/r0001_unexpected_process_launched.go | 11 +++++------ .../v1/r0007_kubernetes_client_executed.go | 10 +++++----- .../v1/r1000_exec_from_malicious_source.go | 8 ++++---- .../v1/r1001_exec_binary_not_in_base_image.go | 8 ++++---- pkg/ruleengine/v1/r1004_exec_from_mount.go | 8 ++++---- pkg/ruleengine/v1/r1005_fileless_execution.go | 10 +++++----- .../v1/r1005_fileless_execution_test.go | 14 +++++++++----- ...1010_symlink_created_over_sensitive_file.go | 3 ++- pkg/ruleengine/v1/r1011_ld_preload_hook.go | 10 +++++----- 16 files changed, 94 insertions(+), 47 deletions(-) create mode 100644 pkg/ebpf/events/exec.go diff --git a/main.go b/main.go index f34c487a..a26edb0a 100644 --- a/main.go +++ b/main.go 
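Review bot: The new `extra interface{}` field is unexported and untagged, so unlike the neighbouring fields it is skipped by `encoding/json`, and whatever the enricher stored is lost as soon as the event is serialized. If the enrichment is meant to reach alerts or exporters, give it an exported, tagged field; otherwise document the limit, e.g. `// extra holds enricher-supplied data; it is not serialized with the event.` The same applies to the `extra` fields added later in this series in hardlink/types/types.go, ebpf/events/exec.go and `GenericRuleFailure` in failureobj.go. `SetExtra` and `GetPID` are exported and would also benefit from one-line doc comments.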
@@ -269,7 +269,7 @@ func main() { } // Create the container handler - mainHandler, err := containerwatcher.CreateIGContainerWatcher(cfg, applicationProfileManager, k8sClient, relevancyManager, networkManagerClient, dnsManagerClient, prometheusExporter, ruleManager, malwareManager, preRunningContainersIDs, &ruleBindingNotify, containerRuntime, nil) + mainHandler, err := containerwatcher.CreateIGContainerWatcher(cfg, applicationProfileManager, k8sClient, relevancyManager, networkManagerClient, dnsManagerClient, prometheusExporter, ruleManager, malwareManager, preRunningContainersIDs, &ruleBindingNotify, containerRuntime, nil, nil) if err != nil { logger.L().Ctx(ctx).Fatal("error creating the container watcher", helpers.Error(err)) } diff --git a/pkg/containerwatcher/v1/container_watcher.go b/pkg/containerwatcher/v1/container_watcher.go index 95a313b4..e91a4a25 100644 --- a/pkg/containerwatcher/v1/container_watcher.go +++ b/pkg/containerwatcher/v1/container_watcher.go @@ -30,6 +30,7 @@ import ( "github.com/kubescape/node-agent/pkg/config" "github.com/kubescape/node-agent/pkg/containerwatcher" "github.com/kubescape/node-agent/pkg/dnsmanager" + events "github.com/kubescape/node-agent/pkg/ebpf/events" tracerhardlink "github.com/kubescape/node-agent/pkg/ebpf/gadgets/hardlink/tracer" tracerhardlinktype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/hardlink/types" tracerhttp "github.com/kubescape/node-agent/pkg/ebpf/gadgets/http/tracer" @@ -42,7 +43,6 @@ import ( tracersshtype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/ssh/types" tracersymlink "github.com/kubescape/node-agent/pkg/ebpf/gadgets/symlink/tracer" tracersymlinktype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/symlink/types" - "github.com/kubescape/node-agent/pkg/malwaremanager" "github.com/kubescape/node-agent/pkg/metricsmanager" "github.com/kubescape/node-agent/pkg/networkmanager" 
@@ -204,10 +204,19 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli path = event.Args[0] } + execEvent := &events.ExecEvent{Event: event} + + if thirdPartyEnricher != nil { + thirdPartyEnricher.Enrich(execEvent) + ruleManager.ReportEvent(utils.ExecveEventType, execEvent) + } else { + ruleManager.ReportEvent(utils.ExecveEventType, execEvent) + } + metrics.ReportEvent(utils.ExecveEventType) applicationProfileManager.ReportFileExec(k8sContainerID, path, event.Args) relevancyManager.ReportFileExec(event.Runtime.ContainerID, k8sContainerID, path) - ruleManager.ReportEvent(utils.ExecveEventType, &event) + malwareManager.ReportEvent(utils.ExecveEventType, &event) // Report exec events to event receivers @@ -320,7 +329,9 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli return } - thirdPartyEnricher.Enrich(&event) + if thirdPartyEnricher != nil { + thirdPartyEnricher.Enrich(&event) + } metrics.ReportEvent(utils.SymlinkEventType) ruleManager.ReportEvent(utils.SymlinkEventType, &event) diff --git a/pkg/ebpf/events/exec.go b/pkg/ebpf/events/exec.go new file mode 100644 index 00000000..73f4fa29 --- /dev/null +++ b/pkg/ebpf/events/exec.go @@ -0,0 +1,18 @@ +package events + +import ( + tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" +) + +type ExecEvent struct { + tracerexectype.Event + extra interface{} +} + +func (event *ExecEvent) SetExtra(extra interface{}) { + event.extra = extra +} + +func (event *ExecEvent) GetPID() int { + return int(event.Pid) +} diff --git a/pkg/ebpf/gadgets/hardlink/types/types.go b/pkg/ebpf/gadgets/hardlink/types/types.go index 5a633db8..0d43e6fd 100644 --- a/pkg/ebpf/gadgets/hardlink/types/types.go +++ b/pkg/ebpf/gadgets/hardlink/types/types.go 
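Review bot: Both arms of the new `if thirdPartyEnricher != nil { … } else { … }` end in the same `ruleManager.ReportEvent(utils.ExecveEventType, execEvent)` call, so the `else` is redundant. Guard only the enrichment, `if thirdPartyEnricher != nil { thirdPartyEnricher.Enrich(execEvent) }`, and follow it with a single `ruleManager.ReportEvent(utils.ExecveEventType, execEvent)`. `Enrich` also runs inline ahead of rule evaluation, so a slow or panicking enricher delays or stops exec detection. `malwareManager.ReportEvent` still receives the unwrapped `&event`; a comment saying whether that is intended would help. The callback body continues outside the hunk.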
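Review bot: `ExecEvent` stores enricher data through `SetExtra` but offers no way to read it back: `extra` is unexported and there is no getter, so code outside package `events`, such as the rule engine, cannot use what the enricher attached. The symlink type gains `GetExtra` in this same commit; add the matching `func (event *ExecEvent) GetExtra() interface{} { return event.extra }` here and on the hardlink `Event` in hardlink/types/types.go, which has the same gap. Consider adding `GetExtra() interface{}` to `utils.EnrichEvent` as well, so readers do not need the concrete type. The exported type and methods have no doc comments; `// ExecEvent wraps the exec tracer event with data attached by a ThirdPartyEnricher.` would do for the type.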
@@ -18,6 +18,7 @@ type Event struct { ExePath string `json:"exe_path,omitempty" column:"exe_path,template:exe_path"` OldPath string `json:"oldpath,omitempty" column:"oldpath,template:oldpath"` NewPath string `json:"newpath,omitempty" column:"newpath,template:newpath"` + extra interface{} } func GetColumns() *columns.Columns[Event] { @@ -31,3 +32,11 @@ func Base(ev eventtypes.Event) *Event { Event: ev, } } + +func (event *Event) SetExtra(extra interface{}) { + event.extra = extra +} + +func (event *Event) GetPID() int { + return int(event.Pid) +} diff --git a/pkg/ebpf/gadgets/symlink/types/types.go b/pkg/ebpf/gadgets/symlink/types/types.go index ec35eeb1..510b3c82 100644 --- a/pkg/ebpf/gadgets/symlink/types/types.go +++ b/pkg/ebpf/gadgets/symlink/types/types.go @@ -25,6 +25,10 @@ func (event *Event) SetExtra(extra interface{}) { event.extra = extra } +func (event *Event) GetExtra() interface{} { + return event.extra +} + func (event *Event) GetPID() int { return int(event.Pid) } diff --git a/pkg/ruleengine/v1/failureobj.go b/pkg/ruleengine/v1/failureobj.go index e8f491b4..10fd1bf5 100644 --- a/pkg/ruleengine/v1/failureobj.go +++ b/pkg/ruleengine/v1/failureobj.go @@ -17,6 +17,7 @@ type GenericRuleFailure struct { RuleAlert apitypes.RuleAlert RuntimeAlertK8sDetails apitypes.RuntimeAlertK8sDetails RuleID string + extra interface{} } func (rule *GenericRuleFailure) GetBaseRuntimeAlert() apitypes.BaseRuntimeAlert { diff --git a/pkg/ruleengine/v1/helpers.go b/pkg/ruleengine/v1/helpers.go index 3a8b0024..d481d6d7 100644 --- a/pkg/ruleengine/v1/helpers.go +++ b/pkg/ruleengine/v1/helpers.go @@ -7,9 +7,9 @@ import ( "slices" "strings" + events "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) 
@@ -28,14 +28,14 @@ var ( ProfileNotFound = errors.New("application profile not found") ) -func getExecPathFromEvent(event *tracerexectype.Event) string { +func getExecPathFromEvent(event *events.ExecEvent) string { if len(event.Args) > 0 { return event.Args[0] } return event.Comm } -func getExecFullPathFromEvent(event *tracerexectype.Event) string { +func getExecFullPathFromEvent(event *events.ExecEvent) string { execPath := getExecPathFromEvent(event) if strings.HasPrefix(execPath, "./") || strings.HasPrefix(execPath, "../") { execPath = filepath.Join(event.Cwd, execPath) @@ -117,7 +117,7 @@ func getContainerMountPaths(namespace, podName, containerName string, k8sObjCach return mountPaths, nil } -func isExecEventInProfile(execEvent *tracerexectype.Event, objectCache objectcache.ObjectCache, compareArgs bool) (bool, error) { +func isExecEventInProfile(execEvent *events.ExecEvent, objectCache objectcache.ObjectCache, compareArgs bool) (bool, error) { // Check if the exec is whitelisted, if so, return nil execPath := getExecPathFromEvent(execEvent) diff --git a/pkg/ruleengine/v1/r0001_unexpected_process_launched.go b/pkg/ruleengine/v1/r0001_unexpected_process_launched.go index 44afacde..a107d64c 100644 --- a/pkg/ruleengine/v1/r0001_unexpected_process_launched.go +++ b/pkg/ruleengine/v1/r0001_unexpected_process_launched.go @@ -5,12 +5,11 @@ import ( "slices" "strings" + events "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" "github.com/kubescape/node-agent/pkg/ruleengine" "github.com/kubescape/node-agent/pkg/utils" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" - "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" apitypes "github.com/armosec/armoapi-go/armotypes" 
@@ -60,7 +59,7 @@ func CreateRuleR0001UnexpectedProcessLaunched() *R0001UnexpectedProcessLaunched return &R0001UnexpectedProcessLaunched{enforceArgs: false} } -func (rule *R0001UnexpectedProcessLaunched) generatePatchCommand(event *tracerexectype.Event, ap *v1beta1.ApplicationProfile) string { +func (rule *R0001UnexpectedProcessLaunched) generatePatchCommand(event *events.ExecEvent, ap *v1beta1.ApplicationProfile) string { argList := "[" for _, arg := range event.Args { argList += "\"" + arg + "\"," @@ -80,7 +79,7 @@ func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventTy return nil } - execEvent, ok := event.(*tracerexectype.Event) + execEvent, ok := event.(*events.ExecEvent) if !ok { return nil } @@ -134,11 +133,11 @@ func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventTy Cwd: execEvent.Cwd, Hardlink: execEvent.ExePath, Path: getExecFullPathFromEvent(execEvent), - Cmdline: fmt.Sprintf("%s %s", execPath, strings.Join(utils.GetExecArgsFromEvent(execEvent), " ")), + Cmdline: fmt.Sprintf("%s %s", execPath, strings.Join(utils.GetExecArgsFromEvent(&execEvent.Event), " ")), }, ContainerID: execEvent.Runtime.ContainerID, }, - TriggerEvent: execEvent.Event, + TriggerEvent: execEvent.Event.Event, RuleAlert: apitypes.RuleAlert{ RuleDescription: fmt.Sprintf("Unexpected process launched: %s in: %s", execPath, execEvent.GetContainer()), }, diff --git a/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go b/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go index ef6626ca..66501b51 100644 --- a/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go +++ b/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go 
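Review bot: `generatePatchCommand` builds `argList` by wrapping each `event.Args` entry in `"\""` without escaping, and those arguments come from a process inside the monitored container. An argument containing a double quote or backslash would corrupt the generated list, and if the result ends up in a command that an operator pastes into a shell it could change what that command does. The rest of the function is outside the hunk, so how `argList` is used should be checked. Encoding the slice instead, e.g. with `json.Marshal(event.Args)`, removes the hand-built quoting.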
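Review bot: After the switch to `event.(*events.ExecEvent)`, a failed assertion still returns `nil` with no trace, so any producer or test that keeps sending `*tracerexectype.Event` for `ExecveEventType` makes this rule silently stop firing instead of failing visibly. Log the mismatch in the `!ok` branch, for example `logger.L().Warning("unexpected exec event type", helpers.String("ruleID", rule.ID()))`, so a wiring mistake shows up as a log line and not as missing alerts. The same pattern appears in the `ProcessEvent` hunks of r0007, r1000, r1001 and r1004. `ProcessEvent` starts and ends outside the hunk.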
@@ -6,12 +6,12 @@ import ( "slices" "strings" + events "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" "github.com/kubescape/node-agent/pkg/ruleengine" "github.com/kubescape/node-agent/pkg/utils" apitypes "github.com/armosec/armoapi-go/armotypes" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" tracernetworktype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/network/types" "github.com/kubescape/go-logger" @@ -130,7 +130,7 @@ func (rule *R0007KubernetesClientExecuted) handleNetworkEvent(event *tracernetwo return &ruleFailure } -func (rule *R0007KubernetesClientExecuted) handleExecEvent(event *tracerexectype.Event, ap *v1beta1.ApplicationProfile) *GenericRuleFailure { +func (rule *R0007KubernetesClientExecuted) handleExecEvent(event *events.ExecEvent, ap *v1beta1.ApplicationProfile) *GenericRuleFailure { whitelistedExecs, err := getContainerFromApplicationProfile(ap, event.GetContainer()) if err != nil { logger.L().Error("Failed to get container from application profile", helpers.String("ruleID", rule.ID()), helpers.String("error", err.Error())) @@ -171,11 +171,11 @@ func (rule *R0007KubernetesClientExecuted) handleExecEvent(event *tracerexectype Cwd: event.Cwd, Hardlink: event.ExePath, Path: execPath, - Cmdline: fmt.Sprintf("%s %s", execPath, strings.Join(utils.GetExecArgsFromEvent(event), " ")), + Cmdline: fmt.Sprintf("%s %s", execPath, strings.Join(utils.GetExecArgsFromEvent(&event.Event), " ")), }, ContainerID: event.Runtime.ContainerID, }, - TriggerEvent: event.Event, + TriggerEvent: event.Event.Event, RuleAlert: apitypes.RuleAlert{ RuleDescription: fmt.Sprintf("Kubernetes client %s was executed in: %s", execPath, event.GetContainer()), }, 
@@ -198,7 +198,7 @@ func (rule *R0007KubernetesClientExecuted) ProcessEvent(eventType utils.EventTyp } if eventType == utils.ExecveEventType { - execEvent, ok := event.(*tracerexectype.Event) + execEvent, ok := event.(*events.ExecEvent) if !ok { return nil } diff --git a/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go b/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go index 2be1abf2..b30deb16 100644 --- a/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go +++ b/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go @@ -5,12 +5,12 @@ import ( "path/filepath" "strings" + "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" "github.com/kubescape/node-agent/pkg/ruleengine" "github.com/kubescape/node-agent/pkg/utils" apitypes "github.com/armosec/armoapi-go/armotypes" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" ) const ( @@ -54,7 +54,7 @@ func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType return nil } - execEvent, ok := event.(*tracerexectype.Event) + execEvent, ok := event.(*events.ExecEvent) if !ok { return nil } @@ -93,11 +93,11 @@ func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType Cwd: execEvent.Cwd, Hardlink: execEvent.ExePath, Path: execPath, - Cmdline: fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(execEvent), " ")), + Cmdline: fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(&execEvent.Event), " ")), }, ContainerID: execEvent.Runtime.ContainerID, }, - TriggerEvent: execEvent.Event, + TriggerEvent: execEvent.Event.Event, RuleAlert: apitypes.RuleAlert{ RuleDescription: fmt.Sprintf("Execution from malicious source: %s in: %s", execPathDir, execEvent.GetContainer()), }, 
diff --git a/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go b/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go index f9236509..43318012 100644 --- a/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go +++ b/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go @@ -5,12 +5,12 @@ import ( "fmt" "strings" + "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" "github.com/kubescape/node-agent/pkg/ruleengine" "github.com/kubescape/node-agent/pkg/utils" apitypes "github.com/armosec/armoapi-go/armotypes" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" ) const ( @@ -57,7 +57,7 @@ func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType utils.EventTyp return nil } - execEvent, ok := event.(*tracerexectype.Event) + execEvent, ok := event.(*events.ExecEvent) if !ok { return nil } @@ -88,11 +88,11 @@ func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType utils.EventTyp Cwd: execEvent.Cwd, Hardlink: execEvent.ExePath, Path: getExecFullPathFromEvent(execEvent), - Cmdline: fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(execEvent), " ")), + Cmdline: fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(&execEvent.Event), " ")), }, ContainerID: execEvent.Runtime.ContainerID, }, - TriggerEvent: execEvent.Event, + TriggerEvent: execEvent.Event.Event, RuleAlert: apitypes.RuleAlert{ RuleDescription: fmt.Sprintf("Process (%s) was executed in: %s and is not part of the image", execEvent.Comm, execEvent.GetContainer()), }, diff --git a/pkg/ruleengine/v1/r1004_exec_from_mount.go b/pkg/ruleengine/v1/r1004_exec_from_mount.go index e266a874..2900be91 100644 --- a/pkg/ruleengine/v1/r1004_exec_from_mount.go +++ b/pkg/ruleengine/v1/r1004_exec_from_mount.go 
@@ -5,12 +5,12 @@ import ( "fmt" "strings" + "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" "github.com/kubescape/node-agent/pkg/ruleengine" "github.com/kubescape/node-agent/pkg/utils" apitypes "github.com/armosec/armoapi-go/armotypes" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" ) const ( @@ -55,7 +55,7 @@ func (rule *R1004ExecFromMount) ProcessEvent(eventType utils.EventType, event ut return nil } - execEvent, ok := event.(*tracerexectype.Event) + execEvent, ok := event.(*events.ExecEvent) if !ok { return nil } @@ -98,11 +98,11 @@ func (rule *R1004ExecFromMount) ProcessEvent(eventType utils.EventType, event ut Cwd: execEvent.Cwd, Hardlink: execEvent.ExePath, Path: fullPath, - Cmdline: fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(execEvent), " ")), + Cmdline: fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(&execEvent.Event), " ")), }, ContainerID: execEvent.Runtime.ContainerID, }, - TriggerEvent: execEvent.Event, + TriggerEvent: execEvent.Event.Event, RuleAlert: apitypes.RuleAlert{ RuleDescription: fmt.Sprintf("Process (%s) was executed from a mounted path (%s) in: %s", fullPath, mount, execEvent.GetContainer()), }, diff --git a/pkg/ruleengine/v1/r1005_fileless_execution.go b/pkg/ruleengine/v1/r1005_fileless_execution.go index d1645caa..132e62d7 100644 --- a/pkg/ruleengine/v1/r1005_fileless_execution.go +++ b/pkg/ruleengine/v1/r1005_fileless_execution.go @@ -5,12 +5,12 @@ import ( "path/filepath" "strings" + events "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" "github.com/kubescape/node-agent/pkg/ruleengine" "github.com/kubescape/node-agent/pkg/utils" apitypes "github.com/armosec/armoapi-go/armotypes" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" ) const ( 
@@ -56,13 +56,13 @@ func (rule *R1005FilelessExecution) DeleteRule() { func (rule *R1005FilelessExecution) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, _ objectcache.ObjectCache) ruleengine.RuleFailure { if eventType == utils.ExecveEventType { - return rule.handleExecveEvent(event.(*tracerexectype.Event)) + return rule.handleExecveEvent(event.(*events.ExecEvent)) } return nil } -func (rule *R1005FilelessExecution) handleExecveEvent(execEvent *tracerexectype.Event) ruleengine.RuleFailure { +func (rule *R1005FilelessExecution) handleExecveEvent(execEvent *events.ExecEvent) ruleengine.RuleFailure { execFullPath := getExecFullPathFromEvent(execEvent) execPathDir := filepath.Dir(execFullPath) @@ -95,11 +95,11 @@ func (rule *R1005FilelessExecution) handleExecveEvent(execEvent *tracerexectype. Cwd: execEvent.Cwd, Hardlink: execEvent.ExePath, Path: execFullPath, - Cmdline: fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(execEvent), " ")), + Cmdline: fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(&execEvent.Event), " ")), }, ContainerID: execEvent.Runtime.ContainerID, }, - TriggerEvent: execEvent.Event, + TriggerEvent: execEvent.Event.Event, RuleAlert: apitypes.RuleAlert{ RuleDescription: fmt.Sprintf("Fileless execution detected: exec call \"%s\" is from a malicious source \"%s\"", execPathDir, "/proc/self/fd"), }, diff --git a/pkg/ruleengine/v1/r1005_fileless_execution_test.go b/pkg/ruleengine/v1/r1005_fileless_execution_test.go index 8908972f..504b5da5 100644 --- a/pkg/ruleengine/v1/r1005_fileless_execution_test.go +++ b/pkg/ruleengine/v1/r1005_fileless_execution_test.go @@ -4,6 +4,7 @@ import ( "testing" tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" + events "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/stretchr/testify/assert" ) 
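Review bot: `rule.handleExecveEvent(event.(*events.ExecEvent))` is an unchecked type assertion, so an `ExecveEventType` event of any other concrete type panics in `ProcessEvent` instead of being skipped. That includes the `*tracerexectype.Event` this rule accepted before the change. Use the comma-ok form the other rules in this commit use: `execEvent, ok := event.(*events.ExecEvent)`, then `if !ok { return nil }`, then `return rule.handleExecveEvent(execEvent)`.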
@@ -21,8 +22,8 @@ func TestHandleExecveEvent(t *testing.T) { Pid: 123, Uid: 123, } - - result := rule.handleExecveEvent(event) + execEvent := events.ExecEvent{Event: *event} + result := rule.handleExecveEvent(&execEvent) assert.NotNil(t, result) }) @@ -38,7 +39,8 @@ func TestHandleExecveEvent(t *testing.T) { Uid: 123, } - result := rule.handleExecveEvent(event) + execEvent := events.ExecEvent{Event: *event} + result := rule.handleExecveEvent(&execEvent) assert.Nil(t, result) }) @@ -54,7 +56,8 @@ func TestHandleExecveEvent(t *testing.T) { Uid: 123, } - result := rule.handleExecveEvent(event) + execEvent := events.ExecEvent{Event: *event} + result := rule.handleExecveEvent(&execEvent) assert.Nil(t, result) }) @@ -70,7 +73,8 @@ func TestHandleExecveEvent(t *testing.T) { Uid: 123, } - result := rule.handleExecveEvent(event) + execEvent := events.ExecEvent{Event: *event} + result := rule.handleExecveEvent(&execEvent) assert.Nil(t, result) }) } diff --git a/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go b/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go index 8a4b97d3..15824227 100644 --- a/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go +++ b/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go @@ -93,7 +93,7 @@ func (rule *R1010SymlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.E } else if allowed { return nil } - + fmt.Println("GetExtra", symlinkEvent.GetExtra()) for _, path := range rule.additionalPaths { if strings.HasPrefix(symlinkEvent.OldPath, path) { return &GenericRuleFailure{ @@ -129,6 +129,7 @@ func (rule *R1010SymlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.E PodLabels: symlinkEvent.K8s.PodLabels, }, RuleID: rule.ID(), + extra: symlinkEvent.GetExtra(), } } } diff --git a/pkg/ruleengine/v1/r1011_ld_preload_hook.go b/pkg/ruleengine/v1/r1011_ld_preload_hook.go index 30041aac..67964ba5 100644 --- a/pkg/ruleengine/v1/r1011_ld_preload_hook.go 
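Review bot: The added `fmt.Println("GetExtra", symlinkEvent.GetExtra())` in `R1010SymlinkCreatedOverSensitiveFile.ProcessEvent` is a debug print that runs for every symlink event that gets past the allow-list check. It writes whatever the third-party enricher attached straight to stdout, outside the structured logger and its level control, so enrichment data lands in the container log unfiltered. I would delete the line before merge, or route it through the project logger at debug level if the value is really needed. The same print appears in the later `symlinkEventCallback` hunk in `pkg/containerwatcher/v1/symlink.go`. The body of `ProcessEvent` continues outside this hunk.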
+++ b/pkg/ruleengine/v1/r1011_ld_preload_hook.go @@ -5,12 +5,12 @@ import ( "os" "strings" + events "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" "github.com/kubescape/node-agent/pkg/ruleengine" "github.com/kubescape/node-agent/pkg/utils" apitypes "github.com/armosec/armoapi-go/armotypes" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" "github.com/kubescape/go-logger" "github.com/kubescape/go-logger/helpers" @@ -62,7 +62,7 @@ func (rule *R1011LdPreloadHook) ID() string { func (rule *R1011LdPreloadHook) DeleteRule() { } -func (rule *R1011LdPreloadHook) handleExecEvent(execEvent *tracerexectype.Event, k8sObjCache objectcache.K8sObjectCache) ruleengine.RuleFailure { +func (rule *R1011LdPreloadHook) handleExecEvent(execEvent *events.ExecEvent, k8sObjCache objectcache.K8sObjectCache) ruleengine.RuleFailure { // Java is a special case, we don't want to alert on it because it uses LD_LIBRARY_PATH. if execEvent.Comm == JAVA_COMM { return nil @@ -128,11 +128,11 @@ func (rule *R1011LdPreloadHook) handleExecEvent(execEvent *tracerexectype.Event, Cwd: execEvent.Cwd, Hardlink: execEvent.ExePath, Path: getExecFullPathFromEvent(execEvent), - Cmdline: fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(execEvent), " ")), + Cmdline: fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(&execEvent.Event), " ")), }, ContainerID: execEvent.Runtime.ContainerID, }, - TriggerEvent: execEvent.Event, + TriggerEvent: execEvent.Event.Event, RuleAlert: apitypes.RuleAlert{ RuleDescription: fmt.Sprintf("Process (%s) was executed in: %s and is using the environment variable %s", execEvent.Comm, execEvent.GetContainer(), fmt.Sprintf("%s=%s", ldHookVar, envVars[ldHookVar])), }, 
@@ -194,7 +194,7 @@ func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event ut } if eventType == utils.ExecveEventType { - execEvent, ok := event.(*tracerexectype.Event) + execEvent, ok := event.(*events.ExecEvent) if !ok { return nil } From fea007d59a63c35463ef96189c0e4da21e23641c Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Mon, 21 Oct 2024 14:22:24 +0300 Subject: [PATCH 08/23] WIP: Added log --- pkg/containerwatcher/v1/container_watcher.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/containerwatcher/v1/container_watcher.go b/pkg/containerwatcher/v1/container_watcher.go index e91a4a25..53380e7f 100644 --- a/pkg/containerwatcher/v1/container_watcher.go +++ b/pkg/containerwatcher/v1/container_watcher.go @@ -206,7 +206,7 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli execEvent := &events.ExecEvent{Event: event} - if thirdPartyEnricher != nil { + if thirdPartyEnricher != nil { thirdPartyEnricher.Enrich(execEvent) ruleManager.ReportEvent(utils.ExecveEventType, execEvent) } else { @@ -330,6 +330,7 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli } if thirdPartyEnricher != nil { + fmt.Println("Enriching symlink event") thirdPartyEnricher.Enrich(&event) } metrics.ReportEvent(utils.SymlinkEventType) From b66059ab408b89ff04a9b9522658c9f185751766 Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Mon, 21 Oct 2024 15:33:41 +0300 Subject: [PATCH 09/23] WIP: Added enrich for exec and symlink --- pkg/containerwatcher/v1/container_watcher.go | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pkg/containerwatcher/v1/container_watcher.go b/pkg/containerwatcher/v1/container_watcher.go index 53380e7f..d20422c7 100644 --- a/pkg/containerwatcher/v1/container_watcher.go +++ b/pkg/containerwatcher/v1/container_watcher.go 
@@ -206,7 +206,7 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli execEvent := &events.ExecEvent{Event: event} - if thirdPartyEnricher != nil { + if thirdPartyEnricher != nil { thirdPartyEnricher.Enrich(execEvent) ruleManager.ReportEvent(utils.ExecveEventType, execEvent) } else { @@ -330,12 +330,11 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli } if thirdPartyEnricher != nil { - fmt.Println("Enriching symlink event") thirdPartyEnricher.Enrich(&event) } + metrics.ReportEvent(utils.SymlinkEventType) ruleManager.ReportEvent(utils.SymlinkEventType, &event) - // Report symlink events to event receivers reportEventToThirdPartyTracers(utils.SymlinkEventType, &event, thirdPartyEventReceivers) }) From 3d610d12a4774818179c63ece54b2c712472cc50 Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Mon, 21 Oct 2024 16:13:02 +0300 Subject: [PATCH 10/23] WIP: Added more enrichment types --- pkg/containerwatcher/v1/container_watcher.go | 13 +++++++++++ pkg/ebpf/events/exec.go | 4 ++++ pkg/ebpf/events/open.go | 22 +++++++++++++++++++ pkg/ebpf/gadgets/hardlink/types/types.go | 4 ++++ .../v1/r0001_unexpected_process_launched.go | 1 + .../v1/r0007_kubernetes_client_executed.go | 1 + .../v1/r1000_exec_from_malicious_source.go | 1 + .../v1/r1001_exec_binary_not_in_base_image.go | 1 + pkg/ruleengine/v1/r1004_exec_from_mount.go | 1 + pkg/ruleengine/v1/r1011_ld_preload_hook.go | 1 + ...12_hardlink_created_over_sensitive_file.go | 1 + 11 files changed, 50 insertions(+) create mode 100644 pkg/ebpf/events/open.go diff --git a/pkg/containerwatcher/v1/container_watcher.go b/pkg/containerwatcher/v1/container_watcher.go index d20422c7..26dee926 100644 --- a/pkg/containerwatcher/v1/container_watcher.go +++ b/pkg/containerwatcher/v1/container_watcher.go 
@@ -244,6 +244,15 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli path = event.FullPath } + openEvent := &events.OpenEvent{Event: event} + + if thirdPartyEnricher != nil { + thirdPartyEnricher.Enrich(openEvent) + ruleManager.ReportEvent(utils.ExecveEventType, openEvent) + } else { + ruleManager.ReportEvent(utils.ExecveEventType, openEvent) + } + metrics.ReportEvent(utils.OpenEventType) applicationProfileManager.ReportFileOpen(k8sContainerID, path, event.Flags) relevancyManager.ReportFileOpen(event.Runtime.ContainerID, k8sContainerID, path) @@ -350,6 +359,10 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli metrics.ReportEvent(utils.HardlinkEventType) ruleManager.ReportEvent(utils.HardlinkEventType, &event) + if thirdPartyEnricher != nil { + thirdPartyEnricher.Enrich(&event) + } + // Report hardlink events to event receivers reportEventToThirdPartyTracers(utils.HardlinkEventType, &event, thirdPartyEventReceivers) }) diff --git a/pkg/ebpf/events/exec.go b/pkg/ebpf/events/exec.go index 73f4fa29..5ee924df 100644 --- a/pkg/ebpf/events/exec.go +++ b/pkg/ebpf/events/exec.go @@ -13,6 +13,10 @@ func (event *ExecEvent) SetExtra(extra interface{}) { event.extra = extra } +func (event *ExecEvent) GetExtra() interface{} { + return event.extra +} + func (event *ExecEvent) GetPID() int { return int(event.Pid) } diff --git a/pkg/ebpf/events/open.go b/pkg/ebpf/events/open.go new file mode 100644 index 00000000..012061a1 --- /dev/null +++ b/pkg/ebpf/events/open.go @@ -0,0 +1,22 @@ +package events + +import ( + traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" +) + +type OpenEvent struct { + traceropentype.Event + extra interface{} +} + +func (event *OpenEvent) SetExtra(extra interface{}) { + event.extra = extra +} + +func (event *OpenEvent) GetPID() int { + return int(event.Pid) +} + +func (event *OpenEvent) GetExtra() interface{} { + return event.extra +} 
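Review bot: In the open worker the new block reports the open event under the wrong type, `ruleManager.ReportEvent(utils.ExecveEventType, openEvent)`, and both branches of the `if`/`else` are identical. Rules that handle exec events would then receive a `*events.OpenEvent`; those with a comma-ok assertion drop it silently, and one with an unchecked `event.(*events.ExecEvent)` (R1005 earlier in this series) would presumably panic. The block should be `if thirdPartyEnricher != nil { thirdPartyEnricher.Enrich(openEvent) }` followed by a single `ruleManager.ReportEvent(utils.OpenEventType, openEvent)`. Patch 11 in this series reworks these lines, but this commit on its own misroutes every open event. The worker closure starts and ends outside the hunk.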
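Review bot: In the hardlink worker `thirdPartyEnricher.Enrich(&event)` is added after `ruleManager.ReportEvent(utils.HardlinkEventType, &event)`, so the enrichment arrives too late for the rules. If `ReportEvent` evaluates rules before returning, the `extra: hardlinkEvent.GetExtra()` that this same patch adds to R1012 is always empty. If it queues the event instead, the enricher mutates the event while a rule may be reading it. Moving the `if thirdPartyEnricher != nil { ... }` block above `metrics.ReportEvent(utils.HardlinkEventType)`, as the symlink worker does, fixes both cases.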
diff --git a/pkg/ebpf/gadgets/hardlink/types/types.go b/pkg/ebpf/gadgets/hardlink/types/types.go index 0d43e6fd..008e5f1d 100644 --- a/pkg/ebpf/gadgets/hardlink/types/types.go +++ b/pkg/ebpf/gadgets/hardlink/types/types.go @@ -37,6 +37,10 @@ func (event *Event) SetExtra(extra interface{}) { event.extra = extra } +func (event *Event) GetExtra() interface{} { + return event.extra +} + func (event *Event) GetPID() int { return int(event.Pid) } diff --git a/pkg/ruleengine/v1/r0001_unexpected_process_launched.go b/pkg/ruleengine/v1/r0001_unexpected_process_launched.go index a107d64c..e8825ca8 100644 --- a/pkg/ruleengine/v1/r0001_unexpected_process_launched.go +++ b/pkg/ruleengine/v1/r0001_unexpected_process_launched.go @@ -146,6 +146,7 @@ func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventTy PodLabels: execEvent.K8s.PodLabels, }, RuleID: rule.ID(), + extra: execEvent.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go b/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go index 66501b51..4692bd48 100644 --- a/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go +++ b/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go @@ -184,6 +184,7 @@ func (rule *R0007KubernetesClientExecuted) handleExecEvent(event *events.ExecEve PodLabels: event.K8s.PodLabels, }, RuleID: rule.ID(), + extra: event.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go b/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go index b30deb16..def050d4 100644 --- a/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go +++ b/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go @@ -106,6 +106,7 @@ func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType PodLabels: execEvent.K8s.PodLabels, }, RuleID: rule.ID(), + extra: execEvent.GetExtra(), } return &ruleFailure 
diff --git a/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go b/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go index 43318012..71a376c8 100644 --- a/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go +++ b/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go @@ -101,6 +101,7 @@ func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType utils.EventTyp PodLabels: execEvent.K8s.PodLabels, }, RuleID: rule.ID(), + extra: execEvent.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r1004_exec_from_mount.go b/pkg/ruleengine/v1/r1004_exec_from_mount.go index 2900be91..fbc47998 100644 --- a/pkg/ruleengine/v1/r1004_exec_from_mount.go +++ b/pkg/ruleengine/v1/r1004_exec_from_mount.go @@ -111,6 +111,7 @@ func (rule *R1004ExecFromMount) ProcessEvent(eventType utils.EventType, event ut PodLabels: execEvent.K8s.PodLabels, }, RuleID: R1004ID, + extra: execEvent.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r1011_ld_preload_hook.go b/pkg/ruleengine/v1/r1011_ld_preload_hook.go index 67964ba5..5de7764d 100644 --- a/pkg/ruleengine/v1/r1011_ld_preload_hook.go +++ b/pkg/ruleengine/v1/r1011_ld_preload_hook.go @@ -141,6 +141,7 @@ func (rule *R1011LdPreloadHook) handleExecEvent(execEvent *events.ExecEvent, k8s PodLabels: execEvent.K8s.PodLabels, }, RuleID: rule.ID(), + extra: execEvent.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go b/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go index 2458929a..bc51c0dc 100644 --- a/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go +++ b/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go @@ -129,6 +129,7 @@ func (rule *R1012HardlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils. PodLabels: hardlinkEvent.K8s.PodLabels, }, RuleID: rule.ID(), + extra: hardlinkEvent.GetExtra(), } } } From 61ed4ea614b44e8668721f09fb375eeafa0d9a92 Mon Sep 17 00:00:00 2001 
From: Afek Berger Date: Mon, 21 Oct 2024 16:26:19 +0300 Subject: [PATCH 11/23] WIP: Added more enrichment types --- pkg/containerwatcher/v1/container_watcher.go | 15 ++++----------- pkg/malwaremanager/v1/clamav/clamav.go | 7 +++---- pkg/malwaremanager/v1/malware_manager.go | 9 +++++---- pkg/ruleengine/v1/r0002_unexpected_file_access.go | 8 ++++++-- ...006_unexpected_service_account_token_access.go | 8 ++++++-- .../v1/r0008_read_env_variables_procfs.go | 7 +++++-- .../v1/r0010_unexpected_sensitive_file_access.go | 7 +++++-- pkg/ruleengine/v1/r1011_ld_preload_hook.go | 8 ++++---- 8 files changed, 38 insertions(+), 31 deletions(-) diff --git a/pkg/containerwatcher/v1/container_watcher.go b/pkg/containerwatcher/v1/container_watcher.go index 26dee926..61d615a0 100644 --- a/pkg/containerwatcher/v1/container_watcher.go +++ b/pkg/containerwatcher/v1/container_watcher.go @@ -205,20 +205,16 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli } execEvent := &events.ExecEvent{Event: event} - if thirdPartyEnricher != nil { thirdPartyEnricher.Enrich(execEvent) - ruleManager.ReportEvent(utils.ExecveEventType, execEvent) - } else { - ruleManager.ReportEvent(utils.ExecveEventType, execEvent) } + ruleManager.ReportEvent(utils.ExecveEventType, execEvent) + malwareManager.ReportEvent(utils.ExecveEventType, execEvent) metrics.ReportEvent(utils.ExecveEventType) applicationProfileManager.ReportFileExec(k8sContainerID, path, event.Args) relevancyManager.ReportFileExec(event.Runtime.ContainerID, k8sContainerID, path) - malwareManager.ReportEvent(utils.ExecveEventType, &event) - // Report exec events to event receivers reportEventToThirdPartyTracers(utils.ExecveEventType, &event, thirdPartyEventReceivers) }) 
@@ -248,16 +244,13 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli if thirdPartyEnricher != nil { thirdPartyEnricher.Enrich(openEvent) - ruleManager.ReportEvent(utils.ExecveEventType, openEvent) - } else { - ruleManager.ReportEvent(utils.ExecveEventType, openEvent) } metrics.ReportEvent(utils.OpenEventType) applicationProfileManager.ReportFileOpen(k8sContainerID, path, event.Flags) relevancyManager.ReportFileOpen(event.Runtime.ContainerID, k8sContainerID, path) - ruleManager.ReportEvent(utils.OpenEventType, &event) - malwareManager.ReportEvent(utils.OpenEventType, &event) + ruleManager.ReportEvent(utils.OpenEventType, openEvent) + malwareManager.ReportEvent(utils.OpenEventType, openEvent) // Report open events to event receivers reportEventToThirdPartyTracers(utils.OpenEventType, &event, thirdPartyEventReceivers) diff --git a/pkg/malwaremanager/v1/clamav/clamav.go b/pkg/malwaremanager/v1/clamav/clamav.go index 10c893f6..3e5bf0eb 100644 --- a/pkg/malwaremanager/v1/clamav/clamav.go +++ b/pkg/malwaremanager/v1/clamav/clamav.go @@ -3,10 +3,9 @@ package malwaremanager import ( "github.com/cenkalti/backoff/v4" "github.com/dutchcoders/go-clamd" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" - traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" "github.com/kubescape/go-logger" "github.com/kubescape/go-logger/helpers" + events "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/malwaremanager" "github.com/kubescape/node-agent/pkg/utils" nautils "github.com/kubescape/node-agent/pkg/utils" 
@@ -44,9 +43,9 @@ func (c *ClamAVClient) Scan(eventType nautils.EventType, event utils.K8sEvent, c // Check if the event is of type tracerexectype.Event or traceropentype.Event. switch eventType { case nautils.ExecveEventType: - return c.handleExecEvent(event.(*tracerexectype.Event), containerPid) + return c.handleExecEvent(&event.(*events.ExecEvent).Event, containerPid) case nautils.OpenEventType: - return c.handleOpenEvent(event.(*traceropentype.Event), containerPid) + return c.handleOpenEvent(&event.(*events.OpenEvent).Event, containerPid) default: return nil } diff --git a/pkg/malwaremanager/v1/malware_manager.go b/pkg/malwaremanager/v1/malware_manager.go index aee48edf..728ea60e 100644 --- a/pkg/malwaremanager/v1/malware_manager.go +++ b/pkg/malwaremanager/v1/malware_manager.go @@ -24,6 +24,7 @@ import ( "github.com/kubescape/go-logger" "github.com/kubescape/go-logger/helpers" "github.com/kubescape/k8s-interface/workloadinterface" + events "github.com/kubescape/node-agent/pkg/ebpf/events" ) const ( @@ -146,19 +147,19 @@ func (mm *MalwareManager) getWorkloadIdentifier(podNamespace, podName string) (s func (mm *MalwareManager) ReportEvent(eventType utils.EventType, event utils.K8sEvent) { switch eventType { case utils.ExecveEventType: - exec, ok := event.(*tracerexectype.Event) + exec, ok := event.(*events.ExecEvent) if !ok { logger.L().Error("MalwareManager - failed to cast event to execve event") return } - mm.reportFileExec(exec) + mm.reportFileExec(&exec.Event) case utils.OpenEventType: - open, ok := event.(*traceropentype.Event) + open, ok := event.(*events.OpenEvent) if !ok { logger.L().Error("MalwareManager - failed to cast event to open event") return } - mm.reportFileOpen(open) + mm.reportFileOpen(&open.Event) } } diff --git a/pkg/ruleengine/v1/r0002_unexpected_file_access.go b/pkg/ruleengine/v1/r0002_unexpected_file_access.go index ca7fd204..d526729c 100644 --- a/pkg/ruleengine/v1/r0002_unexpected_file_access.go 
+++ b/pkg/ruleengine/v1/r0002_unexpected_file_access.go @@ -4,6 +4,7 @@ import ( "fmt" "strings" + "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/ruleengine" "github.com/kubescape/node-agent/pkg/utils" "github.com/kubescape/storage/pkg/registry/file/dynamicpathdetector" @@ -99,11 +100,13 @@ func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType utils.EventType, e return nil } - openEvent, ok := event.(*traceropentype.Event) + fullEvent, ok := event.(*events.OpenEvent) if !ok { return nil } + openEvent := fullEvent.Event + // Check if path is ignored for _, prefix := range rule.ignorePrefixes { if strings.HasPrefix(openEvent.FullPath, prefix) { @@ -159,7 +162,7 @@ func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType utils.EventType, e "flags": openEvent.Flags, "path": openEvent.FullPath, }, - FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the open call \"%s\" to the whitelist in the application profile for the Pod \"%s\". You can use the following command: %s", openEvent.FullPath, openEvent.GetPod(), rule.generatePatchCommand(openEvent, ap)), + FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the open call \"%s\" to the whitelist in the application profile for the Pod \"%s\". You can use the following command: %s", openEvent.FullPath, openEvent.GetPod(), rule.generatePatchCommand(&openEvent, ap)), Severity: R0002UnexpectedFileAccessRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ @@ -179,6 +182,7 @@ func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType utils.EventType, e PodName: openEvent.GetPod(), }, RuleID: rule.ID(), + extra: fullEvent.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go index 7a1c7f0a..dc88f4d8 100644 --- a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go 
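Review bot: In `R0002UnexpectedFileAccess.ProcessEvent`, `openEvent := fullEvent.Event` copies the whole embedded open event by value, and the code then takes its address again for `rule.generatePatchCommand(&openEvent, ap)`. Open events are the highest-volume stream in this agent, and each rule repeats the copy. Binding a pointer instead, `openEvent := &fullEvent.Event`, leaves every field access unchanged and lets the call site pass `openEvent` directly. The same pattern is added to R0006, R0008 and R0010 in the following hunks of this patch.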
+++ b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go @@ -4,6 +4,7 @@ import ( "fmt" "strings" + "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" "github.com/kubescape/node-agent/pkg/ruleengine" "github.com/kubescape/node-agent/pkg/utils" @@ -81,11 +82,13 @@ func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType uti return nil } - openEvent, ok := event.(*traceropentype.Event) + fullEvent, ok := event.(*events.OpenEvent) if !ok { return nil } + openEvent := fullEvent.Event + shouldCheckEvent := false for _, prefix := range serviceAccountTokenPathsPrefix { @@ -125,7 +128,7 @@ func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType uti "flags": openEvent.Flags, }, InfectedPID: openEvent.Pid, - FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the open call \"%s\" to the whitelist in the application profile for the Pod \"%s\". You can use the following command: %s", openEvent.FullPath, openEvent.GetPod(), rule.generatePatchCommand(openEvent, ap)), + FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the open call \"%s\" to the whitelist in the application profile for the Pod \"%s\". You can use the following command: %s", openEvent.FullPath, openEvent.GetPod(), rule.generatePatchCommand(&openEvent, ap)), Severity: R0006UnexpectedServiceAccountTokenAccessRuleDescriptor.Priority, }, RuntimeProcessDetails: apitypes.ProcessTree{ @@ -146,6 +149,7 @@ func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType uti PodLabels: openEvent.K8s.PodLabels, }, RuleID: rule.ID(), + extra: fullEvent.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go b/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go index 35f7b736..72811154 100644 --- a/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go +++ b/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go 
@@ -4,12 +4,12 @@ import ( "fmt" "strings" + events "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" "github.com/kubescape/node-agent/pkg/ruleengine" "github.com/kubescape/node-agent/pkg/utils" apitypes "github.com/armosec/armoapi-go/armotypes" - traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" ) const ( @@ -57,11 +57,13 @@ func (rule *R0008ReadEnvironmentVariablesProcFS) ProcessEvent(eventType utils.Ev return nil } - openEvent, ok := event.(*traceropentype.Event) + fullEvent, ok := event.(*events.OpenEvent) if !ok { return nil } + openEvent := fullEvent.Event + if !strings.HasPrefix(openEvent.FullPath, "/proc/") || !strings.HasSuffix(openEvent.FullPath, "/environ") { return nil } @@ -112,6 +114,7 @@ func (rule *R0008ReadEnvironmentVariablesProcFS) ProcessEvent(eventType utils.Ev PodLabels: openEvent.K8s.PodLabels, }, RuleID: rule.ID(), + extra: fullEvent.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go index 71a3bd40..a704fab5 100644 --- a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go +++ b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go @@ -4,13 +4,13 @@ import ( "fmt" "strings" + events "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" "github.com/kubescape/node-agent/pkg/ruleengine" "github.com/kubescape/node-agent/pkg/utils" "github.com/kubescape/storage/pkg/registry/file/dynamicpathdetector" apitypes "github.com/armosec/armoapi-go/armotypes" - traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" "github.com/kubescape/go-logger" "github.com/kubescape/go-logger/helpers" ) 
@@ -82,11 +82,13 @@ func (rule *R0010UnexpectedSensitiveFileAccess) ProcessEvent(eventType utils.Eve return nil } - openEvent, ok := event.(*traceropentype.Event) + fullEvent, ok := event.(*events.OpenEvent) if !ok { return nil } + openEvent := fullEvent.Event + ap := objCache.ApplicationProfileCache().GetApplicationProfile(openEvent.Runtime.ContainerID) if ap == nil { return nil @@ -144,6 +146,7 @@ func (rule *R0010UnexpectedSensitiveFileAccess) ProcessEvent(eventType utils.Eve PodLabels: openEvent.K8s.PodLabels, }, RuleID: rule.ID(), + extra: fullEvent.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r1011_ld_preload_hook.go b/pkg/ruleengine/v1/r1011_ld_preload_hook.go index 5de7764d..0a093529 100644 --- a/pkg/ruleengine/v1/r1011_ld_preload_hook.go +++ b/pkg/ruleengine/v1/r1011_ld_preload_hook.go @@ -11,7 +11,6 @@ import ( "github.com/kubescape/node-agent/pkg/utils" apitypes "github.com/armosec/armoapi-go/armotypes" - traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" "github.com/kubescape/go-logger" "github.com/kubescape/go-logger/helpers" ) @@ -150,7 +149,7 @@ func (rule *R1011LdPreloadHook) handleExecEvent(execEvent *events.ExecEvent, k8s return nil } -func (rule *R1011LdPreloadHook) handleOpenEvent(openEvent *traceropentype.Event) ruleengine.RuleFailure { +func (rule *R1011LdPreloadHook) handleOpenEvent(openEvent *events.OpenEvent) ruleengine.RuleFailure { if openEvent.FullPath == LD_PRELOAD_FILE && (openEvent.FlagsRaw&(int32(os.O_WRONLY)|int32(os.O_RDWR))) != 0 { ruleFailure := GenericRuleFailure{ BaseRuntimeAlert: apitypes.BaseRuntimeAlert{ 
@@ -172,7 +171,7 @@ func (rule *R1011LdPreloadHook) handleOpenEvent(openEvent *traceropentype.Event) }, ContainerID: openEvent.Runtime.ContainerID, }, - TriggerEvent: openEvent.Event, + TriggerEvent: openEvent.Event.Event, RuleAlert: apitypes.RuleAlert{ RuleDescription: fmt.Sprintf("Process (%s) was executed in: %s and is opening the file %s", openEvent.Comm, openEvent.GetContainer(), openEvent.Path), }, @@ -181,6 +180,7 @@ func (rule *R1011LdPreloadHook) handleOpenEvent(openEvent *traceropentype.Event) PodLabels: openEvent.K8s.PodLabels, }, RuleID: rule.ID(), + extra: openEvent.GetExtra(), } return &ruleFailure @@ -202,7 +202,7 @@ func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event ut return rule.handleExecEvent(execEvent, objectCache.K8sObjectCache()) } else if eventType == utils.OpenEventType { - openEvent, ok := event.(*traceropentype.Event) + openEvent, ok := event.(*events.OpenEvent) if !ok { return nil } From 186cecbc4a3e6c39cc60615ae340bc45321b55ea Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Wed, 30 Oct 2024 10:02:18 +0200 Subject: [PATCH 12/23] WIP: Updated symlink & thirdpartyenricher --- .../container_watcher_interface.go | 2 +- pkg/containerwatcher/v1/container_watcher.go | 29 ++++++------------ pkg/containerwatcher/v1/exec.go | 8 +++-- pkg/containerwatcher/v1/symlink.go | 9 ++++++ .../gadgets/symlink/tracer/bpf/symlink.bpf.c | 6 ++-- pkg/ebpf/gadgets/symlink/tracer/bpf/symlink.h | 1 + .../gadgets/symlink/tracer/symlink_bpfel.go | 3 +- .../gadgets/symlink/tracer/symlink_bpfel.o | Bin 489344 -> 489568 bytes pkg/ebpf/gadgets/symlink/tracer/tracer.go | 3 +- pkg/ebpf/gadgets/symlink/types/types.go | 5 +-- pkg/utils/events.go | 2 +- 11 files changed, 36 insertions(+), 32 deletions(-) diff --git a/pkg/containerwatcher/container_watcher_interface.go b/pkg/containerwatcher/container_watcher_interface.go index 3e81c265..8c40cd53 100644 --- a/pkg/containerwatcher/container_watcher_interface.go 
+++ b/pkg/containerwatcher/container_watcher_interface.go @@ -38,5 +38,5 @@ type ContainerReceiver interface { } type ThirdPartyEnricher interface { - Enrich(event utils.EnrichEvent) + Enrich(event utils.EnrichEvent, syscall []uint64) } diff --git a/pkg/containerwatcher/v1/container_watcher.go b/pkg/containerwatcher/v1/container_watcher.go index 61d615a0..506f4627 100644 --- a/pkg/containerwatcher/v1/container_watcher.go +++ b/pkg/containerwatcher/v1/container_watcher.go @@ -15,7 +15,6 @@ import ( tracerdns "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/dns/tracer" tracerdnstype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/dns/types" tracerexec "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/tracer" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" tracernetwork "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/network/tracer" tracernetworktype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/network/types" traceropen "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/tracer" @@ -119,6 +118,8 @@ type IGContainerWatcher struct { thirdPartyTracers mapset.Set[containerwatcher.CustomTracer] // Third party container receivers thirdPartyContainerReceivers mapset.Set[containerwatcher.ContainerReceiver] + // Third party event enrichers + thirdPartyEnricher containerwatcher.ThirdPartyEnricher // Worker pools capabilitiesWorkerPool *ants.PoolWithFunc @@ -134,7 +135,7 @@ type IGContainerWatcher struct { httpWorkerPool *ants.PoolWithFunc capabilitiesWorkerChan chan *tracercapabilitiestype.Event - execWorkerChan chan *tracerexectype.Event + execWorkerChan chan *events.ExecEvent openWorkerChan chan *traceropentype.Event ptraceWorkerChan chan *tracerptracetype.Event networkWorkerChan chan *tracernetworktype.Event 
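Review bot: `ThirdPartyEnricher.Enrich` gains a `syscall []uint64` parameter with no doc comment on the interface or the method, so implementers have to guess the contract. The symlink callback in this patch passes `[]uint64{unix.SYS_SYMLINKAT, unix.SYS_SYMLINK}`, so it appears to be the set of syscall numbers that can produce the event. I would name it `syscalls`, which also avoids shadowing the standard `syscall` package in implementations, and add a comment such as `// Enrich attaches third-party data to event; syscalls lists the syscall numbers that can produce it.` The method returns nothing, so the comment should also say how an enricher signals that it had no data, presumably by leaving the event's extra value unset.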
@@ -186,7 +187,7 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli } // Create an exec worker pool execWorkerPool, err := ants.NewPoolWithFunc(execWorkerPoolSize, func(i interface{}) { - event := i.(tracerexectype.Event) + event := i.(events.ExecEvent) // ignore events with empty container name if event.K8s.ContainerName == "" { return @@ -204,13 +205,8 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli path = event.Args[0] } - execEvent := &events.ExecEvent{Event: event} - if thirdPartyEnricher != nil { - thirdPartyEnricher.Enrich(execEvent) - } - - ruleManager.ReportEvent(utils.ExecveEventType, execEvent) - malwareManager.ReportEvent(utils.ExecveEventType, execEvent) + ruleManager.ReportEvent(utils.ExecveEventType, &event) + malwareManager.ReportEvent(utils.ExecveEventType, &event) metrics.ReportEvent(utils.ExecveEventType) applicationProfileManager.ReportFileExec(k8sContainerID, path, event.Args) relevancyManager.ReportFileExec(event.Runtime.ContainerID, k8sContainerID, path) @@ -243,7 +239,7 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli openEvent := &events.OpenEvent{Event: event} if thirdPartyEnricher != nil { - thirdPartyEnricher.Enrich(openEvent) + // thirdPartyEnricher.Enrich(openEvent) } metrics.ReportEvent(utils.OpenEventType) @@ -331,10 +327,6 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli return } - if thirdPartyEnricher != nil { - thirdPartyEnricher.Enrich(&event) - } - metrics.ReportEvent(utils.SymlinkEventType) ruleManager.ReportEvent(utils.SymlinkEventType, &event) // Report symlink events to event receivers 
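Review bot: The open worker is left with an `if thirdPartyEnricher != nil { ... }` whose body is only the commented-out `// thirdPartyEnricher.Enrich(openEvent)`, and the next hunk removes the hardlink Enrich call entirely. After this patch open and hardlink events are therefore never enriched, while the rules still copy `GetExtra()` into their failures. The `execEventCallback` hunk in `exec.go` has the same empty branch, and its commented call passes a string where the new signature expects `[]uint64`. Either call `Enrich` with the relevant syscall numbers, as `symlinkEventCallback` does, or delete the empty branches and leave a TODO. An empty `if` with commented-out code hides the fact that enrichment is off for these event types.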
@@ -352,10 +344,6 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli metrics.ReportEvent(utils.HardlinkEventType) ruleManager.ReportEvent(utils.HardlinkEventType, &event) - if thirdPartyEnricher != nil { - thirdPartyEnricher.Enrich(&event) - } - // Report hardlink events to event receivers reportEventToThirdPartyTracers(utils.HardlinkEventType, &event, thirdPartyEventReceivers) }) @@ -453,7 +441,7 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli // Channels capabilitiesWorkerChan: make(chan *tracercapabilitiestype.Event, 1000), - execWorkerChan: make(chan *tracerexectype.Event, 10000), + execWorkerChan: make(chan *events.ExecEvent, 10000), openWorkerChan: make(chan *traceropentype.Event, 500000), ptraceWorkerChan: make(chan *tracerptracetype.Event, 1000), networkWorkerChan: make(chan *tracernetworktype.Event, 500000), @@ -471,6 +459,7 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli runtime: runtime, thirdPartyTracers: mapset.NewSet[containerwatcher.CustomTracer](), thirdPartyContainerReceivers: mapset.NewSet[containerwatcher.ContainerReceiver](), + thirdPartyEnricher: thirdPartyEnricher, }, nil } diff --git a/pkg/containerwatcher/v1/exec.go b/pkg/containerwatcher/v1/exec.go index 136e1325..7d77a6b8 100644 --- a/pkg/containerwatcher/v1/exec.go +++ b/pkg/containerwatcher/v1/exec.go @@ -6,6 +6,7 @@ import ( tracerexec "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/tracer" tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" "github.com/inspektor-gadget/inspektor-gadget/pkg/types" + events "github.com/kubescape/node-agent/pkg/ebpf/events" ) func (ch *IGContainerWatcher) execEventCallback(event *tracerexectype.Event) { 
@@ -13,10 +14,13 @@ func (ch *IGContainerWatcher) execEventCallback(event *tracerexectype.Event) { return } - // do not skip dropped events as their processing is done in the worker + execEvent := &events.ExecEvent{Event: *event} + if ch.thirdPartyEnricher != nil { + // ch.thirdPartyEnricher.Enrich(execEvent, "sys_execve") + } if event.Retval > -1 && event.Comm != "" { - ch.execWorkerChan <- event + ch.execWorkerChan <- execEvent } } diff --git a/pkg/containerwatcher/v1/symlink.go b/pkg/containerwatcher/v1/symlink.go index 43708498..eca3836c 100644 --- a/pkg/containerwatcher/v1/symlink.go +++ b/pkg/containerwatcher/v1/symlink.go @@ -5,6 +5,7 @@ import ( tracersymlink "github.com/kubescape/node-agent/pkg/ebpf/gadgets/symlink/tracer" tracersymlinktype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/symlink/types" + "golang.org/x/sys/unix" "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/go-logger" @@ -16,6 +17,14 @@ func (ch *IGContainerWatcher) symlinkEventCallback(event *tracersymlinktype.Even return } + if ch.thirdPartyEnricher != nil { + syscalls := []uint64{unix.SYS_SYMLINKAT, unix.SYS_SYMLINK} + ch.thirdPartyEnricher.Enrich(event, syscalls) + if event.GetExtra() != nil { + fmt.Println("GetExtra", event.GetExtra()) + } + } + if isDroppedEvent(event.Type, event.Message) { logger.L().Ctx(ch.ctx).Warning("symlink tracer got drop events - we may miss some realtime data", helpers.Interface("event", event), helpers.String("error", event.Message)) return diff --git a/pkg/ebpf/gadgets/symlink/tracer/bpf/symlink.bpf.c b/pkg/ebpf/gadgets/symlink/tracer/bpf/symlink.bpf.c index 17b8059e..5ca84c69 100644 --- a/pkg/ebpf/gadgets/symlink/tracer/bpf/symlink.bpf.c +++ b/pkg/ebpf/gadgets/symlink/tracer/bpf/symlink.bpf.c @@ -1,8 +1,4 @@ -#ifdef __TARGET_ARCH_x86 #include "../../../../include/amd64/vmlinux.h" -#elif defined(__TARGET_ARCH_arm64) -#include "../../../../include/arm64/vmlinux.h" -#endif #include #include 
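Review bot: `execEvent := &events.ExecEvent{Event: *event}` copies the event and allocates on every callback, including events that the `event.Retval > -1 && event.Comm != ""` filter then discards. With the `Enrich` call commented out, that copy is the only work the new lines do. Build the wrapper inside the filter, `ch.execWorkerChan <- &events.ExecEvent{Event: *event}`, and delete the empty `if ch.thirdPartyEnricher != nil` block until the call is restored. The removed comment explained why this callback does not skip dropped events; that behaviour is unchanged, so the comment should stay. The function starts above the hunk.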
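Review bot: `fmt.Println("GetExtra", event.GetExtra())` in `symlinkEventCallback` is a debug print on the event path: it writes the enrichment payload to stdout for every enriched symlink event, outside the structured logger and its level control. Remove it or route it through the logger already used below, e.g. `logger.L().Ctx(ch.ctx).Debug("symlink event enriched", helpers.Interface("extra", event.GetExtra()))`. The enrichment block also runs before the `isDroppedEvent` check, so drop notifications are handed to the enricher; moving the block after that check avoids it. `unix.SYS_SYMLINK` is not defined for linux/arm64 in golang.org/x/sys/unix (only `SYS_SYMLINKAT` is), so the syscall list needs a build-tagged definition to keep arm64 compiling. Any value `Enrich` returns is discarded here; its signature is not visible in this diff.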
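Review bot: Removing the `__TARGET_ARCH_x86` / `__TARGET_ARCH_arm64` guard at the top of symlink.bpf.c makes the program always include the amd64 `vmlinux.h`, so an arm64 build of the symlink gadget is compiled against x86 kernel type definitions. If this was only needed to get a local build working, restore the conditional include before merge. When restoring it, a final `#else` with `#error "unsupported target architecture"` would make an unknown target fail the build instead of compiling with no `vmlinux.h` at all.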
@@ -116,6 +112,7 @@ int tracepoint__sys_symlink(struct syscall_trace_enter *ctx) event->timestamp = bpf_ktime_get_boot_ns(); event->mntns_id = mntns_id; event->pid = bpf_get_current_pid_tgid() >> 32; + event->tid = bpf_get_current_pid_tgid() & 0xFFFFFFFF; event->ppid = BPF_CORE_READ(current_task, real_parent, pid); event->uid = uid; event->gid = (u32)(uid_gid >> 32); @@ -184,6 +181,7 @@ int tracepoint__sys_symlinkat(struct syscall_trace_enter *ctx) event->timestamp = bpf_ktime_get_boot_ns(); event->mntns_id = mntns_id; event->pid = bpf_get_current_pid_tgid() >> 32; + event->tid = bpf_get_current_pid_tgid() & 0xFFFFFFFF; event->ppid = BPF_CORE_READ(current_task, real_parent, pid); event->uid = uid; event->gid = (u32)(uid_gid >> 32); diff --git a/pkg/ebpf/gadgets/symlink/tracer/bpf/symlink.h b/pkg/ebpf/gadgets/symlink/tracer/bpf/symlink.h index 464d62b4..4220eb47 100644 --- a/pkg/ebpf/gadgets/symlink/tracer/bpf/symlink.h +++ b/pkg/ebpf/gadgets/symlink/tracer/bpf/symlink.h @@ -17,6 +17,7 @@ struct event { gadget_timestamp timestamp; gadget_mntns_id mntns_id; __u32 pid; + __u32 tid; __u32 ppid; __u32 uid; __u32 gid; diff --git a/pkg/ebpf/gadgets/symlink/tracer/symlink_bpfel.go b/pkg/ebpf/gadgets/symlink/tracer/symlink_bpfel.go index 68ec360c..c1ad8d39 100644 --- a/pkg/ebpf/gadgets/symlink/tracer/symlink_bpfel.go +++ b/pkg/ebpf/gadgets/symlink/tracer/symlink_bpfel.go @@ -16,6 +16,7 @@ type symlinkEvent struct { Timestamp uint64 MntnsId uint64 Pid uint32 + Tid uint32 Ppid uint32 Uid uint32 Gid uint32 @@ -24,7 +25,7 @@ type symlinkEvent struct { Exepath [4096]uint8 Oldpath [4096]uint8 Newpath [4096]uint8 - _ [7]byte + _ [3]byte } // loadSymlink returns the embedded CollectionSpec for symlink. 
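Review bot: `event->tid = bpf_get_current_pid_tgid() & 0xFFFFFFFF;` makes a second helper call right after the one used for `event->pid`, both in `tracepoint__sys_symlink` and in `tracepoint__sys_symlinkat`. Read the value once and split it: `__u64 pid_tgid = bpf_get_current_pid_tgid();`, then `event->pid = pid_tgid >> 32;` and `event->tid = (__u32)pid_tgid;`. A short comment that the upper half is the tgid (the userspace PID) and the lower half the thread id would help readers who map these fields to process identity. Both function bodies extend outside the hunks.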
diff --git a/pkg/ebpf/gadgets/symlink/tracer/symlink_bpfel.o b/pkg/ebpf/gadgets/symlink/tracer/symlink_bpfel.o index d4966183f6ba96b82a06e0f1de32fb044687f982..3f2e259df1c5855daf4db08e8ef4e938f552bdf3 100644 GIT binary patch literal 489568 zcmeF42b>*M+5ab(O|l6k^b!c%Py<&Gmi#e|+!g=AKVx&v%}APXEn0 zXXf7BoO{?&hZlwni9#3>y%qJH1#1))JBRn4#E#-<9XxwB@#dwLsBZLiD`e?eX(RE^={{w98n>H>T5&m&WGAr_fwE3RuD+_zM>*!t@U@t4`jdSvj=3B~j=JH#UBO;Ae0{85M^BDei4GUK%dY(z zKh>wd{!-En&|fCqO7*nR>#2LO@9&=7d^usf>b5I7L*3q+xp@BB-mh*W-=C`gRvb%d zXEo)IYIAN;_P$ZM{qLKeOh1PEX9>3M#lAlOoBO9oQ3L!l?Okah{+VZx%E{YcU%&p6ZW&I(4l{Y}gH@o5^&BOim6zZvYQt5Xg?il^DyC3VWea_D# zwRS&_e$t;$_xZ`c2!?*#!sh)@kNNwh&VOa~f3)9ysPgNs_2c=!op1Zrp$o^TMk-gK zr_thnqQg@Cr#rKIv2SOnchGxw{8pAeq?>?edvF`kOw#g}(phkG|8L_bkSVFnqNr zx|4R*?k4qcPIpTJQ;1iv0QdOYGrGuMj;0W=IEa3o=-i|3-My}R&hzKG|90Z&p+6PE zygP$Ti=01VvF>mFMa}E3<;T(58}iXQt8%jSeA)V+OKx6JmFA!Ab>?&%N6{9w7zv>t zd#>{5y}I7lpRY_8p&$FttN#u?kEz?;6&!Rtrejxk9`x|f>hmv+>q6f?^`9Hpb^XBg zAJ^`MUT0xk=Hg!@=}zk|cMDPXVt;*$t$cn{(22&Qd!g6mC|~{ejgQI;did9M@R%=m zi7&V3d~1hvNN{>QH&gytfBk=}k1b|;|M{0%{-%qe(P($!jJkWQ-Tmj2yPaL*^j|lh z(6XM2-rYP_TJKlpr1x1l>;3c+dOzjATJQ7sYg?fk`k&3G|2Olye{kuW-^aUoG-VZLJ_k${WUnTTDIw!sV**!RRmwkSJ)t5Wqz1J(wUfIw1b$0O1@87oZ zFZX`t>YVic@e+FfSVixv#Qc6{PI})vC%um=q4#YndS4~`QsR2FM_aC$0uUgsnZ^HM%{(IiPU!0TP zYje{32_^J?Y(?+reDHtXv_npMUo9uSzqyf{zXm+7{>j-Z^SgRyFwgIg+xVAzKl4Rj zZrS%UpDm&Ht15a&=YxNKZ^=pTN93gUeM;zk&x+nx3B9kKlipu27 z{c_U#dO7L6s)XK$RP??|=>2Ez4;7XF`vl+c<(7RvbF;O#|9)n%vsd;r+RY5+{meNz z>3vF0dY@QA?}t_Nj?M@Fex{g{-rsS5iK+bW-+$xF9q|7BSI%CU-`(^+h`%rPfQ^5- z-@kt$C%u2Ngx)Wy=zW!#-|KVI`vE!WediK-|3F3WtAyT%<)rtQ-CqnU|9<94U+#eY z%nzKsvY#33` z^nP?sdOxs)-uJKQeU;GrhB@i|kNWQmqw>FhU*^jlu%CI+*(>`Qjmlu&&wSIyzufzo zD{|8N`6cvzZbk3teDLpQPRmK}yXU0$txM>AY(?*@gx>$I|He0m_wUd6a?Ad_`mnXP z|NEH-oxQT3ks1c`e&&Xp^gcHyz0WM6_lAnz(fQ!t&%`_xtySIqCh%5_^pZT`6 zxBvV1dz`(ppOG2{^M2+tIqAJQC%vCpLhq+n^p4I4|9)n#ob)~_C%s1{^#0xm&1;qU zUA-`v=lAE_IG6wL6MWT|TlW3TB5QB|{mhLOy`%HNKfj-ylip9vN$-c2(EEgn-d72| zZMg$9vhQcEDWUhPD|$!ggMWT+%SrD?=A`%iO6Yy>ir!ZV 
zy|0^--hW%=*3Gid??3b94%p8;@9dTRj7DWJ?`OVl<6rLm%%^hF`#B}_KEI-ObUyg^ zGbiVy_g!+*d$EMx$5iybO6dLV)!h13_V@2U^5vF&Kl6aKxBvV19%rxYXQYO~yq~!? zC%t#%r1$y~dateM9i0#U{mch*()$KE>3vuUy{}f$`zoRLmkMtED*JwBsV}$e`3R_-qHEs-_LBBliuGQ;^vXE&+otUO9`}Ka-<;2goSGaDA+}mX)YR%I-aV&Me-4I1XBj2yxH+y{z$Ii68 zqGy^<=jP*csdvBpMve8?dlvh6IG>KZOgfdLd0gdaX791`wf?L)i1Up9b1U(mLHR|} z&9!(`BPWFJn=kk6srBc|Z%;6^tLG|jSGgS=-3u>v{u@)DY}lB3Qmnfsdr!T;x^!q1 z?Zc9%^qX)j_2%emi+j90-QRPRsc!UjzCMe*gVwL>$aiDvl?}>Iruid%{Wpl3H`jI9 zx8msW!xe2%eO9ks|FL$D`>Rt?)IY!4b-76B-;Oc6(Evj2IxdQOuJrK?>Qw~iT71UX zGh8{kkCyWnw|hS3{d)Cyvp<&(v|s3{_2=s6?7kt~huw?)`re!VpZIH^Fu;GIl}CM+ zQJ%_?Zqz?o;c9PQ=K6X5S-zb9{W06xJ9!8h5QaunoY1q#MQ&fAcJxmd#$|(Of7c(~ zvsJq&+F%G3Aau_zx_I&s->*tP$yxjl)pIjY`KZL9(QYoE`PX{gb$9sux^FezX6}PM zxuoHcMXEcE*5UhMn5XE$HYT-sX%>$cZV;(aw*#G7pFV%1ys-%@@{yqa=HwK;RtbF+`7 zf9bKm{{6Rn`t+%KFQHGn7yEkrZ|;L4MGWx&pZdqfA?$NhuEGYxe7kf$j`N;6XI|-k zJ=|aY@8hW?`B&@Hy~y8>p&pY9t4HJK9M!G!dG!4#zl@iB{s{HdIOslCIyEWeJGr1U zZ&y5}_qxBII@aA<=BQ_^i=3{u0i|;(Q~4?$HIE;J>^ht6hoI9?kI)aQkH)okJQwyAXGbe%Z};b=N-U;_h0z4@W=g&!_u($iE1Ne%!(@<1QcN zJAc2_`LC@0kJ>yNbfEIlj8s`lv4?7u$> zde4sE%F>5)^Dp)Dz?eFOp#1E4_KXfU%|&O_9pUQRJ>dPpp}p-;JyurlCs)#M+DG|u zxBj;KFI(SqCFw%>qgLX-vhfMy-J32m-cihWkM{ew?j^qcL)~oP$E8@JJ)s|i4s{=P z|4+~Fi*X`ozjr6?s@+ZM;hgSf2z#I3d;IMgUF0uEQ;4l&vpN4 zU)n=|Duj7=2ALK)f5c+l-x}HGb=UIaXzdO8=>F`#&wSbXpG$6DP?hGN?e8b`tNL$? zT4F-z$FQGt*Rl8P>n^WU7oi`+{S@Z2e}|sO)a~vH4muvwv8y`|dRUoGLw)|Gab4)! 
zr~Y%}`Y*qiS?(61((h%wE=T$5zwbFfpFPMm%GI4zvp~w2O=Tc6;l+SD_vXp zWBv8)bI8m1Nmn#|fIhaE>HX(lYWZK~&xb~%9h^~jkG0$1|J@58b@T3+_3n0djnjYK zd_v1AdPg_^^gZO2Iq7{?&U!z+gx*j2uh#qg{n|?Im%@Dde>1=P2bRA1eY~4j{`2Pd zJ#y0fnq}4d&}dVe*Z<)l?6>;n^>>~9KYm_cWc$%|U2~%OJ9vGo-U{7|D|-Lu^ZTyErFDRk+>nnO^=)*qy zUwt0^@A+JHUQT*HJ}12&Tte>$RrJ0}=zVlfdjGR~aO^Jo{QjyhcffnESDd}FpYiMa z;GN&UZR20={mj)l>HXs+^!~Am-dBnF{mh*7zIRS~A6G)}+f?+vO6c9ckS_oG_viI> zng7N2fdAdktKakG4%p8;;_Q|Ej7EiV8MNO6US#86?)}XCob=vQLhp?gy`%HN|9C%vy#Lhq|r^u9{y{WX1T&gT^6p5J?Xxn+MpbEmbp|Mv)PbN0%9Mrs($`3y}F^!}#%4U&Q1C-{@ISLSy&y$|B&)yHl8%e|lZ zqA$1X`*>`%SCzf1lu|zT5%t z-+$ulmHo_M-_P7-<6rLm%qMcv`$tOXy}P3KRbqZWDJQ+}l#|{!FQNBMD|%lg^#0ck zw1SoY{reNX+_FEfrq2e_h}{cUQ^LKIv@P+-}lQ& z@9X8H_o@}Qr1y8+Ut%i%`}g1YatFMB|CO^>=65%}5903=JYeHr?)UFs z$Vu;?ETQ*HDtccf=J)!X^nO52df&N(-ak;$`zoRLVL9pjW%n0@%D{Kkm6+cr<)rtma?<|NQ=zvsdPK_0C|P-=DJaFZc86mwmZq-_KlELhqli=pCI8{`tK#C%qq? zlim+3q4)hOdS4~3wDiy*E_!j?M@FekRUI@0;YL_mL&^KD?s$RYLDSU(>B$ zW&iuY-}2>_eLwRRYj6Mk%&pE|+0RG~gLyx5K~8!{-}+Ax!=Dp%t`N8meBjBD|$!ggMWTMD<{1l zl9S%|D53XVD|%lg^u9(;djI9>Zrv>Ve&$(U?tuNw)6QPm&uCNz^M2-b8~<|eXD-S~ z@AFFNy{n>kbUyg^Gsoqm_w94i`{)vS->9PZRYLD?jCAW)+26l^-3!`IdSA1m_fW5SM+g5I2vMeSZI)FL%KE_t%}h zGQVq72J`&>kd1%2-@jj(>3e|X)S-@>+^_euE??~D+bdkRMegk~6Sd~)oj8`d-)@Map^@*`?wh^7hGS=1UePnn zr*rf1xzxK~ext_v>phEoJe*HQUM8K&(LAnlG_&_u`C5Ng9K?CX|GAa;&!GGw>E>EI zs*w{y_sy64_SE`w<+mpo+SPNFx2xO^j_!qt^WT{IWW&bPlVaU9*?a2!)ultDXdjk5 zrQd{OsW(SgTdYXw4zF!&YN#)EwieqPYU_)wP4#WHoilgjtaHEOHuWQ;ehw`SbNe}1 zl45In(JmGnJBr6lKI*6eiT^)x&s6t63XeF>&to_Kc1X0b)$FKqqDaSfr}b8~!0C_B(d^LIF2@6KzzJ$N_?{MGGaAf{%ZJ{MC))A;j@T0 z;1~zD5^H8$0?!S6UKE`hc*v0GBA8IE|H$+jhf%fullB`t57EpJb9~jGJHPvl*Cl?~ zGda0EV%6hzjTtQZ(fhCYv&fH$W)O{u+Hb-2d$5NK_*4~fc$q_GD7?y{af~^ZbLf}0 z6OK1I^atTnj=ymb*3t?Q(t(B1vik78aaLUvFjh%xD$m9`8b$`ioqQO~-Qjw1F^Ud@l}`*GXFL_20;}x_JOiE%r*IqG z2uEY1NZ;KzhCOCLUV=3)$q~%e@NC)1K);zPPT=?8b~uHH4U3|W!_g$}X;^h$ z0FO3K;jN9A!Q+ji4@J>|u=*i}4}(X-39R4x7BBcvG^D|JA$+d!BKR`n#qbx6Q}`a^ z`{4(TAAo;g{2=_I@k8)$jlT=8Fn$;w#v-LUJOZz0{3xuyfFk>2@UF(+gC`h&AD#@W 
zUC~i!7QP6KVa+w4ll>U_8@sp&cbR_-pAR#fQ379PoWfVb8b{q&Hy9`I&E^vw7e!w) zdklZeIE5dDKTp#5c=QQhr~Kg;%_liAihg4pofJiXg|C+ntPO?s7AZW+IGW5_2D|$L z-Wi@Ge|Qh$6yDER8=)A!5uX@78g~6NC5lcoj^WeHKY<&JQ@AtupTayA{NW4WTU0Lm z8Td9hIz5VRh3^7W_-^Cq!<-w(@OR-9p9DUO_!0TTKgIqi9G}4)1wSSq_;>L4)>bbiE5*07OeWDa2Ncn?9-y?JXl(d;mhDV-~|3W{5+h(x4_?kHHqG7{zdp+ z_@|g-_yPE5@`s;>HP&f;6#d*dYKWpg!Y|1m{u{gio(dPJz$VECaiu=;P=cYh1XH`uiiKEQYxtpAaJq9gr7gm*!~4K7{06+C(!&3MH&R-77@Z@Z=qAdCxfI3lrm*@vfwwk$dQ&uHC*%9! z4;nvkQ*_{m;MK~)WB60>Cip~4{NBEb?%tSF?c1FO z;LqSAjyV>>PKWRk;{~t<6&-yAJE3|%ek_H_s)~H0M__3{;c@f%pg-;Pc?P@71pAAy z>a#Yy96r!|6~%V^75fBuD#zc9nUM5oban$mH9-o6TMKP?s)`#E(z8?Ega0=gKtd6`DcH;=&10Rh~G>rW}Og^rk zA2T0adJ9lox&E1z|Y6L=%z z6y6d(fpikZ4rY(x@GPIeyJJ_K7Zjo)vGGFqL&l5XGmIC*GvUejr=*=77#$|?8L|&! zO@Rs3Z0Dm(joG$GmwOKH28UeBIsIQ1b8QiPGO@xf@Du@U_&R(FsCIq_{xGa|J^*hE ztDTP;KMFr#{3QGn4*Ht{{oevJ)3EC_5HDn z+5W6{m@#Y4kfV(Kl<6{dIo5*8gZf6N;xk64H0Uf?+EVB;j^T5R6ZjJ26uvU}llI2o z4}U56!*>UNIE7tbQt(s3AATwL!@oA46#kppH9@VmzUdoY(>Q^P#wq+kV>Ry7;19P4 zfB2%{4__JlhoXVt4}T;0!w(04__^RejJz2S98>jF%V@(?S!*qe0Uk-;G z=)X)TT-$e2n9;{0XTnF}PpCf2MeavI_LD77wf9VTR^N3IJ>usjE=LJR9X@ocTNhj5 zW^4+xVeY%$fWKSU^}M&OSv&9%%Wu9h(^7PSvGx`g3MWyr-svcxBF0bRvzuMK3Pz7n z%yGSO0)NRkh3|&RqG}u*-uHpg{n#fG#~j}`PGJj$OXy&|1EP&C?KAiUJ^u{85XU%p z@NC(s$OqsqFoyRr zp9EHz$C1Jlu&Z6t@Nw{bIHvPXg+Br(@Kj5i!j14b*dy9H8{S9$@OkjL@`ta6&xcd^ zM)+fJgeLET3DtA>@hv!LQp_Wc3lEr2=nJYiw8)hoV&_rDg=b(MQ+fkFRYlHT#_swA z{yFUWq}MAdyn~~K!e2A|(O_jNdpBeM6cv1fdZ`x@mnWFbqQa5% zr`jIcsCVEO^z+gCY734!IH8N(u{vd`UEJ#KGn!DXO|Xx~R^-roG!j;647R`?`fPjn zVr(&o!Y4Trfe(dC45-qYml}V9ct_F^de=mEMl~)npsbBUtNptDJ@B5co63 z78NFwS>Th6xec5?AH@H&cJWcmJLdcc##7g=RNG$-2Pkp;|8T5RBs$bUm%Wk;zJ=^jC}j4(}2b*08p4UQk&voq@@X zMR?aK-|((8hS#F31;h!*dN84SAwRZ+>0dX`?*cD!mzYb;XEEm!Gd{X}llds3T(^!$ zOW~PH_Aly(g_{Eqs~=S76UcL0v+G@zhXWe z@JKi&gY%51!k>nfCsDMRAJU=1m*HE9V~)FE^@H+%0R9rO!uMdM4fZd4bM!p+BjA`r z{z|L*YmY8_Cb-dBf;gVGK{^{2Lraj?*~q;fOhgQ@-p| zIo5z>PdL^w`vQ1Fv#0Q;W?u%6HM=@%J6LTk!n?uWfn)e!;{-m=IEBwNR;SDe{%{AZ 
zc{zd4g;O|%KW(fIztK2`Z#Pch@D3-1d$8Y6S`E@e@B?5BKMp?#C-9Hqhu{=e_^y5o zWv#XrcdphpJBZgizSjU2&&{6@3>9Lo)V}8Q#no*P+NVI*_tLvcut^#Yr$h zuS0cTD^hT&9|lwprMFNxg)7IBCbZ!c_aGtGRIb{0IbpU-HkALhd88P?~{ z77F@2KJW)J_8s9a@+4G0Z4RM6=V1S_*(`D?wLYjV%JO`C=nFT`d@55neU9=J*AtE_ zE&rdupErIEzSUUySty)J3HqFa$jv|Z;uHG12iCn>M|G@6nf-(3kH2YTO zj|SX(x}RtK!NMzj=Y?^uN1dTi%$RN^dmhlwzPkO zm%?P{`uQ>V4NLTt`TUu4*@MrEu;zqJD6E(1hch!=li{iGYorZ2`5mlh2ZcA_1;jDO z-{E(Nr*cG_`TH&bN5Y{FTBG;Z^}bMe7cSzXcMEz4zdQVQyB_u=G3Tno+r$aS-uURg zPVheheh-ccyk9a-;0E*2&CwS8;d6qW23-c@>gMiij2B>EWSqiZGF}FM-B@$_w~dSN zL&h=uwDDB-Np~H^BPbiJ)$YevCihp21#*ua%LY=OXoG z!l8GX>r&4Y4$oui3=4(zjEQ>pcI#)Z>+`GNJ3Uhuecw3PXTZOtd|cgLLGPdrvWv^H zvzNLcW?=pSZ)*8fZ|>`u;Zb&QMfCdPWNJr-8`VtAZ!0`CGh5T_jb znLVZN4>#7}9d8`NlZ_MjjNlK?gr}2-I=4Oe!ykc1VorFY`Eld(;LpRlRTkiL13W`% zxd#`)bm|4Vb~`+QSm7JS($Tk!i)5j-P(I@*S?|rnJJKuno6k<@;k(AWV1LATJpMm4 z-UItn#(Tm)Hr@+<)_8CDIb-hmaF^3^|1N@NsH;LKjG;X*;eQ0>+{wk);fZ$jFUASy zg)PjEzdpM<9Gk{vE$nW7U@S(PPXdpFon|R)k6?!!mgc2i-!W7$G!;g4WXu&40FuO{#;P^#n16c-~@ixIEB|Q`t>WK z9Yxsn`Fh;Pq3!Sou&b~1{#&1|ikHE=27hiot-pt0Pv8TvzYVAGL|AKUiq`aQZ7TV0ITnnh+GHxS&kN832e-Qtam}tcxi4{g{ zNxO;15)-P6Iw26bdH4g^$C_;?^VxDGKGLDWp7`v~e3ig2b7&n?2y0pqJ`5i%K{1EI z*5sEEA7%CwKE+rSsSo}`q9M)3jMI=V$9hKQcZF*8WQVN5jj^ehmB@<70&mJ_^9K+GBw6OqI z*p@go-cE6W`wJhZ6L?GG1m4}!rm)`ej>CT$e3co>hwCn%SFkI8h1WCumkbZ#ehxnJ z3u#AW>}zLuvkY&a;ay=uHEoFYhSwmgR2ISx*58L=KST!Ft2tA1R}6=FGJ&-YDi8I^ zQTT76v{Xuc;^r|}VR!5aJOv-wqoM4BjAMAVaRQ%boWcssT|=ijVokET>2#+I@0{UX zGORsa2)ku?B(@Eo++v)YWB4)-`Aj8# z68nzC3CB;3V=n#@raRobmuwy0!A{+xnBzUz`MIQ#0@LwnaVjx#>v;El2GN=6D}ET0tK1`c)J2UhM7nc!=b$`mR8r#hNaI~ zCxqbh@r=(^#bw-eDxz|B8>awt&MzVGk-AnDx^IqTcegC$dmjJLAhb>VkZOzGN7-oikUno`z6h zJ#~TP1M+2kb%8Z5go1uoYjg5pO6Q4)XE8XGu?NiB>-u~jn6=mS=LGXf$wl8GV;y!K zHPP%b=SRV;!|vXcR+VSU`DF9aAfE!WKD*Co!h4bgd+&Y^o)-LRP!r4=?&irkFl)H` z4qReBnkO%TSz%6)gS6*ew*;r$yIb z=W(cN3C0C*m_KhajPT;Q?r|_M@pM1U+{NcNUKYVZShwlsiRPg@b4?h(A;YWf$ z{Jr2$yM7S-;U|MX{B-b#b&t6EquUpPKdiM+cImnIJq-Mk`9uu7g~CSU6L{wg>-YHd 
zjDvpM=X{zc*{iys&lcH}Mlol-Wx=nI|31Vi$Lp~3$L~#;{i%D#TLH5tb)UD5*xuVU zF|P}UI*&0C8EF^iQN%{o-jByGth8tBT#}eZN{u+Fi>}btGLFeDWPLb{& zdK?b(`tz{LjX7R3o(ij6>=(q;P0x;@Zf~1U5ud^iKA#v~!#IIAHBR9z;E}}CbIA6_ zL*U(v3-H0ltHBzVSyuleu_KA0+NhiiH_1-;Fx+BX2hTB{3C}Zbfj?qA4<13=+emu> zTLV_4+->&putMt)KVJ7@SH7tZ<7Kew(~gg{@qM^MOh;gL)Dzn0-QVEVY~V(kCddRReObh~@@tzxkh>)v0( zSkJ*58qb4^#tFQY@x`#773MM)DZB%A^^p^lVs6Do?0aA*s*34=7!LQyVQ{y`kwzZ{ z&lj&tor1qIpq`V66`yG+c)Azh3*RA8-NJWBRJQ~0aeWT!J9>IAo50esvs3N_d`2oCc%tzFcnVCPyXT}@IJ^sN zgg;I`F=?93KY`Wf`kZV5hlRpL_*ocPAWsX0TdBj@ySnbH+Sms6QuDn4`|dcVMelu} z>VS{l=XF>HpT_6QaLjQvthOW^UxYtFJ}JBucI!Cj_Z!FXQ^xAIUl^<3-VOfLZ72!d zS_!WYe39$ww~b-xDuuTCI)mtfUx8T>2r z(PZ$3aSXp}oWR2vAWq%)xkef5=G(+LhQ}Bu@b@kA}ab{(<#7 z^!u5e1*ZDjkh5$_5)SF=K2n>`bJ@A_|tF#?+ITi zJI4X=Rm8eC4u)UCtb5}~SoPMuaXidWI5D3JUyZGZu&2V>zsB$^__Nq!G(8)>22S8^ z_%3`B?%@Pph&_cbgePH_zCR7`14oSYwZ<`g3%p4Az+ZtED=mCCd=ng@*B;{{tUy)V zp5syM2YOTVBlvdXpTYRJ{lqKq<;sWfOZW;nc4zKK;Y&DLDBO|Z`z#ID3ZLoYkw1ig zM?M7iS^b;FpTqvH@kv}Zj^zCF95Kg6_$UDjSRp0Z0p0Y!c1ai-9@anolh*^ z%ZQckT4E&N`fdpvv>%=)Vtj7LF1=3WxW_nwA2413KMqT;DQuxoABdt)r|@U+AyjAD zP`H^iFPZ%oRg^&F`cZ4e60^N(KC0jEVcJ3i~tT}BW zQ7ZPq^`r7te`qcL8~LjaMOgWN#p=MRg7a6I^4DRZ@FA`Y+smC*-(hLA2T3rkhh6ul z!e}@ljybl3wRY)zXZTJy<BHUd*+)!Sd&6H+aj@oQT-|tGi2pbH@>8mU z{(jJ9*ojJFQ}{+J_gj5=6~1ju)cbznJDKZR2OcFI|ElKE zPd@~D?D{jX`jTyJ^fLSn;v&Z{;d_WN3!tQ>eJ_-+Ei{TxyKMYTWcZYS~B=COlqi_lzY#h^ZlY$*S0oIxl zBfL{#wQDL|3vUbSZw<{do(Io^zo-1+^I+8{g)f1nJKacEm^~iGJY<}}cf!}oA6^Q( zv0`1gAO61T2|o-|T{kg33r_%x)%;#Xcm};(R z&VIst4#55-9OH8+{1lwPN5ap+DSRyaGx>9zY8=D$@E?g2j#=i(SwA1i+im=A@&>D>57^p^rnT~qUvLfAKl^FH^e z@U;2R)HQ$H&;LcA-2V+B_$ORHf$|B}&%mb{KMT(?mOd>MLV27Qp0~VLR?biD+Ow8W z0mm-;nk-v;6`7weg?f-x$9Q z|IT;?Jlxo_E&QtQd}LLoEw5+nLo@c@X6(Z<_7A&`by{_Gt75Ux{Tsp`EZrK|Gg{Jk zxc$rhbks<5-UJ_UF(hW#mRov?bbpUgm%@1b$*zU;Tq?YQZENzu-@W(Q4gRzF?GI}# zVva-LH?b$Mg~C3WcKyZD5cTRHl!t%eExS%Tdg~Q5`Lq6+;Np_y?lYdw~s_P2lP*+u~$;!^A(U;k~uoJm@ zUnJ&4;WAkH#PC&?b~U?(sZeFCG2`5YP~Ons7h?SPwmRWh(Ell*ptP5I?7i1R{WAJ0 
zj4*$q0prkN>4^%fuf)&2Kj31hoBTp1E6Z;!jEk+ke(81v6xO!9H7^?W<{8E%#NoQi zTGvk0)?g2Ds8cwX|N1NO@9(!kUxLDh@a@!hea7%PGWaGOu0IG*#1?aWAHJ42<#;;S z8IxZbr|>(l+8=WiKIre$1YR8`fBoH)Xg#y1@MxIGegAD+*o`p_-5FM$wT|xvyMCeL z4l<76!{L1?Gl7qTHQp(Frm@!XHh3cn&^kUB-UQY>l5F~Bs}&4)@`wET6AP}ricZf;I{5PyxGLiqk$0zZmf_s9Yc3x%yLFU=wS_XZ;< zR3Q}Cf9;lCzY9WFR>iQMk2CjPv<(ijE9?#@T>lYuKq~IN&kL{{J1d9A4jt#bSs#_T zh3zxEV}^Ii@Xi_D)wuV&(3TGpaqF*6w=#HQcnarJ?jSsP{saD@ zZhoC61of5LIQ)RVzFHgJfy6QP^~|2YTN$UY!Uyn?5G)jq zuyM!i*47;}dF~H~XL|WFzD^rQW_+f=x;JBv24l6Y6V@0_<@mU90$&4X^%Jyx6ZSCf zUpJ2Ne+X8735P;x`%@YJpTWD(fSBvAn>~RQ#$!*3|BU@58EE@kFrhl5P1p7z2io5T z;o@*u^$&q;+_-FveK$@NHitDvu}*v_Ow9BrT8VbaPIIE1n`pw4%~;rICDej;`^Pg3CN#wmRNw!Ur&<;~pK#t5#% zNBO02v+*)`F6wJin?ohi()Vm)#%xodO z{0_&q{6L;_(Z)Osljy@2i52v2SZ$0s-oZzlaD-=v6#j?VbsuT2QypTC>VrHdaComN zU9E%t2+B-3)`yAQf~L=3j^rd}EW&eCk{OqY&QZ?M$n`V!Ng4a6$lpTYD6=z1_1-6; z-JzfQpRa5@kICdyDqa74f}ivq>T{gsL)5E_-98ZUzq;nrK#YTmb&5moYUPAqFcRju>fUct=hlRqa zD@hmjxcC&dCgoAogI}epN->-UhwC-4p5C9vk*B78agB{+sZ z7yRLyV7FFKxvv<<@VDVJlm{I45h?rtcK10LH~C}mOUfU97S`ILc_MtCmcn|jr5SF% z|AqPE7X21hJ&W+0aR0ggOv<(}ax2p;#k;lT@A!v#WVJYQ?}+6)5)Sv@I&gN7xLnxA z@)3{9@U|J=60RjJ|Eg5~W$F-cKc}f6L8q4d=7RRrfrMh2HFwBx5Cra zpYZMQOgM$V4xa@_9N&VQh+~dNVC9*>PZ+20bH?h_W$+c`5yQWNrGW%q4&&Th^WP}A9m;4J&jE0k{Na7!gE1%YBzO+?6g~lV zeZ|J{bXcD;B=9u&SIQHf33p@HP1geJIVOhBhBaO(d@(#!&fW+b@7Fz6Mde3 z6O1bxcizFnj}0Lo_*=&MJpEx<@26AvSy=C+qs^%cd@UTqzk|OZ-hzD%?CJoofc2U4 zGI-d*{7$@8E>^0inE05#;#eNTYCh$G*+sbEq-igBn z@eVvM!n$Ym%e=pYCxS8j2eYSe;Sd|go#g03;caE$Lt#cAkJR7P3HHW}{lJWUR>po% z#@?K<4G;of-Qf8T+B|T8Fsl+&#DH_rmA)`Ksu`oqgwp z{W59K#=aS82`HE$fVn-Y_MxveH->p;Ja*lKF+SR(eS~zn-}Rlh1dciMU8c_vJ7E$L zTuGYOtL$W7@*%nVUfH4WIr1kQ3kze8(_oEV!qEt8u87E^16F-v_#ES@@FnoMBvyUC zV4T9Y!Mdkh#)_fCR^$5)*a_7qxyb#%%HIhmk5Es$R5)Li@?qr1;QL5hja!WE3HSoL zzRXzmKN=_S3gZ-B>rkF?6w zS+2rq9QQb4+{x#YmiFr~q54yHP8HmDEA+b>mznK8^Z6!@kHF;bzC-bpw?{7!lP-Fd zSV?|Q95nnEEbS=_JIr$oZ(y9jTN66z~B!b9sJ?bVa@p|M}x5|nDm6gl~x{6 z?>GlNTxHkfr@ps9lX(8(yoy*St>jBw6;p=(Z<648Hg-Mt#rRwde_j_j|1>-l|EZiV 
zhCgQsZh^0X6MXK14ST1f~w|vy&%b%O-l>xQO4+;ZTR)!0xj} z^0ZJ0a}wvSU7sbB&@S_F_J=uRQZ<;g&RVpm~OrWzeCz^ z&le7l-1|i(Slc*;$H12oCmdVB$|B_mbLcWSynj=Ft})j8sNc57|BED0zgZ|Ov^o&= zeqU{o*%n)jZ$ayFNOKdsCwUE}ZAFZ|`(^l0tCQ>#VcmZ*$BD)Xd?vgGbx2_g1+Ddg zH=tMR@lpQcG3xjCmRR|rZ87#{d}K~Jx?%UM4qpgsU$6FCC>&0nDHG48f=^cbPT8POiLSAv%iG3cT3?* z;1Oh_A76kmyZ_&1k#UUu4&$kC4_uE=0zYb;!Y{xy!)f4ESpBB(d)Up*@SCvmPdNSo zKR}#vC}4N*A4g2Gdk@<>@PY1X?~lTo^r3~qTE-#mruc_(+%CiVULc=6Riz}H@S(o_ z#gXuGY(Ya|;7vQ1yL2@Z_yiQtP zAXFvryYROyZS_%}W9%CD`>@MrH1-GK6y6$sME+E8C-^ZqhWCKKFMs$z;}kv|{(<~C zj)tF*KgVSFN5lz7E&OBRl;bS;Ib!L=Lg70)ClK|nvEe=%=`XpNP1 zth_c;{wy=x1F zXUtC2+s0?j=H5Gd$HGtg(vQrhe?F5w)G5S2?MqX5p^r!2XXRsZ^W<#wqq#z1E;m6_dJoY&_``szES;_U?#hr;SKEcU;jhFiJ9QjHgk5C)`qAzW6Yc9jy z*EP||S2KP~aaiLd@Ar%M`#II?doh{|#&T?6ey>^jJ^P)zT3D4sO)Dt+u zo?IyMQ*~C5ZA(W{R3zR$!{If7?5~gy%eTwt=axU^MZYvw-G2qEO!echVdW+M4a_p= z%KR-n-R!@EFEV~TQ~y6;S5Th%d-4Rgi_rfc6ZlW~2QEzRm*xNIFZie-@hL6v1U5008_<{^y zli`~(e0PQ)%J2^}tp6J?)bpnq`)@M*R)&Y2+UKv|0|;r?$=El~u)dogeD=-QpYwYj zH;#v9>_=y~Cc`Zm*8gW2^3?zP7`Q9r^RWzHo?-nTioySejQx%bKayehfAyK(^ndS# zw9jUIUd!-X8D8zQK7acUe_VU@_a{R>n`C^V#+J^gre?wkCrmiC=ENgUJFMoUQ;$2W zrY7pzeK+j-+11j~IHRSZz9`p*ISu^mY;11m=&WsSi<(!UV~PQ`*Qjv0#E z+8Wwxnrgcn+M~MG=H{qjUPD`L=gg?Jsoupc4Rc*QqqcrVLuXB2z7)OJ9(_eOwYJPC z>PKXrz2#18ZEcEb4t76ly7uWyQa7`@$JD{)6sZ#gTLg_UFmp#dD9!4I%!aIZCf<0YkEy*)X~`7*3?kLi3}0t6ZIyV z*??n5cSl`qQ&UZ6du?5V>Oo(q4_n%!+V&Y8QLnwdJDT29i>0l-L6xhiYwg0XxBEM0 zwzg+ZU2oKN&hr_xwK6(2H5A6t+|<}ID`Vfq>d+zZRp|Aa);1lhOR+P&bDb1Xbd?&I z=eUl}_O80l;!4_7+=04m9~B9Rrg(Nkdu#E4;`sfY#q}kp6rj$lX=-hq)zwzh(A3a8 zZrjX2>{#4Z3AgvD8mAY>jde-4FV1)QSn-{;9kXhTcc|-XZ>K+NWTc2t#f;Am+pApZ zE9*NhTT1qV3d^L9I%l>w)YjKDwoGs3jzIRE4G}-Tdc1Ilz5gMs)iaP3MDl3ZU;LdArsA*}fZ}3z{=QkR+ z*41@!12(p{SPIwh8SSlIZBZAgo7-yI8)h528uZDtrM0thdSgR-M>NfAxC76&)~3d~ zZp5u-bkrdH*0~M!kvpNI=rZn~-ZKZy3|!RQIHTRwqo%E)rM{6Hz0XqL*ik#JiCp?j z{zhr9>!Ny$O;c;#teO_4Bqi*%cC|QrM_WT(V{MbOs~6l{(CtpA$$@@youhPWen(Bq zoVt#=&cUD0WV&kY>daUg>*u}ij5&a|WK5Q%rm3-m>9W1f)sv=&O3KvO)>zZo>Jnx= 
zLUl7H#!}UE`MfVw1L(xI`Ud82W=MB-R_nC7PK=14m8(vHPI&DN9o%k+cY164 ztRTi#&B4>UIvYCF?55V*db{Gsl?M9uv~@JP+d|UoYGA7N=Jtl>*3JfZ1$8#I)UcS; z&1n!dw$80>WPDJ7v`+1usJPa-Sh zYFWg9Uh8UGYMCVvFgJ3o=CH`3x|xkl^%z)QrZJVX=;?;6X+r8O9)7-IrOmD!Hc4sm zT@(KHTA76^sS~vmB-@CeM%YJpS|aE@k6!DIde4ab!ma7`uaJ; z{ba40BL%w?f8Vq;y4%OM+7h@9Xl?Cur_J>6bOxlk_AD2-wRSYl3z;yT^gFLnC9Jj7 zt=)AxedfsjkcjKOTskxsTIE}6n;RPIYddST0?+AaX!h~UWmA7TF-u=v9+eFT|>~)(bnENj~Ui0pJ--nOMPTBh#$pp(os7{f-n_^39X}+n~Z;K z35>MkF!ox}J?fg<5!H6pBd0pwYDzOeBk@1wyv(TMw1mc=&np;oXu&@oM`OkwXsle|Mspu*^?TrQCf9SJ$44e ztsm{J%p1Yp(NsIF-vxIEv5?O24X$fKvE2I2`q4VAi)Gw(gvO(m3T907A2$NimhY)> z=BM51%!O=CHRm=9BX4jCG^sLfntW>5S+!-)y>rIFXKvd@TP|5%)DN~GH)^xcFh_gK z>2A66GjmHG>>||PVD=jTS zp>9N-w4GmD6C2@XO?Q5%yPCZ`+u7}EVsTFHo_FMDFNba(XIg7zZm!8%GAvR1mB<;} z*r6d8x4Y29q4C!b-JKqM7rXVMvuRpQ*R;AwQ#pI}wniQvT)n5a*UpIC>d>LBO?_i~ zXCt}wArm;7igcmdbA8R+natp7QF{%N(gvl2JX{;xgHFb*?Wg)pTH%)LJ*{tO<6)`q z!gN37D^uUK{=9V#L(xTHJYwjsV=L7*)2ie=+?57OAZJY<5(Z*s9&T-IwiBpk#`HFZ zSlcmoU8dG{tvUXj_WJ%*fi*Lk0(&ijP}kYcM8H`2?&;m}sRrDk$kE?GnRC~(wv;jnuz)htyM+~L`bQ@>AKHx6p|)#- zqGthZ6SQ>~>k+D%(VkOVUr$4!S$?t+_S)JT+vd27bJ>6)4W+KBk&CuE?acQ+X(La1 zXjm6~9cD3ltQ^xC=xwUkQpci#X(pR+o&a{OXJ%v1Rx^u)wqEx>F}izzG@V^cJ=$Gb zyLj&GMgJ6}bCwLh?dW8i&#lC$)v(8)J{@R+I=hv>$xRgN zps8Ux{lG50hNpElPnsn4>cKbIm7>SAt~Rz3Y^yavxngNRU!8Qq7Kp9}{M_l6x5jDS zTlw_1Kqt<-7r2{wC*bay`lw-UGfMV5nod2esLR#cZs=44J&VlMT3_EfL*30BD>Ks! z)0Q3?ou}4d%ZKg1y(KC}dRtcQ2YC2k{vp}{r za<{Qcw(tnUEH z(ve3Wc0$cD$DVN5i6>1s;iM>7!nr*aQ}DDd9?Ckk#qurk&$i6)bZB^#QRUE9W1Zdr z_(v=54ToAv9r$^|Uq(LuS;l4$JCUq9ni?9~!p-GaIdFwx*Of4=Zo6iFo`au13x4ii zb(h>?CwkvKsC&gNanozr3D;-t&YIfkYNOl-UL*S!w_je_#hI;o@1?Cr-TQKsQ7=Ne zcvI4cyrXKV%bwdZo;A7EK5Ot#iCIfuZLJ8ae@$&?r`|oiuSg#6I(RzHrf;lovbQC! 
z-a2*n`OLmqV|rsdcQA9b7Efel6isU+cfD5#5B1adLv$?-w0(95kJW9gp?VW2L-Vw# z%`1T(Cfkzho~I-p8fzO{qFOtZ zLo1_6)Hb7a`gE579XW%4nym2;XLDKpwF$4){OcbUl*qqFg7gIMb_G0xYprgZp$gE+ z9xS4VF!Az3kB6=jdj6v!*|w-Z!z!tXh7^9y+-nce?eu!zg!r+jZRZ)$)pL4_o16R= zorlYoR(IR!g;!J5<@O00C5?E4e?ji8yYWoTV-~Z7#gtUT18RFq1COx&k_u-&l1OUY z8|#x!Vg@?qut@QQla4&u(ILkkecXhTcUNI}?sn$!6_w6p zwd~Y>gxuP+b~ZOMn<#HyYfqov;2Wp2Y0`tBws~43t8jD{>i{n(+*<{EobNqH+H4Rz zde7~pO>lQF#JKbIc|~m(J0#s4e%;~WqRVNPPaoXdBKQ0}i`Fpi{%5c3INg0W%(G}F zk^k9yl~aG!G)mQR?K`oVgeI{z^Lo0@z4wgV=Pi2Gg6`N2wba|R6qD!;F-Ae z4n+^(4s;UUkl4kuwKDfsN1w}N&%5l-ZPu$v`#{Futp22T`>ejp4TG%_*==8Nk3&d7$i&wlmY5nHI98ttrrH3ez@Br;wGxn{(#OnH=W)$(%E1 zCdI{#x~@?`vx*WFB#VG?MU9G>)vCcojVoweP@;=&#H!H+4a#0u_PX}s^7p;(@ArLw z`ArLQU7l;^y!qsNKTn=NpXYw==f3Z}=QSOV=kKL0vi@Y$Z`VF!-Jiv4CXbC8rPucG z{rn5JaEJBp;-ciu#A@@jZhuj}?mawM<)fe%IK1g$%bJ9_!{F{~cg&X5&`3LW_x{Ty zoRqr*yRuSSC4CT|;mqvwUI_L@4Q@ZsW1rQ>`Ho`;&l)}U;A#Do)p?3crRIQO}dMB(5}Kg`UXZP>~?^*IUgE@cWg+-dX!QRE1w6` z^JuCdvjci4z+EMEz}g_uox=WqA&*5^t%>$5M&azUa_6ztU%1C(&(nRu9U$&4ZkyK3 zy>9(EdC1PX74k#ggFATEy_S0EP=VTk!m}T)YHQeDPg zh}E7LIK6pyU{52rA6R1@uU@-)5B=OPVzA(WT}7zNC- zEi?3$M!JvWzpoV62i9?54{#P(kKn7;PO^EzFQy_-x<0c!aLu6~cB^M~vsC%DYEB#g zb!X*6m~WN&HJ8X>VsLfVqRYK?SMBKJHCY{LC+hZt^A2=ta@y?)O)z_A$=&SPuiU2v zH*Fi?fIYjUZm#r}8r84Zg7&ayYq?k8bfRksoyb;=drUP=3i_|{Q{2k5e)jUe{!?<0 z>x}$5UAlMgpc5ihB0P?_p>r;mUglk~J8wQTa5c$}E)RRHY92Mv%f*eWsd>*gHLN2{ z{UHKf+2YjNQl(-izQ7x2x%#(mkPA4wclD0-|M|D>r)&J`1M7E9QyEMz>xH)dO6%)q z8?C@Y>kS*Yv}edW*4npwMtH-V&i(Rttsfyh_g zO|0+U8Y!rIT_uv$=zRFur_Vn8-5>t=b7%G#`rL=lzWu`=`u5^=?|!)Z(dRzTyU#xR ziDzH`_9vcx`t@&q^y44;w$#9U-Maa{-6^i#O6}vTXxgP_w%gpKq8*JJ)}4Ca+_XwR zwP2Hi_Pli4>S><7>sBeIW)rGaJR-j^eBSCmJZ+^{_Vkh}dO^O|o@f16&tIk|G8kv$ zcUJ#%wdty|Zj{tZWVHz%aP9tP9bvbxVgSi{KX2MNAG*ciZGQU5n{3w)M*H;1eKZ;c zFFr`UGuT$!LbM&zla95)(1brPb`hkVz(-iq-{!pJ?XWl1+P8O;JZE{pNsR$(kXl`6 zPu%w0Vr>@m6TV~ ze^I}tBVu(e>St?Usps;Bwycq;l=y;{O}DE)tb<0XMGWSptXrD zwwV`4p0V{X;1t;thWqFzQ(3JNb(ssFN;d|7qRc#uOR#)8`}v_>?FQ1thufZ|>f$B4 
zD6JDVwe}z6*Y*TueT>Q7bOg{OWU;hJF2(j@E{8c$_iav8|24GvbylqF$Yz(MzC$(_ z>?oj1-Z~f3z{&+CW79(#j)m3b*oV9j-{5G;i`=sO43sOobSJ)ed3Nvm;I_@zvAGCo zAym(1!@a9^X086orxGtuw$?1LB4)*lg}Hp!9uaM1IaNZh-9t0hZszwf3CKp@?AWCw zHAieE*X*i(Da{H>HLBgJZ4B4C_-~r#sOoLfQGWS6BpBF1M0*%VF8y^SZzj)S{*n7% z^ML7X8#uaY&tiG>^wwSLJ4ubzi-$dH+=O@1ZLqj`@8vv7Y%fp%x101cog{Zdux>%S zZKjr^bw-@uGE%YERr0KtDO=Jod0|h)c68}7_vV%1odPA!(6w$=j18u%v0?4OtG97o z+WFyo=aogaAKG7BU+Go4j4m#*e48KiZTeQ)g!ECV1({jkwEcj)Y4q^ymbIvW_wU@*JLn@w#jSywURW87 z#--Qnemh^p+EKRjwOe_SKJI*Y%uGs&L;@+Pw?llYRxqNGIFF zG3zX`2Dm-^+g;vXS!ZW{VHZalG_?-Si8!}ngX$8hxgp`KdoJOmWJNXZV>J0+%D2xDD^W~ti+nfu+W}; zQW;K8JB1{Kjp5*7IG0WDWQKUd8#bfI#^bI30A((4c*AZb_ibD()e`n9-wEwSstav= z0E2o~Q()!RRL6nHA7Kv>b`2LdhUrJ@kk2pAOwwE_ShaUv`uW$aMz{Z8vHx$_wR6MH z+>N_;?SDIiHYSRjp{>jjYM?8&_Vb&az4j}z zi4N$wuvX%AYu?;_DfL2Ps!$&AvEDYTCGl{9Ih)o`^@6S1Z^_N4n%~T(IO<;OQnkn6 ze4NvWU3s#ZrZn1EQ>n?UHhuA1J5Qf|n+-mkJ!=iVItGI6 zbCVB`m7Id|7|L6(9^QDuW`*3giHr~IMuQgY;CcMWdFu1C$+^}F%QJc~qv($HyI6_z zRB`e1vSmdcfnK3ZJ1 z38(n;b!a4^U3W6K^klX$m$pJS&oqC~&FgL!C=1&|`va>CtkwFwwa4-&S@m5%UqZ7{ zaq7^sW*ugn+v?|-GV#+)?NYMh7Sz#Vz>9a-E|h}u>pp<>ov+@e(Hde-tIeo=hrPrn zeTyByC*Rj7u+NwvTYvSgm3ikotV81Q4`M>`_cp$-{J;mwkALc!XUaeOXUo^;SI%>M z64rJlt&MZC?T&nhyOSG0sVUF;nFzZ`4oUe#c{<=Yt#HcYd(z z{=?pH^Mtk2*e#q%tG4gF@>2clpH72M!q8D{rCrM0Dx=q&Zc1jldS%Z@`E2NpR!-#i}P{534g>QkCu($)BFQXo4JPL;`m~K zedHfj!PzO+RLI9lD{hCt*79Dz5&2q67et*`MBdcX!VNN;d_ z=%NJQ@CEbHKobBnd8`eBxpWv49K4uj&|SmGqgoBvT+{(}bFp6h)FnE2F%5v+XFoRT zUIyryOj*87TPy-*$Xs}Y)|bKyNm5rYVq37G;D1@ z?Y?4A4HFY-(#+X`6zZXEWciaYS@U=J!&w-u9aP0jbn_0mxkUOTd{+babsN3MD;%a5Y^q6q2e0r>Ze!ZR@2fTrc<07#dq`(L(apQ5s~pE5 zzszGt^1>P%c`iMMUGG0{?H9~%uwHOX&%^jvnxmI7&DP^XDJHDtK4jj1i;H)1&l|pj zg9l%=%=!;ZCQNfnb1hRB+?n+zaE>kJHe0U)rc~au5snwrGlezAFmQY0%=%;P4SQy$ z#P-u#PdD-rMrRi~%5^gAW{iVuOWb8^A-%*hX&A!Fqs#k-bh*1wkKrP#LC3=JCX?AoZ(z`jUiV?uZe%Ua}XI(JH$vo^G08o&|^hupf3@1@wo zgN^Fh>*Cex_wS~^&TihuEV%sehMtJ?8MlKpK8eSM{FM&-$aLM>99Qdxx@9vYtw3=< zO)kUV!@IX~wT6LOoq}{>rZ@P!g@)sM8)&ek8aRDBC|9P|j7cwwn_0S>=4GxDZlaN8 
zZ`*Cd{?>a}pSQ;rn`4nD8)h<-Z7R|=`%98xW)kNN-bAf!k%-=1r&JJXuBS6+`Du38hTc3l9kwIn575Ii+B1~0pGPTA)Ebe11#9(+{cp^NwxFM z^Q#d@z&c-Se9{W$%i9i{eX?Gs9TK2{rq?%anMJlxI*B;cuiDHs?5rDHv-4rS3Rdq~ zYu@gZ7COFXvm@;@?|sHP0#aX8+A5omCem~L176fO&+epey`7!u73QA1t2`r)B<5Mz zR5QFx9ou$->;ks3*w9o{*vYU_ZQCH!Z^+G*pYH@VXrf=T5|H2D4VFF!B=}@GX zXP8CLUfuN4#sptE_Tq8>U$T9? zR=i|K`R1(wexmBKA2Jf7Rrz%BY~ z({+-jZCSm4zP)y}+Q#RBAsZvKxdzxH+q+vxpdvi57x_mTr(hHC>}9)4KVM*CM^1B} zXL|F7&7#CD(-uqzKAli|Gk-6`?t!=R_N1TI1$!Qye9MVK!8>n~h;U=!M} z7uM0k(SF-eo8z8pAXVw8@~r#J&WIg>+i4ZK#u{MW`-|53Jg|Y01gW8c?yBOtwZU?y zD_>aOkktWJG!4JAGK2-z0LlZg$%#bQp}~2UC)1y!ZC3vH^LMOu6W+05^mIj}wb|y_ zV9hB%i59Tk@vR0)TAo>rnad4s+tyfn&)%_4MZRr=;`qj1Zo9)p`|gRgvtP;ka(?gz z_6@p0@q_jaF;?FBK;q`eBbFNZXd>Yn$`xcjS=MKgWU=9d^b_Mgxw(lcPxM8q)>&Y6GcCcSNf0ZttyuMfLqD&QDmd{RoUYw}4*u#d6 zX{9R)Q(~y_J^SVZj+3q5rlw)hQ~_CypFSZywOaj=zy6hKHq>tEp((XWtnRWm&;o`e zgX=aa#s;1-eIa*3ra?rj)KVkOrlq6r$Ew%dT0Z}xg|!~+kfxSFn)#90ZawMk+$6Yj zFRvu+Pnx)vr)XSFml9jTYA&bR;T-U^HN2WX(|+da)L!IzEq}wsYTVqcNf#1s@Td=8 z#-n#?Xq|rnJCN-kuNxpw!msw>r1g5{YjOk1rZlF8IF9u7m+|-gGn?v!A2xT;ZjAY@yleKW2=pRf&o(U_J(f0f znR+JeMb`IxGLfAwwes$t4byNo%3$@@D#6Xg>SXJOK6^EPq+OqBR14pu&o6mY^CzJs z`#^1fxSuvCVeh_T_eQ%ytl~^x0I0ctx803y9wt>o%mLdb*H9k z)Y|(OFEI<;H=XdE8_#G;rC-rt2LY|&bZqTR;2WaYSUd`!y^60|*x0$XGxLNFJ1#Z@ zI3M|BxxLZ13m7Zsh_a64d9%%Kem3jMYCNnMS5#{3qcoljZP)U%n(eDySNQhn*=sM` z+g9mefz-vAUgcI;YM|l};HeEYH>YakXI0xAJPRe=?RDx6$ln?{U&LHfo>r0$Lt5Kw z_O;p=q8*)Q`CPk|uMaz8`2^$>mCnWWmu=J0PRA&g0nU&8KnHr7>VTKG)0YD9F52&( z$ZI&>fXJB}}GltzDOCbjyBP zAHOvR?FCkipXnIjMLJb@<7Io~K%>-NXNByAJ$c#RX@zL80rG`xFKmJ0rI#(U=Fkt= z4~)^g?{d zAFwOet`K||RFE6Ic*aThX|*%BtgYW3mTY=T`Ua>qPwm36rEy2cPt5R1O|bm!DqO(& zOq}Q3I=gC9UTg^Rs@-gCaJRHSc&tCa$Jl_#C%*f`&pz{^KlAh_&p!Dno1=90u@8OZ zqu-VWE>dwUa`ESUG$fsZca-lckmd0N%>GD+F;Cp7Kbl%`xvDwu`giZW^yT8%ivOyg8t6(m3xqQ&eck<^4%Dnm~GNYHhQK+oln9}W|d?#Mn>ds3W zSTB0Iwb;vC0pSIIi2`1xG*4Jb$@4aBthe(pX`0`d-qf8rf!(;%_eW4VwOQ~Ye|aqB z>DfKMx@AM%7iDbsZR9(BNNPRgm-%CJ69oO2$j|SZn4Ok4#=T`XaTLOZVm~-9H3Ppf 
zktVevOt(+Gxc`cMBkf|SS4S?bA+>^1A)B*dWpm|4BfQCl#-(fqlOF zY(Z&A7FWN0a5`L-w>1yIuBhZ!RFgc2rQU8jch+{YH|uN zCD96U_w36lchl*$_io$oIkA3XEM?P0Y}e70%l9NqyS!;%Qp1XMj&egHxp?`q4x}lA zR)^3YW-<5Qz8s#bjC%gzPW5xWU! z5!{U!CJAwaxUlhT!2ET7YpYJp=7&eM)6q;-S=#u^uUlLC#6Rw3Vw?T{=T&E`JFlfN z!-Cf(j`rots4%Q`_yX$p_k4j1Oot?2H)&7v%X0xB*ylg>7$2}^gnd??!BEdjJ^^}H zdBvt$lyw_eu?f}Be)QuXNx$r_eB9p0)>)I&KEWymG(PQJTPAPxqo{CF-SGGaE&g7_ zww|;iYmR(d=Tm3j`l+Y!i}NrHZ6AU)exFrKwuXy25GEeB`w9G&Pv89?#OI}n4(AOM z`=q*UORA85uuN-9Vx1PN$4$~!bN9klX?w0%jhF7t`JkrSz&1gGr@hsh9{)gT+h)Xte(%d0GIgC%7*&obm_yUJn`4d;ZP>HLrsLUT- z;)(PXv?Nj^Ji5P)G$Ah)o&9mZ(Yxd0igf;x^?|XMsb4tZh zXGea}$sLRO#(Hk4S$CLyM;PByzi27pGQoG}Z8XPzPgxo+PQ6GMC2}9QU2)bCpQq7s z5u0wwujg9LpSut+repK9-1_tE&GP~_P=!${>u17G_GNQ@snYOLrOZc5q{$3-jlVlc@1 z0IiLB<38?78Ye#KlJ|>UdvvmyPh@!g;LlD-}oVrF+)79Ae zk*T!g)aJE)vPm)dTRrJDeM+yfBis-U z#iqCM<$U{IlZ`9oc^LZsPWqZnUZGWY`3pP6y6Phn3RxtA*c z2AR}>?~Zut^7F?sb-vlywY`^qt3~dUKYz|ho$B^@p1(?`BkWdqe#+c?5ANK=BrQC= z6(_x%sgE!B-rjq_Ux9(^VSwKNY?pr;aKTcjE&cC}unuqgRuboBoqmry&2gc87?rjO zFnN9!zSi;ure>vqpnS5>`Ia8X&Sw)1{{+G+;&b#zTcJdqM^85K0$LW{Nv{>rdTYfUnvA zUs|)zCF9@Yy8JbliVhk7R?-I^yHxbZe}KGksTh-g=w0^jWVY<{u&tJfOXJ~V_HRGh z|CeoLO~<8ihy2TyzuEpRf&rI*gZ-lkm%sf|F(fyQA9?Ol`gdBe{ujW#OU0Zy_-)1u z$EER-{Nt9trF*H^xcsu^Tk>DA{H?ECDt3+^HQqbEVtjCX*|@N6!S=k#{-KRePc9V| z$4?p896w@QC%dckj$AgZ{IA;ab6hp9+V6_j`tkWS@|l%?WMlgu@=nNmfd}NDv*k-WnIp$l<1zVH zEwBE@rDE!qf2)1ojQrb{f72}g8%}=v*392?#r}P$mGxKI8i``!7M z=l1UulE1cP|J3R)7WvKpU+ z>+@^Izh~?EN~>rddgfBmB!8#zn>v@$zn_cz`;FiDocX}~w(-|>?Rs$hR^u-DCoF&a zr)~epPkx6TztVgl_l&E3+dpF*Pi@bP`43zE&@J;nQX{yi4*CHr@#-uRQ| z@0;@eq>Ib`D#2(CQ}Vk$X7$5o&3AGeY}e!5@mq}-j*)N3eJlU4T|Wo%FB!jgYxP|v@4xaY8TrGO zm*hV%e!uzG4CPxcf7tRa`C}iq`r3RPkY6-@_;a@XWF7B0`7@SZevj2>fmh_2ka{U-6!YiZNN+J8}6NET578wv~VLGY=ID z@|!z$Jem&``>_0hEPpF+&if;OYh>khvOd2-mcK2s{B1jizn!prH{`>RkH|XTlfYB5 z&i5?j^N=se+Wr+;=X>oK=X>KA=X*;=TjqW>y#^-DM8J(r_?8IV=Kj6?Z}%Td3~$*NzrWS##VS$-eM^1t$>dHa>u z$XdQ6%l`&h{x==N|5jMO9rAw22W0s_3Opvu|4GQFA)k}A{R^`EUpj{WE64DEO_u*V 
z$MAnomd{7B{Kr2Asp|p$*T^bgx;)j7WclAE%l|%E{twCWf8-ecPeb{c%i;fmEdQ5e z`M)L0{~cL=?;XScgJaxZt8dBsFaH~4`QHwC$K~+9N0$G?P=4fc_&+7f|20|Xe?ykv zd$RmLhP+bE+pp!TWcgo`<$v8V{BMNin<4LpyhoP*gTOrWcj=&%m0I8_+PPqjPa!XKt_4^Un9%^Hd+36$@0HXmj46Csr?Yj zPh6hb4`lg2C%?Iq+Yc+U{9lvh|Hd)=-#Ui>N3#5{eOcar`QIQbZ@L`*x5@Iq7s~ft z4*y4F`M)IV{IAIJe@mAC`;Z^Q^2H;0`{jR?EdOhc;eSci=hs8t4ta+x|9gS^Wcfb` z`7q>TvOa%8mj6@7@PFnQ{?Ezsf8`kdugUU%OP2pT$MF9c$`@arkEi^vkmY}qEdSeN z`QIhW|DI#`KMdtZE{FdUvizTt<^O^#|CeO>zj6%!*N)-;o-DsBUvcVxNmgEWIs9*u z<$ouX@46iR56JR=PS*KfkmdiHEdRG5--qQ7WcgowW!@k8UvUiot7LtCE#%FRx5)Cp z6Szy3|Gkj+Lp~(y^G9U)KXwfNCywF&lq~-jj^Y23EdSSJ`M+@t|M#K%!R4s`k7W5@ z|9kTBmH$n${BM)xf5$QW?}zdOm&5-NS^kg7@_$B_|8uhZUpR*UOULkkOP1e9vg-e8 zE$^T58W}nKuao6}E0k}$9RByn@_$O!`Ja*H|B@{K*CF4A<#%NHe;~{Mqht7Ad{y2* zeSU?E^2qBUZ;<7GD{z}E|2rY?hP+SK=MTv8f9M$gj~v7QFo-F@sUw!I-oh<*GWclB64F9{Ke9z_Ze?XT1L$dszkmdiBEdOVY;s4w* z{9lvh_ns{Oi$8hle}ydnYh?M~2<4kDhyNY2{2!Bb{wHMlKPSuoWysfI`3+hA@5u6h z?-+g`!t%$E*X-Z?MSEC(O0xWK1a6Y$e=Fqekax*ie~&Ex`;OuNz%l$ElI8!zG5nvB z<^P;4{}+zo|2mZ4xE%g($@0JQwp0IWWcgnw%m0RB_}>oYJ1&R+J+l1oljZ-2EdR%3 z`9EH?FsQ)YW@9)A7`CpQ?zPiide~T>thh&}q5n29E$?|_5 z@?}_lMV9{?vi#pVhX1>;{66HBuRZm@N|yg+;5u3UH$vVFd7G^L?~vtx*D?I>Ifnmz zviu)8hW}%-{GXEL|I9J`UxxB4m&5-xS^gi%YX4Nqe7xj;jV%95$MC-y%C}q&|2t&) z-zCfc0a^YJ$?|{X82*nP!~Z#1zOKpge;4w-%i;f#EdQ%tm-k=mtC5kz{{~t9_sIqS z49N0-OqT!Ckk7;N3$pxQk>&r|G5p_z<+mX}hP?Rtynph)8n{N5|7FPQA#akk|1Glo zZ##zn9mnv$OP2ow$MAnhmj7e2{GT|6|MO6O;d1!DB+LIjS^gi%^1t%-e7xj;)iM09 zlU2Uqa`@jO%l|f6{`bi8zfYF`1IO@x=otP_$?|ncmj9cOZ(R=m_hk8Be8Z{#6|(#< z$@0HT*7@&|<^PZ@|HmPphUI5u`M)5`|D|L2zY5E*L%t9Bfh_-vKXrONRLJtb8uD7m z>tyYJgDn4>j^TgHG5l|n<$upH{O^nDG?bsY9RAPA@_$Q~|9i50K9c2s z@#w|%0RL-bl`mZm{~Kia-z3Zb4q5(p$@0JF82zWbJ=Rmj89f@W0_0{x`|;zvCGGcggaMl|EFa6zb4E7 zEm=PA$@2f;82(q@k&lncSIH<3|4Xv`uao6}i!A@!WclB54F9{1;s1~<|EFa6zXG^Mv<$s$j|GOdYhvf%k`9C7d|FL8E zKMBiEL%t08iY)&(fwyG&zYF<3$Ua`QHwC zH!R;H%l`pc{tq3)|4~?e9P)X{7i9Ur3cM!E|4qoZA>Whb|AGALAJ6k0kB;GgapmIr zfd3V;{4X8D|2kRzH_7t9p`ClW;|I#u1uRDhSZL<9DljZ*?0x!w(e--j|$hTzqzaz{4 
zy<_-)a18&CWcgoxPd=Vt_+KN-|2kRzHyp$Nb|~L*IsEUE<^Py0|EFa6KPSuog=6@? z4&^s4hyOdW{NI!1fAQW^|0`tqUv&)sYmVW+{TBLE-^%|kS^f_~K6E+!ACu+(ER>(S z9R9D!^8ZNI`7gdHZ;$-1k>!6qlMe;}*=Ka%Bt(aie;hW{1E@V`!$|827T?}fbY za`-KD3l+&9RAP9@_$R#`QMS{_mM3BEAP+StGq_m@+DdRH^}n8 z=@|aE!t(8q_d`A)%l}c}FDqp%B{@2O!ze|??eX{%?lI8!%G5nu~@-vsi{{>n8FUj(MLze$rvi#pU zhW~rV@W1lGQ~&E^`QHk8+vV`TOP2qGP=4rg_&*`b|20|Xe?ykvd$RmLhP?9k^|2xO<{}{>_-VHXAUUxbCZ<6JICzS8H9R3f;@_$a& z`CpLb|C%iSw;|t$`IEMfGQ2yX@)c;4a{I5TqkFWf1lI4G!EdM)> z;eS7rAGjR;kI3?WOqTyMvizTu<^RGl{9ihT|68*BK9W`cSFJA|{qf3cWaRL_PL}_z zP`>SQ_}?ST|0!ALe@2%7OS1f5hkP5B-;w42fh_-zj^RIk;f|l*Tp^=8@_NV{Wcl9; z+$PKaPRP3V+faVza`?X|%m3O( zPyMfx<$seb|67jXe>arxxg7ov$nt+kmj4s7{GXEL|I9J`pF4*CYqI>_ljVQ$9jE?R z$nw8Nmj8`VzUgxK-yzHYFxkGkmdi5EdTe8;rAgde+)Uc!(SgI zS^hTyH_7t974mk-yJYQuk1YTDj^Y2nG5jBr<^RMn{GXEL|C}uU7mnfoI+WkI9R6>~ z^1ovB1dfmD{~B5T*U9p~;TZn6L-~%&;eU@T|NCV5KO)QjF!~Ygp{twAI|08nEjx&CL&y+0x=OJH)4EdRTX;eXFD{O^%scue~m2vOULlP8Opa@4*xr3`QIhW z{{dP456NvikMMis82*nPBcGG|Rvy1!X-$^@yO8f)4*!p2`CqkhN9@1WS0f{b{|&PI z?~`@@2W0s_Cd>b6$me1C1zG;D$nt;f82)d<^4pLfLtcDW-aq+Y4O}C`EBwBvGUWA; zH_6)n7Fqtc9mD^QWBA`C%m0C6_&+4e|1nwqPaMPlc__bdIs9Le<^P^6|Bqz(UwJkk zFZo|}4FBt7m2bEl{Ge<{ z%l~S~Yay?bwf_yW{BJsj|1HPxzfG3^J;(6BPnQ2fviu)8hX2!0e&%xcKPSuoEm{8W z$@2L~mjA`4F0KdoUn8r0>2mnrAj|(IS^js(^1n-#|2@a>zwa3SkIC|XPL}_xkgr`1 z|F>lMe+cD|E=T=e{qDT~^1n^i`R|bBf1fP>han$_Xkzu_4EH_7t9;~4&T$@0HXmj46C@P8c2Ph1ZF zr)2rRCd>aVSw8Q{^8er%{#UyB_^5o9jPmfmB+LIgS^l@k^1n@%{~gEhzv~$O56SX> zN|yhNkS|>h|JP*szYFE}E{FfcpE>ovN!Iyqk>!7vEdToeWcfcK%m1lk_&*EF z&qKZr`Gze2cY*h0`F#laG31rMKOYb6f0Zo%YmVW6=@|ak$@0JD82-1(^1n-#|2@a> ze;CS-Tn_)oWcj}&%l|c5K5xnLf9DwfA4B=#d-L&-|5dX5uaV_{gDn4>WclB64FB7X z;eVej|HowcKMVQX3Fm zuzZIs|9fQl-**iE2VwbP$fqHnk>&p)@RBV5S0P`Ad`m9)XGfO*d<q;28cN$@0JY zd_JCF_+KN-|2kRzHyp$Nb|~L*IsEUE<^Py0|EFa6KPSuog=6@?4&^s4hyOdW{NI!1 ze{ucP{|Z_DR~^Iunq&CiB+LIUS^f_~K6E+!ACu+(ER>(S9R9D!^8ZNI`7d6``y>Br zWcgnYd6TT=TV(m)A4I_}?bW{~=lakIC|XN|ygK$MAm{%CB4w|2Jg$ zza`8616lR|ku3j<7xVD|!~cq7_+KZ>|2A3v_d?!xIs6}z<^Lpf8rSa 
z&qMiz%i;fuEdSSJ`M)E}|2cb2 z{trU=q08a_ge?EpWS##FS$^-y^8Xm}%ALIZTE0q_|0VhFJY(%)^S$mE{x`z%&5(CP z-XqKZLEs@-{*OXF4*8UhHM0C~ljVPxEdTpt`9E+B|Hq;H#O3gRMwb6`vix6><^P&2|2K}||JE`5Kay4d z*9Lk2<$r^$yyg?|1DYm??ZkJ%NH-_?U(;mviz?( zhW{m5pI;AoJLDbmXFhK8i|pUK>ILqT<^Le$!;p{3`uqu5{!bml|CwX>KPSuom1Fq7 zCd=n7S^n=F!~bI_U);;bQ~p=T^1n%z|827T?~>(z&oTTThVmnq!~Y3c{!hvBe?gZ2 zOS1f5Ifnmh$MAnomfw~8r~a2@<#m_C|0Y@fcS8BD%i+KMOR{Nxko=#Mb^aG*`M)O1 z|82fYEk>&q^EdP&=;eYX3-ambQg^cpZ>mhHD<$o)1n=Jo3A@7E~ zPuAxT$nt;a82*nO!~Zc^{?8o4|2bLyFUj(M{WcfcP>-Ge^P<$oh^lPv#R zA#aDgOV!{!bjk|0!Ai&&l$C;TZm}L-~!%;s2H_|11B%ssA;y z{I8Scf5S2SZ-??7m&5-aS^oFQ@_$5@|6{WJpE!p9Q^)XsNtXXxviv`U{OEGj|CK+R z_h0^(WUa66a`@jO%l{!+=YK?&|5LL3pND)ImS2(O|As98w~pceE-b$fdF6*r{jZYc ze;K$=mj8{AH$&bgYyUfB`QLR6|9g(%f1fP>M~>nDm@NONWcfdH4F8v*{L1CRKYqI>` zg?#UF_*xY$jIS;gDn61WS##3S^kg7@_!ogd02iymj5fV{9ikU|C_M< zHsr^U7o)s?^1m9mMwb6&$m=0*k_-N6k>!8eG5qg1hW}l%{2w@m|3k9;ACu+(#4-Gz zhw=-T!~Z2&{_n~1|45eqm47H7FZo|}4FBt7m2bEl{+9Cu{#3WclB84F6k>;eVSf|9g(%f1fP> zhh+Ibat!~cq5RC{@PAI0|68*B-;?F@ku3j{alI4HhG5l{hhW|~n z{O>r1|6Q{D?~~>Kz%l$Ehw>Ab!~ZE+{;$dMe@m9nd$RmLIEMd~e=Hv#m9LUf9{!hP z`Cli?{}x&Px5@Iq;~4&T9mD@2S^iJS@_!NXrOV;}nk@f!q5R(E@V^+J`rjn${I|&R zze|??{g4mC@*}eRpOEGM)G_>@h2`fVUx$1{mjAoJd$RmKg!~xt%0HfuhxWfpmj5-! 
z@V|5n|LbJ=-*OE9+hqCQCCmSwWB5M|c$?|^|^0~|5|B@{KH=+F2t z|2HAuhI~(!{|B=CKRSm0#Xog%eZc<;S^k%f;eVYh|C?m_-*OE9yP!7#EdLvh;eR`n@3Ys-$p0Ey{?|j^By0H=S^js(^1tgC{`bQ2 z{g97CJ|WBhS>QQY{x3ql4EdU@?cb2)|JE`5-#Lc=d$Rm5{@GLiD`fd!Bg_BNG5l|a z@-3Ic|2A3v56SX>OqTysvizSphX2b@e&urbzah*2Em{5_$g2O3WcgqGbNP6H;eW+3 z{I8Scf151-dm-<;9R3f<@_!P_PhAfG7i9UrC+qwl$nwAP<9Yk#e~qlXPS)}bvixt6 z<$v2T{O^S2yCENjd_wN*U2j1a5?;MlI4G&EdPgO`9CJh|A}MxKM&;>E{Fdsvix6@<^PT>|Mz71 ze{c-{kB;Gg?I-f_kpE4x{O^Rk>vH(tC(Hj)C_i>N{GXBK|CX%tzaz`j^TeREZ+`!KjZ_l{2v7#ljZ*;~qgRH#ia`@jS%l}>|-*-9u zACcw%lC1N;BFq0RS^n=sehkYOv%LNCze<+>HOKJ3Bp3Ws4|zM}9kTrI1@4pO{~+YU zkdMg)|4hj8f9e?i&m6=5Ia&U%9K-)LSw3&c@_*+T{vSj6;xFanDgP^E`QIeV|2A3v zcgga<=NSGEL-~=*;s1mz|EFa6zaY#1C0YKj9K-*$WB9)(%kRq1ocdpqmDgPk|C?m_ z-wEZrE{FdEvizTu3;tP<<^P&2|F zXY=uu|4p*|Ze@2%7bF%zjIEMdA$MAnkmfuIR>i_D` z<^5A$BO{0Zb+Y_#h4O8e!~Y&x{!hs||1+}uUy|kjI^^51{EjUD4`lg&bPWHCpU?ZJ z&##bC9(g_F4YK@i1#Xk&e<$SKkoU>@`~g}14;{n*kz@EjCd>bsWB5NO%l{=={;wRv z|7|G0b2&s1 zG5kJ+<&Pn+{VS)}M@g3djlfN^{BMQ49r7+&``;tW|Gs1RKX45Hhh+IbaSZ>bWcfcQ z%m0OA_`eS2H!g?&TeAGG{N+>sYh?LfC(HkaWBA_=Kh%EodWcfdF z4F9K&;s25>|F>lMe+c=}<*5HF|7zZU`CpQ?zPiide~T>thh&}q5n29E$?|_5@?}_l zMV9{?vi#pVhX1>;{66HBUpV!@N|yg+;5u3UH$vVFd7G^L?~vtx*D?I>Ifnmzviu)8 zhW}%-{GXEL|I9J`UxxB4m&5-xS^gi%YX4OJwS2tfe~m2vOULlP8Opa@4*xr3`QIhW z{{dP456SX>s9mD@QS-!5x@_!fdz02YMku3kK|9akkt*=H#4*wfu`QIn&{13?T ze@vGD(~!@@@(Z&3UytvO0 zxE%hs$nw8Umj6An{O^&r8EdR$LpN8dUWcj}!%m1Zg_`eFvuS32M`GG9|i+}6%dZ>`)e>LQ_kk`rD z{{~t9Hyy+OmSgzeCd>bxWBA`E%l{!+{*N5P|7j>cb2ahS^lp=zIHkM-;(A3A(TJ5 z9QA+o7xVth|2A3YzeAS)eX{%?hI|~BpOEGMj4c1>j^Y0zEWZr-Hsm|9{67RflI4H# z?}Y1vth`3n{+DF=Uv~`u8;;?BlPv!`j^TfoEdTpt`9E+B|Hq;H#O3gRN|yg?vi#qY z<@25_{|}Dgf903*@lp9I8Rg-BNtXY0vixt6<$s$j|2vN1f7dbmACl$&lq~-jAz!*2 z{;$dMe;3N{T@L??fA`e?CRyjdMV9|vvi$Fdd>ED=k>&q{EdQsD;r}cwKM(mj2<@X`v$BUD5!%%+Ya`-A`M(L}w=ReO2eRt_`oDL2{u^ZZ-zLldZpiy#`2kt}kI3?W>=^z}!t&FQ zFGIc}%l}Q_Em{8WLcS0Aku3j!8s z82;BC!~Zr}{`bl9e-!eu%i;f&EdLjw{LLRkHlAljVOiQQY{x3ql4EdU@?cb2)|JE`5-#Lc=d$Rm5 ze&y8v3R(Ww$nw8*4F8*Dqp%B{@2O!ze|??eX{%? 
zlI8!%G5nu~@-vsi{{>n8FUj(MLze$rvi#pUhW~rV@W1k3ocdoU%l}r$+b)OyU9$Wi zgz`g|!~Y3c{;$b8{~NOW-jn73G31qB&D*c#t7Q3KlI4HhG5l|Y<(nbzhP+3X|AW9o zviu)~d>ryAS=&D&%m2A!_`h%r|CeO>zi|xzw`BReC(HkXWB6bBwR}8PzDh=U_+KN- z|2A3vcggaMl|7T?RKPSuo6v)6cA|WB6Ys>+@?NZ-%@@mj9i=U9$Y|g}fi~Az7b4BFq1=WB5OD4F9KO`M+=s z|CeO>zb4E7jbr$~59JRohyO>i{ICCdKECq5NtXX@vi$EjhX4Ige&BNWKO)QjFfYEk>&q^EdP&=;eYYpIx5@Iq6Y_4z`(%CofGq!q zj^Y2vG5jBs<^Rkv{GXHM|B@{KSB~NTHk9AF9RBag^1t@qp88)W%l{@>{%|86MX zb2KX(lO*JSyi^1rpZ8z>mt?K4 z?sE9wBFq0FS?7O5mj6?-{GW$>8J1s><^P5(|F@3e|1K=Q4|(NpocdoS%l|TPoh<(w zA#aAfP1gQ*$nwAI82!8s82&dy`IgJ!e}^ppyJY!4Aj|(DS^ke4!~d~k_&+Dh*EL!G??S$JIs8A8 z<$v{m$osGL)yT-2ae(Y&@ud-_+KNdeCcxd-yqBXCRzS>$nw8Smj6A+ z@W1aE{*TG>e@>SFtB|i<4*$1g`F{xIk1j|3U;Ur+{>%S1S?9k)mj8XS{2zvV9G0Ju z<^PN<|L2b3{~|2E4EZ+XJF@&g1U{1GfAP6+eUO#c$lCvsEdT3{;eW$1{BM%wf5$QW z?~>(zpDh0ej^Y0}l%Kd9{!hvBe@&METe5uKljZ-xG5oLmFZuYWe3gvy@V_L>|2kRz zx5)CpO_u*1$MC=F82%5*@_$N}|BH|>T@L@(Wcj}f<@YX!|Hc1$>VK20^WP%N|1Men z_d`Am%a6$Ne?pf3Q^)Xs7M7ofd>!%)S^n<=@5%D}5b|TlEB{+Q9@_sZS^n1?!~fDT z{I8Scf6FoaZlpnbq{*TG>e@T}AYqEUalI8!-G5kM<^2I(M5BXmu z%l{f#{x`_-ze$$=EywV`?HK;|$?|_pmjAPm&s`4xmt^_B3FWsghyMq%>i_!xetP~J zWclAF%l~f3`(gP3S^kg6@_+0Y{!ha4(~vJiz9P&2P2eqA{_jG*5BZTS|BL@49}oFo zaSZ>fj^TfeEdLvh;eV4X|J!8w-*F88`=R{6%c|0P-eH_7t99rA8izDJh-1G4-dI)?wFu>3gW^N=sd@_!Y0O_u+gkZ(i2C(Hi> zS^gg#!~f!UFRl;xUm?r?(lPw6ljVPtEdN`M;eR)j@3|cQ_sQ~qN|yg~vix6?<^Ret z{NIN1JD0=%16lqb$@0JYf9B&M|7&FVUpj{Wb;t0(O_u+Cviu)~eC%@gKPAimMJT^? 
zIsD&{KlbsWc+1ZEPyeq||EpyAUnl?6Gez;PU$pBtVEA7nKl}-s|N92J9?0^) z;TZn6L-~%&;eVI>z}9#9Ypgv)mj6?-{GXHM|H3i+Ux)G=m&5-Z`ET3jz4;ltUy$X0 z@q4HKSIF|e>KOjl9K-)6S^js)@_!KWq08a_m@NNiq5RzC@PA4Eu})F^iLTA(b^J!- z9U1<-{kolBvivCi@4UbAuS!n7S@|Ye;L!@=)%D?3~yDnUQ+42MVhu&q!^_H#Q9wo88;<54Yv7-2C`~R|S?94Ih z0;}p${>zrX`MIJnb<^^1u+O_ZFz?8hKWX*EpSSbo_)+77<15BT$Cr)mRHXHNk1c zD<21*l7H!&?0ne8up)nLt0?~7U$kv{IImA!l7IAREC1P|Xplc^{Py1|iZ*#?{P5nk zhy1pW6vdbPeo+h@*NjKx4_IEalRYKhH2(VEH-8*IY`hNTH{_qU@^AaQcK+X(w^!?{ zl9ks3w?g^0@$cEXzOrqX(lhp4PX12gH+8I?LjHc^H$G?mR^;2pU)QyEyyLeTkI6q_ z`P)Bj?KJX}-(knEw0=)=&$!yRek@~LKid8c^B=bSph3CuFtjW@NSN=8n;>TZZLVAzzc#Zr+g9ZrD0T zyJ6=T?S`U~_gC$PlB{+^GvqCoqutOUtKHBKV?aCcl?aJDl^Zsl3k}Q9lWck|;c{eQIBg@|bS^f?k zr|0sp{5a(EkT1wO->blDvd-rw|ScEI+1X`7tN!xnxP!bIHnadM*#;cP>xQ(o_GdWcgnw z%l~G`+hO?*S^oFP^1tsmJ(q{&hasPad`6c4i@-~={9lE99r7(%{_n{0fA2Uwmpe|+ zJIC;UPnQ41TTlJ3kmY}kEdNW#@V^<#w_FbY+hqAaB+LIXS^iJS@_*(ywI4$H zmCIB6fh_;GjsT6VWI!M*S{mn|GhE%KN!RRBU%1mjPdjTN|yhPyVU1X{x^-`f19lN9n0Z= zmn{FsWcfcO%l|o9{x6K-|2oXySPuVpWcj}*%l{Ku{-4S6|6&aPug37d^+EOdkpEq> z{2zpTXgT~JljZ*`%%58h|5s%BeQgJS+9RXmj7F0_`frT|9i6hKN-XSGg&@g$?`va$gS@O z_}?OHeq}lQZ-rza^7~Ad|JRT=?pnWo?cXHJ|B5XC z+s5#}6ZY?hd>HZ(S^iG~Ps#Fs7V>$>mt?*E6{~e?gZ2OJn%IGKT+avi#o} z!~Z>5J|D^Q|6~mRuVH@ru=;$;{{~t9cggahmlAyJY#_C(HkVG5jBg`4h|G|BNjE z=VbZ6BFq0ZS^jT~;s4ec{vXNm`%2c&|K>;5>r>t$BZvQOvi$Fb`F+db|A;LAm*m8; zBFq0RS^n=sehmAc$nyU}mj72{_@6$iUZ46KWXwn24ta+x|9gS^Wcfb``7q>Tvic`v z`9C#=|1)FwKPSuol`;HZljZ-GEdO`L@c$U*pDc&}XR`cn-BSABCd>aWS^oEo;r}qq zA6X9nCuI3QCCmQ>S^h7{@_%Iv|JTOwe@~X*XR`cHA6@$2Aj|(2S^jsz{I2Eje?XT1 zbF!}gf-L{nWcj}h`9AD_Aj|&~S^l4m;rAu%e+_x-W6JkOMV9}az+JNZ?}fY{@*!F4 zACcw%*ckp#jN$*3EdLkA@PA2`|7)`R-x$OHeVBi+9R454^1pG9(*G7&{SF3uE}dG=~3Mviv`i<^Lt*SIhD9zwxp4`sIH`*74ew z!~Y&x{!hue{xh=tUy|kjI^^51|BfvG4`lg&G=~4Du>U#ajdtmOlPv$Mz-_Yp?}WS? 
z@;+JXACTq$&=~%YjN$*7EdOW5@PAI0|4Xv`Um3&yZJ58a9RBag^8ZTKpMM(ntk0MH zZ;|DHWeoqjVSdkY_&*@a{~=laPss9rN|ygKWB5NehW~4_eBG1f|0(2W%i;f(EdQGy zSFc~kYmt$|{|;IHkIB0J6SDlDljZ+1y!V@ zz%8=;uR`7qd6%s9_sH_UZw&tj#_)egmj4rD_&+7f|2bLyFO1>;I?Uf#4*$1g`F|$M z|0`MkH||}ZFZtgzhW~A{=65WI|2?w&?~~>Kh%EodWcfcahX1&C75{xz`I0POw`BQ$ z2>H=+_&rCEdS>rUxxixWcj}#%m1x0{NIKB_aQ%r z{6d!h=@ZKLLxU{;n;~z7yiL~nJ7oFaHHQB^WBA`E%m0xv{2!C$|CB8MXU6b<8RoAn zhyQD`{6CWA|CubGuVne3?sMz=0sgnhnqOHC|2t&)-zCfc0r_5^pKld>eg6A+viu$y z!~d}{e*VwN@_$X1|GSXyErS^l?;;eW>%{&&gpe_#y% zhh+IbCd>bcG5nv0`3uY8|B@{K_hk8hB!AH$-=EOQ|GrF?{}*HU-?(pmel)*H#(el+ zk>!7zEdP6C`QInY|A8_59~#5|DOvt6$?|^_@~!3Ye@~YGr!fC)Is8wbRQlf~>-zV| z@_$H{|KpHP!~Qd}{9lme|I!%#ufqQ8kncl&Aj|(#;4@i%UqXHjdE(zpDh0e#_)d}=1(k#|5LL3Uz6qkmMs7GWchzEhX3a< z|6)0Q{-Htx5@IqOP2pVWB5M|^GBA$|1nwqFUj(MO_u*#vi#o} z!~bKLf3h6@U&!+RN|yi42h`_7{3@?f|J!8w-wk;`>^~sO{}EaKkB#B~B-F!*@_%m({}0CS|45eq7i0YVzmnyD<019=l>bd*_}?aLe#dh7 z-zCfcF>#;kPpc6e-wC3mj9EGPeVQ@tA9b3|4U=| zzcPmZYqI>`8N>fQSw0`h^8aKE|F2=^1n-#|9!IjACl$&$Qb@l!~B`$ z@P9#;|4Xv`-;m}1mMs5w#_)e{4FAt$`Q6C>o`Chr|B9@CRzQhkat7gBg_9m;2~N5 zk3v2U`IM~w8Cm|%jp6^o82&HG@_%Ct|F>lMzbDK8gE9O+hxr%F@$>&mmjCVi`vQEC z|6Q{D?~~>Kz!?6I!~BWm@P9^@|8uhZUy^`ye?K70 z|7QMsG^|f~i;Nupx5@Iq7v}dZhyNq8{9lrF{a0l9za`86eaMet{}WmMU Te>H~x z=?m-islP$i?+@*ecgXU;7r0NB|AUYZLp~;}e?pf3Q)Bo)Glu_ja+TM0hwS^x82+!x z@_$Q~|2t#&e+=_amc#!uS^l>kS^D25%l|G}{`ZXG|1iuSSq}dvWcfcO%l`#g{x8Y$ ze`O5+*T(RFPnO?jviwh9RQlf_%l{Tx{&&LsuI2E5K$ib=vabJvEdSSJ`M(YMKJ0%W z%l{Ku{-2HE|0V2y4SDN}%lAh`mj9i=U9$Y|g}fi~AzAAmk>&r`82(R;;s2B@{};ya ze@T}AYqI>`7{mX4n18Sw{vXNmzwxNj{}x&Px5@IqV+{ZMVgA5!_&*}c|1nwq&&cwB zPL}@*WB9)`hW}f#{6CWA|0U#C%klHS@g?>8<$p!i@!FQd{~lTXPszIeGqU_&lI8z8 z5{$I)Z^G{<~pD+2}BFq2E82)#|{GR3Te?XT1 zL$dszkmdiBEdOW5@PBR$|JP*sx+ly3Q^?Pj!~ZK;{x`p@UcZjlA|r?Y9kTo%lXd+k zWcfcQ%l~D_*J1w+S^n?H@_%m({|{mRW5}-|PhVcIPyROpx5)Cp3VA!^U9#5SBg_B3 zG5jAG!~Y>!{!fhI|CB8M=VbZ6Foyr@Fn?n?{NIx0|CucRuVne(cyxWfH=+_&rCEdS>rUxxixWcj}#%m1x0{NIKB_aQ%r{6d!h=_||kLxU{;n;~z7yiL~n 
zJ7oFaHHQB^WBA`E%m0xv{2!C$|CB8MXU6b<8RoAnhyQD`{6CWA|CubGuVne39&_va z0sgnhnqOHC|2t&)-zCfc0a^YJ$?|_>4FAW*@PAI0|7)`R--Uc{Is8A8<^Ltjzgmu; z|INqN>zDt1vabJtEdR%3`9BT$JnX+9%l{Qw{;!SU|0e9e4f!$TC$jv%1iq5xe;S4N z2U&TGto2u9`QJ8%{~cra-zCfcfie6alI8!HEdM9Q@P8iWFD!@uOS1gmljZ-BET7M0 z`F}Bn|Bc7h=STCKWXy;E6A>UdK|Mz71 ze+u)@mc#$_Ri*!3a^mQb<^PZ@|HmPphW%$``M)5`|D`efUxoeGA>W7mK$icfz-O}j zzJ&Z5^2S%!=R@mnlI4HP82(qr@V`x#|2<>)-zUreAzA*9jN$(@%%52f|L0`+za`86 zJy|{<$@2eX4F9iTetLX;KIDIsEdN_%`QIVS|1Men_l)6x-x&Un$?|_rmjA1euPulF zTeAE=g!xCy;s1rKpa1QzDX)KrEdTpt`9BQ#IP5kYCC2KRuy7AM(Fp4F8+P@V`Zt{~cra-zCfcK3V<`jN$({%%4~e|EFa6 zzb4E7Em{8W$@2eT4FAtz{>5_q{7+A;&xibPkmY|xmj7+C{O=gU|E@9oACl$&lq~-j zAzxY!|JP*szYFvCmc#!OS^l@irT-OK{&&gpzaR2p*ndQp{}ZzOpBlseS=fIb@^#2J zWcj}fyeG^5L&%RIKa=JEg)INC#_&Hq>DKoL{BMxue`O5++hqCQCCmSwG5jBf`6J8W z|ClWQmt^_BCd>aVS^n>g;r}trKUog{FJ$?DCCmTjlk4*#|664FUm3&ywlVzgljZ-I zEdOUApIZ+9mt^_B3G=s>!~X+W{x`n1^uI}#|827T?}oe|_8*Yt|A;LA$Hwq~684{l zd>Qf;S^jSVZ^`n17xI0`k7W6OBFq1?G5o(6!~ZK;{x`p_KA&Lt-y+NZHd+36jNyMj z%pX_||A%DxKPSuoC0YKj$?|_=4FC6G{=stie!&FS+9Rbmj8QW_`H=rzviu)}d}ulRACu+(EX>ABTKGmjAQBbF%zjgnSwDHCeBJLze$rWB9)_hW~rA z{687P|1()WU&-=6J>%B*1N?81HNUbP{H%i;f!EdM8A{?u~#zaY#1Jz3ZPK$hQU zvi!e>yzx!->(~BGviz^e^1p2i|2tv-ZpeorACcw%B=D3h|7RhehkQxa>tB)O|JoS- zZ;avpmMs4d#_<10md|Ih{J$8(|HiaFpPJt!V?O+Ek>!7%EdPgO`9CJh|A{gDpNIJi z%i;fuEdSSJ`M)E}|2zDscvixru!~cq`{&vXwAs>+C|0wX7EdM7VpN4!+ zR{w%5|Ch$_e`O5+*JSy>Glu_rvV1<0<^RbT{$IoV^sM@P%Krvg{&&gpzfYF`L$drI z8N>f+m_M@|{x8V#e@T}A8?yZ0lI8!-82;~#;s2Q|zZ=gk{jbQ%+m^%sE?NE$!u+A- z@P9&<|7)_Y|As98_hk8h4EZ_ie<92N^sV)J<1l|>IsBiI<^P;4|5s%Bzb4E7jWPV+8pHo1S$<#1`uX4d_IiEFTV&+$ zzfG3^y)eITIs6}y<^Phb>%St)|1DYm??ZkJ`=7}2|3a4kS7Z2}X7&2i-ymZ?@^;8O zWcl9<+$YQbLCA+8ACnWuge?E3#_)e;4FBh3`M)xT|7)`R-;(A3&KUk5!~B!w@c&Gf z|E=eg{gzG5p_?<@cE^|I>Gr z{x`_-zeSe+oiM*^Is6}x<^Prn2bRPC5n29^$?|_jmj83I{9hQu|D`ef-;(A3ku3i& zA-`IVpZ|^Ts@E_7E3%H)wjBQV$nt+m*7cu}<^Pf_|JNbkhW&SB`F|kG|D!SdKZX6z zA#Z$l>3@?f|Es`lvi$Fayc_a9S?eE=<^Rwa{*R2||ClWQXU6b=nJoX)_m=)Q$nw7;%l{!+*MCHo|5LL3pND)I_Fs|Z 
z|As98x5n^)7xv$W{2cNNS^lRNl<$WIS^hUe-U@k}to3)u^1o{g|9i&pzfYF`BV+hK zCd>aRS^m$A;r}wsUs(?S*JSyBB+LIZSw3IM@;|-s*7pPaZ;>^>vK;<*$nw8Smj45? z{2!9#|Hv5rkB#B~oGky>Wcj}f`QCE)eQL6-k3vix5g!~ad#e;e{+$WLVXe+hgg%m4KK;r&5Y-Xd%L6|Mz71e;WclAE%m1D+{O=pX|1nwq&&l$C74o&^@PA8||A#RDXgU19 zkoEJw{X^yT?~vtxpDh1}As>hRCuI3QBg_A}G5lYI{g)x%hI~hs|A)Xwviv`V{2cNt zS^lRN*XKk2H;mzb(-{7@$nw8q4F9`i`QInY|A8_5ABXu9%i;f&EdSSJ`M)L0|2WYY|1R*JEdLK7 zKZg8Fmj4&B{J$E*|FpdI{Q>_QWcgni!~Zr}{&&gpzh?~phhhH6a`-yiI0vixs{yi3;pJ+k~Ckmdi-82*pK{^O9(L%tx( z|5e~MS^jTAz76@Ftk-`a%m1S>{687P|1(+sr zr)2p*C(HjOS^lq#;r}+w-&qd-4`lg&B+LH`SwH`;WciK zDCA?y;s2B@{}*BY(sKB}A$m&*8Ux`{O^(Ff8QAX56FpQ z81iYzXJq-m2)rcA|5eD>A>Wb{$Br!j_r~!5U=06{WchzF#?SvNS^hU(UY}3--!z8* zZL;QfEQkMHviu*D<^Pl{|L0`+zc7aX>o9*~IsD&|<^P^6|4(H3e&=Cvi$Fm z<$u>0{`bQE{g97CJ|WBhS>QQY{x3ql4EdU@*S{gl|E)3n-x-z!zx5%1bSq}f(WcfcN%l|Q1{!hvBe`XB-mtp?Oa`?X?%l|D|{vXKl|45eq zCu8`3HirL=pDz7xljVOe%l|!D*Z)A4-)FM?zlOZ=Gxh7& z{!Oy{ugLPhZ4CcAVgGK(han%4<^Lq`lq~;eA)kkQN!IIMk>&r|82)dJ;s2H_{}0CS z|45e4XR`di7{mX@E9>*A`AstB!~Ygp{`bl9e@K@9W3v387{mX0n7^Sq}df zWcj}&%l{2o{%^_he`gH;_r~!5OqSn`pDX>Z$jaN6!~ZT>{tv?Zq2=&@LYDt)vabJz zEdTdp`F{-gIqZKS%m4KA^?Kxg!x;WI$?9)~yc_Z!S^f_K56SX>6!LM%r)2fd$nt+~ z4F4C#@PA2`{~KfYza`86Jz4%AjN$(|%)eNUpZ`~~{BOUyKELw6OP2qAviu(y!~b!Z zKd~JC&&cwBPL}^Gvix6@<^RSQ{%?)p|B)=euVnrFZ~o_ceac&8Tvic`v`9C#=|1)FwKPSuol`;HZljZ-GEdO`L@c$U*pDc&}XR`cnZA$;!WclAE z%m1D+{2zw-Bg^6cge?E3Wcj}!%l{=={;!PT|JoS-@5%D}OqT!Y7fb&eWclAB%l}T8 z-?be656JR=PS*8bkmdiHEdRG5--rDVWchz0%m1@6{Jw82+!x@^w#^|EG|j zEry|A44; z|32jBkYC91KmA(yerS;8e>3E*khjTNe}^ppyT{tt}d|Bx*I z$7K0GF^2#1Fn?h={9lsg|DG)Wk7W6LCd>beG5l}5p*}yF-y~x`{IAIJzfG3^J+l1o zljZ-w82%59;s2B@|CeO>zX|!)a`?X|%l}iDf3_U{r(NlPm#pjGBg_9GS^kehJ|!oP z8Cm`>$nt+_4F6Z;#IX+fKI8|o{67UgljZj%~^8XO#A1#Of7qWi-x8GD={|;IH_sQ~q z81ix0e?pf3GqU`j8^ixa*nb)FZOC_I`F{v}B+LI($j>3alI4H;t@?b(|AsOAZyLk@ z7FqsxjNyNmEdTpt`9Cm*|Kl)!VmbVulI8!JEdRG;`M)R2|AR67KZp4j%klF+y}3Rg z^1nfr{}oyOx5@IqV+{Yh#_)egmj6?-{9lB8X*v8~ljZ*|%->rM|4(H3-}>#+|B5XC 
zyJY#_5BV_cKO)Qj30eM6jp6?+>^~3rI^-L&{NDxMljZ**e-`q&bB$opac0a^Z!$nt+|4F4x#|7pmVAzzW@|0eL3EdO^Q--rB2mj5TR{68DR z|BEsFzmnyD^Y`lW35NeIvixt8<$uQ*{`bTDf#vXjNS6O|vix6?<^P&2|2M|)e;?)_ zEQkLmviv`j<$roh>3@SP|C`3}zhw;nyJY!4B+LIv$fuUW|2bLyufqJb zu7CRddOh;LMV9~Vkax-2zekq;1G4-d8pHol*nb@IdB_)J`M(OhCd>a#$hRTillA%! zWchzIhW{sH_&rHEdMXY@c(KI|66}tpAY%pCCmRo z$cL80|1nwq&%*q<%wJg!|2Jg$za`8616lqb$@2eX4FAu@@W1h= zrT=ZR{O^UlZ#n!QlI8y-%%55g{}*KWzbEVZAIS3iOqT!GkT>2|zkcoCB+LJbEdSfa z@V^uG?}mIB@)247PXbTL@_!ccdB~S!z5W$h{;!SU|Hc^pZ^`oiU=06{Wchq1%m0fp z{BQhOeLgk6NydEm-y+NZK3V<`$?|_pmj4rD_&*Qx7nZ~S6-z7=^8ZMd|L2fj!~W@5 zzkd1OB+LJnG5oK{>Tidzah*2 zEm{8WjN$*@82+Eh^1JaDrT-OKdE0XM-zCfcL6|?Z9R5$p@_$X%_1}=?|DG)Wk0C#Y z{V!zspZ>C5kNj^K!~Z5({jHF9L*66H|3Tm(S^kegJ`VYmto|8U{?Co!|H2slFUj(M zV+{YdWcj}*%m0Hh{6B~J7t8VU|4Nqs?RV7YSN?a&^1n}({{v(AKMwOJmc#!US^m$- z@_$8^|7)`R-x$OHtug#RlI8c6te^kQzpB@#yhTP1|J!8w-wX5mmc#!MS^h7{y8bJ& z{NIx0|32i$u>XlH|1V_ue>H~x>96bcslP$SeB|wrcgXU;7r0NB|AUYZLp~;}e?pf3 zQ)Bo)Glu_jvix5e!~Zo|{%^_he`gH;k754Fa`=BH%m3CpOaI$s`QIhW|DG}YABOoO z%i;foEdQru`M)5`|0P-euZ-dU+8F-t$@2S5mjCHg`rjbS{}x&Pcf$OxR5S7jojbhP?GR<@=)|%l}T`E?NHfLf#MgkgWa@ zS^kfW;s3-K{!hvBe_;&&mt^_BCd>bgG5p_$`3KA4|B)>J8}BOpZ;|DHn=Jo3#_+!% z<_|1~|0A;eACu+(j4c1>Wcj}^hW|@r_`fB~|07xcUqXJh96$dXe_O9#{#RrjuWdQ} z?~&#Il&tGNBg_9KS^lp>z76~D$nyU{mj6d%_!{!fhI|CB8M=VbZ6Foyr@Fn?n?{NIx0|CucR zuVne(IM?S({x^-`f19lN9n0Z=k1YTDWcfcL%l|Q1{!fhI|I`@%FUj(COP2qKkRL6F z|7WuNPye;_zd@G&6+kIX2@G1Z(z&lvvqjp6^8EdS?Z`M(PJ+H&~6CCmRqn18e! 
z{-4P|G)UbeA~=TGW@ya@%j3aAm_H%^W}lA%EZ(rgVpI%-55AOXiQ8=KF1o?~?f(=3gwoDd*{5>-9V{?|+wBzFuSbXxx-W#y4l4l0W{D`QNARa#PxpzdQ47s+&?XpQyjg zKW1K%k1@`_{^b0>Z@O3hzdY9Yf8Uz355M;fO!+@`rRQdTnmGUZK6%?~KEBS+fPCdVW+mycFcu0P6zs^UQe>NXq=VwaR z{+Gjq>>O%-H`K*>#L_=3mPE7IKvr1=jxi%-)}F zU-pm4I^Hg`AFp$V@_3E+D_?JytiBal=VP1M`!AV&{e$-}*R#p&{nZDQ{nyNXzS?)J zS^W#L`q!Dg|CHJLds%)zpR3H?-@H@Vf6DCr%{!O-_FMr0l`wwItfAwKy|ADN$`{8B(FthhB zGJF4ptoPsGBg+0AS;t>gW&e(>y#0}7e?PPL&oX=eiLCzKN0t2>vW`EyrR?93mA5{+ z?C)mw{z+!P1`*&pZSM9QYLDum{_bmGt zWaU?~{BM0+*+0na{Ts6SoB8)$_iskl@dx)V`)6e3XR`Vm`S)dCe=oE5ugL08pHTKs z$U1)SK4t%eto%q;|24Dsck=J+-oGHL|B~6)Kgz%FgLVAQearq4S^1u<{&QyUuRf{l zpOMvn%Iy7v`<4CG{mcFVS^ZnG`j45tznTA>;_IJ~)qlwB{k=~q`fdGd{?4bB{pkT^e}}C8C0YI3%-(;=?CT$Vdd=$JWcL2*fo1I~X76wI z%l=7b?>~`s{LRD4{u5bw|8vX!ac1vdW%mB`d1e17v-cm!I{xb6Wk3GT1lL1(_w&pC zVP@}NWcL0GS^f{cpzPm~b^OI6%KjZ$d3#Xy_cMF{EVK8Y$m;KXVcEYS>-e)rmi-&D z^41rX{oTyoKgsO<2eSG*UtIRD$U6SyQDy&%ti16hWq&)f_m47r|BkHw>PyT11zE=* z4a@!oS^1SL|65;H_75_9|Awso=9icKGqR39cy!r6BP&0X)!+DvvcH$v`&VT3r>`vg zCuAMJ_n5MOLRNkxtN)tW&wuB!W&eV#{!3-e3=mHi{K@;zDo=gi(;eO1{% zBdh4}QKW6s+=GT<{6SDdbnZ3XFgtEW+#InCfR{xr;{(WZe z$6xUH^&gSdzsv0XohOz3>B(h(hphf3S^eA0-havL{e!QqS^b;L-d}xP*?-CGzyDQF zsagGVvijGVz5kTi`+Hws_OCK~fAgtj|0%QgHz#HPl&t<`X74{__WsT{l>Lj$-k+XU z_8&5Pe|mb^KPIbxp4t0%nZ3XI#>p+J{sURZUp=erKaiDopI!D3GkgCc zv-e-f@_+EHW&e(><1fCg?B9`Jx~{k_cIzapzYy`b!$kahgt z3(NiqS^1Hy{%dAG|DEqE`xj*OUo!jqZ}j~&>-e2T**_vH$9Jpa=cD@ZUFzOn{Xp4| z?>@)*P(Qw#-1`SVSoT*hD*Fdy_2av(y&vCY?fuOkD*N%>)83EohW7s6i_8AzOUnKp zS^fBKVeiLx344F~;j$m!{pHa7a(uU!_v5>~ynmC~`|KK;v z{_2fo|A4H1JloRy@hnU4Z@#JQ$FnDW{dhK{_xFCQ>~Frg?C+7)k7o;dKb|G%{pq*M zemwin`|)f(@9+Fh*`M}he}}AoJloCt@hms*zhp+A{(OdKuX#V7jpqH;@0I)hHjwwHL)m}G?EUGF%YHmt#{2Os8Smd^_WtTm%6>eX#rrR0o!{MC%l->lIiBs| z{dks#_ir+LfAei+|0J{bpU67?=FiIh6InT)t>FE5mV)=MGJ8L6Xaei~Kg#U=2eOX8 zdVAS_AS=gb+r1y3W%vF?X79&m&%J-}mu3Hstm7}V3`|;Ud z@9+I}*}oy{__KGG{Ts6K)~W38X7>I`X74|cb^belQ}(aOI{xHcW&et-9G|W8_2aX2 z-apFh{rK#gufO`cvVTF=@kj42`xj*8_-vE+-fF*l>HO3a@^bR{kWIk`#b+w_T%1r@5jCI 
z{{9>NQ_VVl=e=eBh^!pORZSP33)-N3!m-#C?^1pJhL@-)FhX?Dtt7Gy8p(?VIad_gUh;N zSnccs^2iL6rO=j<}KBVl|eU<93T4n#7tp0Uo?>}Ys{@z{7 z{#9o0Z{Dr!*L{`hZ+>XmKP9Vwnc4dfnZ3Vr_p*PH+56LnmHoP}QvK<}%l5v&`OqA?y9TtLi@WU&zXbA6e(>pJw*{O=jHZz03aA$Cv%x%-%oA?EMF_ z`a7Rc_OHn5*L{`hU*+H2@%x|hMyKp=XZHS4X7AsT)n9#L*}ov`_`0uB{fqmS{a3R5 zZ+%kPKgjI;8?ySF_bdBnWcBO5O7+j~U-qBL>Ti5<+270T{VTHi)2EdE6SDesU#0pd z-Ln5kR{u4#pa0IMmi-H|`Y)ON{Wtown$@rSD%C%FK-s@1tN)zY`>Rhc`)6eJpE7&@ z;DKeo?yFS);6Y{omaP6`X76u)M%h0htN)PM`+L2zU-wn2zxUv>e@#~ZKC}0y&n){# zWcBYddw=I4WxwvLRDb8Q%Kjx;{oBmmf646r4L-YO^=~qJfA!F^U-wn2zxtfAe@<5a zI|G}4*{X4Sybzi0Wcf+#3{bgl;KePAGGJF4ttp47Ym;D>E`gLEW`Ztd*`&(a8 z_IERT|0J{bAIR$Od}Z0cBCB8bRjPmWn6kg|*s{N!+51PCy?;kme>E!m7i9J8zDo5k z9#{5X$$I~{zN+jWWcL0IS^dqgF8gO>_3OS$_0Jw(_Mge>Z+uPJ-^=X%E3*326UzPx zS^c`NQvH)Bmi|AMUkOJ;xnjhbuD%C%DO4+|9tN)nU`nccs^H`c8FO=j<}o>BJezDo61 z&n)}rWc9Bzd;cl3_xHZ3>|bT}{^qpo*L{`hZ+>&xKP9Vwnc4dfnZ3XBEoJ{Av-hWG zmHoP}QvK=KW&fD0{&{Ba-(~jx>RZeHS!VCQkoEr4eU<9Jd|TN+{PvpFKh5m@o6O$d zoR$5P%-(+@t6%q3s{izyvcLZwW&b#{_pdU0fBMd{f0Wt#4`lW0zDo5Uo?G^JzpLyY zX7>I?X79g{<^SNj%l;i%{kpGG{k!Lt{q1?#-_Pv*v&`OqBCEgmJ!SuftbW~Bss7FL z%l_8)mi^t#-apCg{Rgu8J1;2vS7i0;zDo74URd@wzOU?WXZHS4X7AsT)n9#o*}ovG zU-wn2f3Yb0uVne(`hl{4klFh;Wc4?Huc3|8^WXX5vVTEV|0T1(|3=H2)vx<1)j#@?vVTuj|2ebw zS3g?z&&cXOW%mBTkCpwpuTuSkmzMoovigsiy}$Y6W&eb%{zGQ(@4c+-*L{`h@BKvC zzb31HpV|A%UCA0fC_^F!JzscZi;8Ia&Sd%-(;>?ESr;Df?HMy}$X&vS0UAs=v7|`=?~}FEe}pA+z^)ezxpi zWcL2_sNoJBD42j$nt;iD`o$VtbW~Bss7z-%l`I%Df|1Gy?>V3`%h%`_qJvKhOBHZ>&pJtua^DY%-%oA?EMF_`a8c?_OHn5*L{`hU%kHUZ~S`M-_Gp)qs-pFBdfpq zjk141R=@76RR7`)W&f2d|69AVe~{VxH)QqWJKNnqd}lgX{kpGG{j)cg{b#cJ8*eK6 zdzrm|MOHt)Gu!*|oz>p2`zqBxd2`u+B&+|L+0TFHx6A$oS^fCVV(-Uy27ABmt5pAJ zU-s|G>OW`p{_1zj{ux>Q_|91G$9J}RfAyBSPyGY3uFsaN{$pnEZ~lJSKOw6h-`VN? 
z_|8o4*L{`h@BLx9{xw`!AW@ zzrml>tbTlFo%dI7E&Fv}rTVKsE&JzW^{+E~|0%Qg_uf|a<2%E=zxiinzwWD4fAi1F z{wZ1g%go+?$n5={W7&`IZ1Vo}_Of61RjNPzMcF?ltAC!^`*)eWzxvCvAK#hd{rJur zu>972mFmB|qwF94Rn6+3X7>I~X76wQb=i;aEb)GPXNdRfzDo6<-dXndPi6l&v-htu zdw=?yvLD|W;r;l|2JhE>mFhpdtL*RoZP`D}?EQ<(-hUy>e>}6_`|-?t@7H~m>fgP) z>~H^l+27CX{j<#8e>#+SLc|MMFPwubd{1ji$;ARH=$3yvg@T^fE1NJU&tozpF0Xjc=p^WZu<8|cq z=Ii6*Z8!REN_hUHk2~}D=R5e;l$!4k&d(~%*U`s)`1-hlR zn$mZ1y?7p^k1u;4&`oJ~C*PXV{rGzD{6-%?!Rx-ci*HToWBEGqyhR^>%-6a45Z{{8 zSMmJd`G`JVc;md>loogMtttI9J;d`2eZ2XGXE&wUhxyk0Y*Vfm&mZ*h&wQPe%C{z- z$D0zK7wF^uT<_=>-zh;L2lL0m7MH|FEH^m+AA-@(Mk=Vkf$7GB@cBYkUr zBsWQ<`$Uc%F!lSJCJ6BHx^&`gYf8V&>x<`W_!#s09)8TXru6q*FP?|tTL-rvWQ*jv5cx2E(2o;Q3x-^YTz&HVSfKHkdp z;`8)A@O*vzyiITPttovAuP;9T?&H0DotNM8ttmZ)*B75x_i<0I_w+lyHUIv|>x<8q z`*=66@8S1+YfA6p^~LAGecXlX-Ti@YP3aL_FFwER&54feJtrSzBAd!U3naQ zUf9RmxL$n6tdA|PZ};R|^Pkh$J9t;Q{pWan@p)VyU&8C#d$(^*>94q6e16u)-FTim zXWyDq#q);GyZU$-&vW%2-fEw_ViN;ei)1iy3Ryxn}`yE!~~9JdGE(j9Ib;^wruaXoL{<8N-9=bIBgFX{uI zz0BYKk??&SKJa}D*xnA?@13{e?-M?klkd)dzTn37x;f$Vr9SSL*Ngd2;Kq;SKi_-f zJl~vlVg4;#*C}lOy?lHe=Xv2c-+p6W?hU8z?KiIb&8Z*G^IO=vztMB+EB#RR;`5z8 zZpZV0zgP0{!#8}mIpOo2KGr;b>xPfFCU3lP-EU6oaGd|d*N^YA@$pwT{JA;d^P4`t zRIlfbzBPZ}3C}-1Z|UQ6dEGB}@~tWTDPIphAL--S^yd`*9^>EX2|my0;|)A-hw%3p zAIw%?J3_l3g264UkJWnyW-orzSt?6-GFFt?cf3y4O3&tcaX+??r}O$Qp5t5dzqauD;{ItLAI0^~p6gpv`rquu z{mwo#bhmTl4qA@%rL^SRc1xZ}Ufd zYf3-D_XX}>_3?0?=k!wFn*Uy%>&5-1K3>P`dwH2}P3hm*i~B=;jJe*^%YAG9ds?m+ z_jCGqG}n80g>Oyiy}Z7-|I)_`>GSTDzBQ!}<9czwq>lry@8(s$HNRiDUfkd4<6d0v z>eaqA|2*M(aX+Guzuyx+&}2!oqV0M*Z9_yp2YRyem@^~<9a8r^{pwr zoId0JJRi?t@91^DHKo7idT~FUkN@C$2e0?7`M=Zgyy5;gA1~(h?Y+Ubru0}|-`1|& zKIirAys_MV3(p(wFZ1!MTyOPe-*V)|r*8KNWTrck5^6_M@H@(HT zrnKSp#r;-3?#lIE{=m29zo+GS#{E$~-jC}&9eiv4o{U9}nSqp1j+)=D(-n^~L=uJ~q6*_%3=M@8)`O zKZ%dWa=nB1_|}y0eUCT({rw-y?T_So@m$8p>2!=3T>fgDTjS7pA_|GCQ{zi#HgePjEr$GM?X-iFhT`TEz0Dl^7o^MpI) z-W#Viv;K+8jrscHXO$TPKc=v~0_4%E|B=2v|MSlI&lMVbzRoYXar_%6^+u%Q|9d7J zM}M5DxZ_=JY`<}mZfv=sLH<>nIo9)p{C^dGkq7?q#Qc9l<8l7=%=k(9*La>61~xxF 
z{~x|47DK$h;YrO;&KvO^u*$zSbL`ja#{M||9KXl||G?|n8RPZn?}_kB^p8XTCh#@9 zp8ub#JAtzvT^u=o{xdx@nT>a5jA58@aEIWJgJxn68nFi#u?H8i2aVW+M(jZ&_Mj1a z(1<-~#2z$a4;rxt7h%?}zPIju-|zGJoci>)pHx+TIjO4io;sDMW`92S(>w5VJb%!K zAMcHq{B(TMm;AK<-{~bk?N9NNpL*YX$v^Nz|IAPO>CAiT>0a_v?>jH~spn}OiKp?j z{geLyUhw<)pMTmX_y63d5BA}B@`t>AjVF9Kp8WKqHGRT|<9R;+NS}3yYuw@< zk9fu_-tmb)iumyVJ@4<+_356*v+wwUW1Qj~m$=3)?(v9cyy6|7`1$;Q?tSs;^ZnU( z{QUL$JRdWk;vAQ_#x3sgh-bXw9iRC5TljO&i%)+`fA$?eaEw!&;}X}n#XTPJj90wl z6MuA~zjVI8cnW{Xcl^LH{?zMoKKu2PGhgBwx46e6p7DxzeB$RHjZgpk=}Y6qr+-vF z`;H$t#?P-me189&`4ZQ-#XTPJj90wl6W>1l^Xz$lU*MFFySc?b&zyw66Kf$0Nom&T)xr+~OXOc*ZN<@rgftsP{_G3w*~9 z9OI{T+@Hqt@yl_EYuw@&y3Vj8mNB64$uJJs$ClSG?mB-#+?x;%D#QPyK%Dv%WL` zz%fqor(U=4*^gH;U*i_{c*HYa@s3aYsoz6{^gO|5ea8yqtj+~OXOc*ZN<@riFAJ>T%z{rlAG^FQmS>kGepzCUn`Q=H=x*SN(!9`TGul(}y%5jNn+~OXOc*ZN<@riGr_tpJH64DLbq#wpHmiEG^A9*=m&E8g*mpRS+&G@j4L7x<1JIL0Z? zafxf(;vSE9#w*_OiEmF&?7rNO@A&EZ@h@*5;}qw(#5Hblk4HS?74P`OPuIVHx#tDG z|Nrvw$#IEm+~OXOc*ZN< z@riGrex2WEzW(vkdIc}{JaCLtoZ}MLxWzpl@r+lz;}bvsqUbaIU*Of=r}Y?K>Blin zagIw|;}-XL#4}#;j!%61g0J?yz<2z>PwP#*e0)-z;}X}n#XTPJj90wl6W>1ly4BCz z|M-p{IL0Z?afxgE{P)1m`_nT&;u)`a$0xphp;zy}r}aNxzCZ8yfn%KF9GAGpE$;D% zXT0JapZNBLU+sN?@Azqblb4TAj8mNB64$uJJs$ClSG?mBKdr~|a?cBV#}6Fi6z90a zHEwZ_M?B*d@A$+|>&?8| zf3^1ozT*duaf)+X;u^QO$0MHcig$eC+sEj~cl^LHPH~P)T;mq^c*HYa@s3aYv|iZL zcLd=X??|~@tOM{=eWc* zZgG#F)^B|I^UZk0J3jIA3wodT|HbFN`tk4h`Fdo}+sDkOIL9Tfaf^FA;u)`a$0xph z*;jjC;5&Zc7^gVLC9ZLcdpzP9uXx8NzI{3R@f|;{=lL`~bN}NM=eWc*ZgG!CJmVGb z_{1MA9{y6#i!c9C-e>xruc!Ci`(QrC&wsc6ynW7miEG^A9*=m&E8g*mZ;w}dU*J1_ z;25Vk$0e?Di+eoc8LxQ9C%%0J`tj5Hu}|aq{(RsVr#QzYuJP0Qv@d_Y9*=m&E8g*m zZ(s4%&-Z*i$miZW^AG%d-G%4vQ|5DA;u^QO$0MHcig$eC+gG9=-|+*-_-Q@hr}2C| za$MpXx46e6p7DxzeB#^dukP>Ddc{xUdH?VDfn%KF9GAGpE$;D%XT0JapZNKDrq8`E zzB2vz`MM#`+sDj5t>^qSp67F1;u^QO$0MHcig$eC+gEvYe_!A`e&DC|r=P}iZ;EqV z;u^QO$0MHcig$eCr}eR4-v1Z)jvqM2Db8_;Yuw@mkM|ep=7| zGhXqIPkj5@ zulByccl^LHPH~P)T;mq^c*HYa@s3Y?i|NOA{J=3zagIw|;}-XL#4}#;j!%61I=7F; 
zXU>0o#}6Fi6z90aHEwZ_M?B*d@A$;GuS-9^;|Gp$igR4z8n?K|BcAb!cYNa8*P|cb z@dL*=#W^l`b;vAQ_#x3sgh-bXw9iRC2E$GL0{J=3zagLwYV|)I7 zTQlF{9*=m&E8g*mpD)<=ygx6}SC7XXKX8mwoZ}MLxWzpl@r+lz;}hS$<*U6f@Et#J zj8mNB64$uJJs$ClSG?mB-@X<7_>Lbq#wmVYPw@HtDw(hG^L6{5x9^!B@r+lz;}hS$ zHU0RGA2`M-&T)xr+~OXOc*ZN<@riFAryt+(1IIYUIWBRHTioLj&v?Z`b;vAQ_#x3sgh-bXw9iRC5LekIY>x=Bw<8j9i{Jfs)^ZTdF=lFTul;`bh=3Ct3 z5zlzVJ3jI4+rQfT0^jii$2i3~E^&=p+~X0?c*Q$D@$Ea%kMH<_W1Qj~m$=3)?(v9c zyy6|7`1T#?$9Md^9`W<}8#ABc=XHOcw=bEmaf^FA;u)`a$0xphC;IUnKX8mwoZ}ML zxWzpl@r+lz;}hS$GyV9EA2`M-&T)xr+~OXOc*ZN<@riHWg?{|Jp7!(k`(QrC&+Aq_ zZ=W+?;u^QO$0MHcig$eC+jpfO-|+*-IK??GagAHt;}Oqz#XCOnEvFyf@dL*=#W^l< zja%H~5zlzVJ3jI4yWKt-&*$s&dhpM_GylNP>#jX-pE95064$uJJs$ClSG?mB-@ZHj z_>Lbq#wpHmiEG^A9*=m&E8g*mZ{LG{e8&$Q;}qw(#5Hblk4HS?74P`Ow@=WI@A!G$ zz~}QlW+ilIK??GagAHt z;}Oqz#XCOnt)L&@@dL*=#W^l`b;vAQ_#x3sgh-bXw z9iRC2ed)({{J=3zagIw|;}-XL#4}#;j!%61e)Quze&86VIL9Tfaf^FA;u)`a$0xph zfBNwqKX8mwoZ}MLxWzpl@r+lz;}buxJN*3p{lyP>^?2Oz1IIYUIWBRHTioLj&v?Z< zKJiBj1b&$Onf@P0KYrjCr#QzYu5pWdJmMLzc*iHc{h(KSU*J1_;25Vk$0e?Di+eoc z8LxQ9C%%>R<2!!f7^gVLC9ZLcdpzP9uXx8NzWreO@f|;Kj8mNB64$uJJs$ClSG?mB z-+l=F_>Lbq#wpHmiEG^A9*=m&E8g*mZ$FfNe8&$Q;}qw(#5Hblk4HS?74P`Ow>Rm> zcl^LHPH~P)T;mq^c*HYa@s3Y?`(gCsJAU98r#QzYu5pWdJmMLzc*iHc{c!s69Y1i4 zQ=H=x*SN(!9`TGBo2cz%fp7j!RtQ7Wa6>GhXqIPkj3s^y52z z;25Vk$0e?Di+eoc8LxQ9C%*km`tcnt@A!dZoZ=jpxW+B+@rY-<;vJv(_Vek-cl^LHPH~P)T;mq^c*HYa@s3Y? 
zdz*fI#}6Fi6z90aHEwZ_M?B*d@A$;GUqC;;;|Gp$igR4z8n?K|BcAb!cYNa8FQgye z@dL*=#W^l`b;vAQ_#x3sgh-bXw9iRBt(U0%=fn%KF z9GAGpE$;D%XT0JapZNBR>Bo2cz%fp7j!RtQ7Wa6>GhXqIPkj3&^y52z;25Vk$0e?D zi+eoc8LxQ9C%*ks`tcnGhXqIPkj5;^y52z;25Vk$0e?Di+eoc8LxQ9 zC%*j}`tcn`b;vAQ_#x3sgh-bXw9iRC2+vvx4{J=3zagIw|;}-XL#4}#;j!%3W z>Bo2cz%fp7j!RtQ7Wa6>GhXqIPkj6B^y52z;25Vk$0e?Di+eoc8LxQ9C%*j-`tcn< zaEw!&;}X}n#XTPJj90wl6W@L({rHX_IL0Z?afxf(;vSE9#w*_OiEr=HkMH<_W1Qj~ zm$=3)?(v9cyy6|7`1ZT#$9Md|F-~!gOI+g?_jtrJUh$4keEZ$><2!!f7^gVLC9ZLc zdpzP9uXx8NzWpBh@f|;Kj8mNB64$uJJs$ClSG?mB-zNI;9Y1i4Q=H=x*SN(!9`TG< zyyFw!elPv_jvqM2Db8_;Yuw@`b;vAQ_#x3sgh-bXw9iRC2hv>(5{J=3zagIw|;}-XL#4}#;j!%61!}Q}je&86V zIL9Tfaf^FA;u)`a$0xqc^y52z;25Vk$0e?Di+eoc8LxQ9C%*lW+ehQI58r;yhqo8_ zjvqM2Db8_;Yuw@k;|Gp$ zigR4z8n?K|BcAb!cYNa8d-UTwe&86VIL9Tfaf^FA;u)`a$0xr1ar*HcKX8mwoZ}ML zxWzpl@r+lz;}hTh1pWAqA2`M-&T)xr+~OXOc*ZN<@riGLl74*04;Lbq#wpHmiEG^A9*=m&E8g*mZ!7)yjvqM2Db8_; zYuw@Lbq#wpHmiEG^A9*=m&E8g*mZ-1A5e8&$Q;}qw(#5Hblk4HS? z74P`Ox1D}`#}6Fi6z90aHEwZ_M?B*d@A$;Gzjym+y!PSS&-w870^jii$2i3~E^&=p z+~X0?c*Q$D@$K)^kMH<_W1Qj~m$=3)?(v9cyy6|7`1TLz$9Md|F-~!gOI+g?_jtrJ zUh$4keEWcYe8&$Q;}qw(#5Hblk4HS?74P`Ow|_`KzT*duaf)+X;u^QO$0MHcig$eC z+drZo-|+*-IK??GagAHt;}Oqz#XCOn?H|*R@A!dZoZ=jpxW+B+@rY-<;vJv(cF>RS z_<>`b;vAQ_#x3sgh-bXw9iRC2Pw2;Y{J=3zagIw|;}-XL#4}#;j!%61r}X1He&86V zIL9Tfaf^FA;u)`a$0xr1Gy3rzKX8mwoZ}MLxWzpl@r+lz;}hThIsN#KA2`M-&T)xr z+~OXOc*ZN<@riH$f_{9*4;#0!5cpCg@cQJ9O4KkIKu_5aDzKM;0Z5y!w0@_@E_^NA&zi@ zGhE;bH@L$Cp74SeLq862gcF?M0#~@f9Ukz6 z7rfyEUpV-G>Bk|CaDp>j;0iam!vmi1f;W8N3kUxn{W!!CPH=_`T;T?Hc)$~0@P-e3 z;ozg+df#rZeRvo?di;Y!9N`3KxWE-|aEAvx;RSE_z!wfa=W{+f0Y1}@Lmc4*XSl!> zZg7VOJmCdz_`nwq{xkYUb<4es!OC%oVdANaz-e@;IRafB0`;R08B2q!qh1+H*|J3QbCFL=WTzHsng(2qkL;RI*6z!h$AhX*|21#kGk z7Y_bQ`f-ROoZt)>xWWzY@PH@0;0+)6!ohzM>xS5E^vh#+~EOFc)=S!@P&i_j(!~C2q!qh1+H*| zJ3QbCFL=WTzHsp0(~me~c2Rz{gZ}`9$4qniYLmc4*XSl!>Zg7VOJmCdz_`nwq 
z{s;PTh$Ecf3>Ub<4es!OC%oVdANaz-|42U$afB0`;R08z8{FXmPk6x_KJbNuFGN2MafB0`;R08xS5E^vh#+~EOFc)=S!@P&i_jeZ>B2q!qh1+H*|J3QbCFL=WTzHsor(~mz8{FXmPk6x_KJbNuFGfEOafB0`;R08xS5E^vh#+~EOFc)=S!@P&hq(T_tM;RI*6z!h$AhX*|21#kGk z7Y_ap`f-ROoZt)>xWWzY@PH@0;0+)6!oioIABQ-?3C?hVE8O4?4|u{0-td7h9DGUo zaflxS5 zE^vh#+~EOFc)=S!@P&gfO+OBCgcF?M0#~@f9Ukz67rfyEUpV+O^y3gmIKde%aD^M( z;Q>#0!5cpCg@ezfABQ-?3C?hVE8O4?4|u{0-td7h9DG^&aflUb<4es!OC%oVdANaz- zgMJ+12q!qh1+H*|J3QbCFL=WTzHsmr=*Jj;0iam!vmi1f;W8N3kP43ejMTm zCpg0eu5g1pJm3j0c*6(2aPXDr$03ezf-_v;3OBgJ1D^1LH+ zZg7VOJmCdz_`nwqzB2td#1T$#h6`Nb26uSC6JGF!4}9U^tI&@_9N`3KxWE-|aEAvx z;RSE_z!whwPx^6)Bb?w27r4R=?(l#oyxz8{FXmPk6x_KJbNuuR%W!afB0`;R08xS5 zE^vh#+~EOFc)=S!@P&h~ML!O4gcF?M0#~@f9Ukz67rfyEUpV;M^y3gmIKde%aD^M( z;Q>#0!5cpCg@c%W9O4KkIKu_5aDzKM;0Z5y!w0@_@O9|NA&zi@GhE;bH@L$Cp74S< zeBcWQUzdIy;s_@=!v(HzgF8In2`_lV2flFd_2|bTj&OoAT;K{fxWfaU@Papd;0p(D z(2qkL;RI*6z!h$AhX*|21#kGk7Y@EY{W!!CPH=_`T;T?Hc)$~0@P-e3;ouw4k3$^c z1ZTLw6>e~c2Rz{gZ}`9$4!$A%IK&Z7aE1$9;Rbhjz!P5Zh7WwZOBb?w27r4R=?(l#oyxxWWzY@PH@0;0+)6!ofGCABQ-?3C?hVE8O4?4|u{0-td7h z9DFnSaflUb<4es!OC%oVdANaySN#0!5cpCg@bQJKMrw(6P)1!SGd6)9`J-0yx{|1IQZ7|;}AzU!5J=ag&W-A z0Z(|r8$R%bgOAgXLmc4*XSl!>Zg7VOJmCdz_`nwqz7732#1T$#h6`Nb26uSC6JGF! 
z4}9U^+tQCi9N`3KxWE-|aEAvx;RSE_z!wg_9sM}O5l(Q13tZs_cX+@PUhswweBmIY zABQ-?3C?hVE8O4?4|u{0-td7h9DIBFaflUb<4es!OC%oVdANaz-ccLGMIKm0eaDgk_ z;0_OX!VBK;fiE0xWWzY@PH@0;0+)6!a+_y4snDNoZ$jjxWOGB@Prq<;R9bd z_-^#$5Jxz{87^>z8{FXmPk6x_KJbNu?@m7safB0`;R08xS5E^vh#+~EOFc)=S!@P&g<(2qkL;RI*6z!h$AhX*|21#kGk7Y@EB{W!!CPH=_` zT;T?Hc)$~0@P-e3;oy7Gk3$^c1ZTLw6>e~c2Rz{gZ}`9$4!$@2IK&Z7aE1$9;Rbhj zz!P5Zh7WwWr5}el!U@iBfh*kL4i9+33*PX7FC2V7`f-ROoZt)>xWWzY@PH@0;0+)6!ol~a zABQ-?3C?hVE8O4?4|u{0-td7h9Q*+KaflUb<4es!OC%oVdANaySNk0y8gcF?M0#~@f z9Ukz67rfyEUpV-|^y3gmIKde%aD^M(;Q>#0!5cpCg@YeLKMrw(6P)1!SGd6)9`J-0 zyx{|1IQXIT;}AzU!5J=ag&W-A0Z(|r8$R%bgE#5NA&zi@GhE;bH@L$Cp74Se~c2Rz{gZ}`9$4t^y4IK&Z7aE1$9 z;Rbhjz!P5Zh7Ww<;78GqLmc4*XSl!>Zg7VOJmCdz_`nwqel-0!#1T$#h6`Nb26uSC z6JGF!4}9U^$Iy>M9N`3KxWE-|aEAvx;RSE_z!wgFEd4md5l(Q13tZs_cX+@PUhsww zeBt27(T_tM;RI*6z!h$AhX*|21#kGk7Y=?r{W!!CPH=_`T;T?Hc)$~0@P-e3;h?4; zhd9Cs&TxS%+~5umc)|=Oh$Ecf3>Ub<4es!OC%oVdANaz-Poy7*IKm0e zaDgk_;0_OX!VBK;fiE2VB>HiPBb?w27r4R=?(l#oyx#0!5cpCg@d0=KMrw(6P)1!SGd6)9`J-0yx{|1IQS{_;}AzU!5J=ag&W-A0Z(|r z8$R%bgP%%24snDNoZ$jjxWOGB@Prq<;R9bdXz0fwj&OoAT;K{fxWfaU@Papd;0p&o zjeZ>B2q!qh1+H*|J3QbCFL=WTzHso<>Bk|CaDp>j;0iam!vmi1f;W8N3kN@gejMTm zCpg0eu5g1pJm3j0c*6(2aPTwf$03ezf-_v;3OBgJ1D^1LH+e~c2Rz{gZ}`9$4t_rUIK&Z7aE1$9;Rbhjz!P5Zh7Ww<;BESG zh$Ecf3>Ub<4es!OC%oVdANaz-FQ6ZXIKm0eaDgk_;0_OX!VBK;fiE2VLi%xtBb?w2 z7r4R=?(l#oyxz8{FXmPk6x_ zKJbNuUrIj?afB0`;R08xS5E^vh#+~EOFc)=S!@P&h4 zPCpKDgcF?M0#~@f9Ukz67rfyEUpV*`^y3gmIKde%aD^M(;Q>#0!5cpCg@a#7KMrw( z6P)1!SGd6)9`J-0yx{|1IOyreA&zi@GhE;bH@L$Cp74Se~c2Rz{gZ}`9$ z4t^c|IK&Z7aE1$9;Rbhjz!P5Zh7Ww<;MdcSLmc4*XSl!>Zg7VOJmCdz_`nwq2KsS` zBb?w27r4R=?(l#oyx zxWWzY@PH@0;0+)6!ohE%ABQ-?3C?hVE8O4?4|u{0-td7h9QUb<4es!OC%oVd zANaz-Z=)ZFIKm0eaDgk_;0_OX!VBK;fiE14^y3gmIKde%aD^M(;Q>#0!5cpCg@fNt zKMrw(6P)1!SGd6)9`J-0yx{|1IQSj(;}AzU!5J=ag&W-A0Z(|r8$R%bgWpL%4snDN zoZ$jjxWOGB@Prq<;R9bdc$a=0;s_@=!v(HzgF8In2`_lV2flFdyXeOuj&OoAT;K{f zxWfaU@Papd;0p)8n|>VP2q!qh1+H*|J3QbCFL=WTzHsn+=*Jj;0iam!vmi1 
zf;W8N3kMVZIK&Z7aE1$9;Rbhjz!P5Zh7Ww<;P=vxLmc4*XSl!>Zg7VOJmCdz_`nwq zejoif#1T$#h6`Nb26uSC6JGF!4}9U^_tTF<9N`3KxWE-|aEAvx;RSE_z!whw0R1?` z5l(Q13tZs_cX+@PUhswweBs~^(vL$N;RI*6z!h$AhX*|21#kGk7Y_aq{W!!CPH=_` zT;T?Hc)$~0@P-e3;ouL`k3$^c1ZTLw6>e~c2Rz{gZ}`9$4rcmsh$Ecf3>Ub<4es!O zC%oVdANaz-AE6(IIKm0eaDgk_;0_OX!VBK;fiE2VQTlO+Bb?w27r4R=?(l#oyx=VG5Jxz{ z87^>z8{FXmPk6x_KJbNug?=332q!qh1+H*|J3QbCFL=WTzHsoT=*Jj;0iam z!vmi1f;W8N3kQFiejMTmCpg0eu5g1pJm3j0c*6(2aPVj7$03ezf-_v;3OBgJ1D^1L zH+e~c2Rz{gZ}`9$4*nATIK&Z7aE1$9 z;Rbhjz!P5Zh7Ww<;4jmULmc4*XSl!>Zg7VOJmCdz_`nwq-lrdjIKm0eaDgk_;0_OX z!VBK;fiE2V75Z_ABb?w27r4R=?(l#oyxxWWzY@PH@0;0+)6!ofyA4snDNoZ$jjxWOGB@Prq<;R9bd`0MoJ z5Jxz{87^>z8{FXmPk6x_KJbNuzd=6^afB0`;R08xS5 zE^vh#+~EOFc)=S!@P&iFML!O4gcF?M0#~@f9Ukz67rfyEUpV;N^y3gmIKde%aD^M( z;Q>#0!5cpCg@eCCKMrw(6P)1!SGd6)9`J-0yx{|1IQYBt;}AzU!5J=ag&W-A0Z(|r z8$R%bgPndH;s_@=!v(HzgF8In2`_lV2flFd_vptVj&OoAT;K{fxWfaU@Papd;0p(T zpMD(T2q!qh1+H*|J3QbCFL=WTzHsml=*Jj;0iam!vmi1f;W8N3kM(2k3$^c z1ZTLw6>e~c2Rz{gZ}`9$4*ntiIK&Z7aE1$9;Rbhjz!P5Zh7Ww<;2+VCLmc4*XSl!> zZg7VOJmCdz_`nwq{xSVH#1T$#h6`Nb26uSC6JGF!4}9U^pdW`g!U@iBfh*kL4i9+3 z3*PX7FC6?6`f-ROoZt)>xWWzY@PH@0;0+)6!ofeKABQ-?3C?hVE8O4?4|u{0-td7h z9Q-r-afl=gxe?>q37=9hUfj^Evf#1Y$;kWTS_+9)Sejk5;KZ##E>Bk?#uj4oH z$MGldoA@pKHhu@ci{HcV;}7sB@oWE@e*7`~I(`Fx9Df48iQmF+<9G18_&xkS{s4ax zzxHqF#~;J5<2Uff@h9+`_$~Z4eh0sc-^1_Y5AY}PYyXyh{4xAGegl6Te*(XW-@ zcksLTJ^ViY0Dls{_DTBj$MEa;4g7KZ3H&C03%`xu!SCYt@cZ}!{7L-UzoQ?248M-w zz#qq-z;EKW@Z0zu{4RbEzmGq_pTw{Id;0Om@ay;u{BisV{3d=2zm4C)@8b9H`}hO= zN&MP>pdWt>zmDI)AIG1-Z{oM`+xQ*)E`ATck3Ybl#IIfS}`%m=akKxzx z8~Ee+6ZlR17JeJQgWtvP;rH?X-`d^7xQ?A?9M_$d?RA!p*N&4o@x~u(`7_K|B#$(A z5++$J1j7YO0ci*bv#Z(lMR@Nn?r;q+z+wv(0m34M3KuL=s7S%W0n`{Kf&@^Jf~5)< zEL^B0;xG9FFcarc=e#rb{&DSXEMTnX_lQS_FD1>6r?_)~kMQu(X&3ZB7pcnPQQ z3SPq-cnj~~J$!(V@UX-D@Ca7$44%VFIE7d68s5NLcn9y{1AK&s|BLzI5v<@DJcpNX z3a{Wbyn(my4&K8D_y`aG5A(w#Siv)R4lm&pUcqa418?CSyoV3)5gz^q^TQ)p!83Rc zFX0qk!E1N}Z{Z!hhY#=(9uCg*Z+!-Xq5kTx#3$eptl$|uhnH{)ui!Pjfw%Au-opp@ 
z2oLXJes}~ccm~hmC7i-5cnxphExd#G@Bu!;!!yhek6;DQ;5od6Q+Nfh;SIcnckmuQ zz(;ua9Oj2du!3js9A3gHyn@&82HwIucn=@oBRm{pes}~ccm~hmC7i-5cnxphExd#G z@Bu!;!w+D7cmykW2G8LooWd)34R7Eryo2}f0Y1XR4`P0J1S@z3&*3GU!YgDY2yoNXM z7T&>o_y8Z_;fFClJc1QGgXi!PPT>{2hBxpQ-obnL03YGuA7FlX1S@z3&*3GU!Yg|d-wn!;h}^1;SsFh89axVa0;*B zHN1hh@DAR?2lxmNKZ5z;5v<@DJcpNX3a{Wbyn(my4&K8D_y`aG5c9($Siv)R4lm&p zUcqa418?CSyoV3)5gvXN^TQ)p!83RcFX0qk!E1N}Z{Z!hhY#=(9=?eA;SsFh89axV za0;*BHN1hh@DAR?2lxmNKZg0?5v<@DJcpNX3a{Wbyn(my4&K8D_y`X_j``sctl$|u zhnH{)ui!Pjfw%Au-opp@2oL`V^TQ)p!83RcFX0qk!E1N}Z{Z!hhY#=(9)1Gz!y{P1 zGk6X!;S^rMYj^{1;T^n(5AYEl{xRlQa1=nx` zw{QnLe~$TK7Y^YFj^PB(;2bXC60YDHZr~Q~VCPeqA9mpoj^G$h;0(^;0xsbSuHgo5 z;SP3Q!u+rchj0YPZ~|v=4i|6^^B0&OcHt0?;22Ke49?*KF5wEU;RbHu z4t73``C%6h;Ruf51kT_bF5nWb;2Lh=7Vco@GngNC;Si4C7*5~}&fx+s;R>$d25#XF zc0P;wVHXbJ2#(+iG5RTv&PT&mA;Q}t<3a;S>Zs87g zUdH^e3x{w7$8Z8?a1Ix630H6pH*gDgu=9D$54&&(M{o=$a0cga0he$E*Kh;3a0fdh z%n!S82uE-XCvXPmZ~>Qa1=nx`w{QnLU%>pZ3x{w7$8Z8?a1Ix630H6pH*gDgu=7RC z54&&(M{o=$a0cga0he$E*Kh;3a0feI!u+rchj0YPZ~|v=4i|6^^JUBr zyKo3ca11AK2Ip`Amv9Bwa09n+2RmQE{ICm$a0JJ20%vdz7jOwza1A$b3wN;dRm=~& za0o|m3@2~~=Wqd+a0S$d25#XFcFr+B?7|@& z!7-e`8JxofT*4Jx!wuZR9qfD!^TRG2!Vw(937o+>T)-t+iG5RTv&PT&mA z;Q}t<3a;S>Zs87gCYT>~;Si4C7*5~}&fx+s;R>$d25#XFcBYsgcHt0?;22Ke49?*K zF5wEU;RbHu4t6duKkULG9KkW1z!{vw1zf@vT*D3A!X50~$NaDhhj0YPZ~|v=4i|6< zS8xqCa0_>^bBXz37Y^YFj^PB(;2bXC60YDHZr~Q~VCSzfKkULG9KkW1z!{vw1zf@v zT*D3A!X51V4d#bkID{iOh7&l0bGU#@xPoiAfm^tPoe=ZGE*!!U9K#8m!8u&OC0xNZ z+`ui|!Oq`ee%OUWID%t1fipOV3%G*?Zw7B(E#JIO7jHaB`XgU^ck%F1`silx+B~vY~9{U|eVcAdN4LcN^p+ zJo_{g6TF3zCXmLL#*=V)zrSdDTnWAj-s1l05&bL@d=vDAy|9Y{37!f1%%^r$Ai*<1 zud<7#5|jkrgnldY3Qi>`3BC#XSpwNxf@gx>+n2p1cqWV&p6o3_N$^eZ7Spj^tt9vo zF3cseclS^CdOH*JrIRL*#+SyEFtv*(Cg@S638e9*@gyj_XljDqQW_;qAdN4LC&9Pp zIW<9FI%$+Nfi%7}o`mUG#xy~XDNP`aFO4T*YCnPYUR~PYo6x@rPL2L3O7Kk3!(G^e z0|}l9`eS7mDG9y_dXZf-m7pZ}Cg?4dY$?GrL9Y&EO9`F{DG`=*RgsCrknxH=+(gf1@(s;K)_8gx= z|4EcRr3s|*rSWvQ`#I&QpJDEPIy;xsx%AC9xj=$v!gz82^hp071RH!4yv2oGqa^qe zrc-CE~+hCt%;@c2N@J#R) 
zo_)mJ>vNJ2Nbuy4>DV5tB=|bK|CK(i(m&35_PuL@e(y>XNaIW6Nw_#I(x+vDzA(}R z()iMN5~fqTl@0w==0%>G(0>cCjglsi#+SyE5XjS+pr1|}B~2iWFO7HG*wvn#g9-W^ zq*2lY()iMNI{cO^EdM{^+&=&1*j!&F!8bww=y!Ug|7Kx>Z-PFB3%e+g;F-{Wx3CY{ zpr|WdwVu03BCz> zma$!}B=|b~es15?|LELv&v+{LjSrpL|M|$%51N0i@2>0Je|_+-I;B@&VgK*kJ$ZXs zFaBNYzw@&vj~)!3f0~0&>%|||-7DzFqYs>#_iX>7zVGLh^}YLBuD_nO{}1fG|NTDu z|C3(-to^@h_y3oE6MgIV>(7Y$f7{M)ehbhaX>R{&|1QwKNn!7K{r*$;{rU4X{D%Fz zI^VJDwoyf-{p~G`}=;cCvV@^=%1785u&GJ^TKD`EK2{ MK34Ysq^Sr04+Y1fifpE(o%Sf~X)MP+Sld6;TmH?f3l8c~3GVy?*-r{O;A{9+;eG-g(ddpL5R4 zy-CkL_{c*t6%|nk713X!fwN$ZqPS~x|4Hm9j@HJrZzFGBW{K*@UB5z>zQx`?Iuk|L zuUN5S!$Fyz&t;kVEZg-)H*TsFvTq@Kwa%hwz3LgxuKeFx4g0y?K4u*s_bv7D=uup! zoW7htUq-pgLix?%Q2GstdzZZB>erwCpZKq}GXF&w38TqxIpwLGO3p($xuwfp{tHg` zHbnX2B!=CwO$nW_tO~C4fe~8b=gH5t`bFLa3ZL^8ZVVUSZ{gK4bfXF z-AeVd$m^$fiSOUOoqaiBeCoH^#2M;$_x-it4DVOJ!Me__c5K11jCNI1{+JGDj?(vu z${l>4^riYO+%LCa>s{jO^RL`5S&ACspK9+)`-wU#^e*-HOPEL28|B-n^KH4_SMS`S z{(7YH4gEN{|Lc_R;QFW1t*k!1i$7S8X_?iciF1$aRXyf2#$(p^_2?^*PpGHHA@n0j zqmb{kjLsMzA4SuN{dGT%U1PKEdfx;WIeiJGFDX*_DjqYRAB1#0()|$T$xx5b4=PvV zy0U&;S%1i1#`LC@0j}N*JRet@oemwux`E_93Ie)xrq;eJdnl1h(IxN(Gx>I|X z_;!YR2fe4qZ)NF2x&;>{uHED75rXo&*|+P|E;qeJr`8|p>f5`-_fPMl$G!hL2lcl@ z^$6vs%Y9}g{kDv8_2X{+ZS78{%daF|D1XdK{8u(UVZ8g(rN%ponWx9i_xiZSx4+8G z27X+!1=IxI5i>-x8b%qgRQdJ84&LXQ_vCx?2*M zPP~Ezw{J^ljxO+*qv^ye_NQN`czf?IUe|q}@aMY!cHrovKNZ5fJCjVaoIhrER4%M{Iew8 zVeDIOA?jV?uWz=6&u=<9(RlPO^12-3tN(%VQF%cR|Go~M@a5j(%k4YI+94ehoF30k zl|R8>|5x>~*(~qB;3CW4bisbfT{yM=erxyO`Q%<_*Es#p%_p?1udH`Bj}_MY6(!R9 z>=Nt!qXqPS(*LyH7wpxsLO1k3n@|7$%Z0llAF z*87N<-%l%%-ghsN-nT8F_pQo$9}#-@FQkkA{{02_&6eWtXP)%s4%yE<=IrJD%y8e& zEVl74_I_qTiS*u5K<~|Ey^o0b{h$)*eSC@ZzGeZvuU6Lkh|v4%`q-S$DT+P6_xW;* z{(k08YwzIi5!~+V<^7D*fFA7okLmAMt?c_Z;rn3!JMZ5wERo)GCDQxx1@wMQS?}n4 z_bSwt(KREbASe z5C8eStwef1v_yK}qk!H&Qr7#3(EC~?()+L6Z(0@q{rii)+#&m!=bgR0pV4k+IPYif zvhgqWe&*99()-5?=)JeBcXU4d_cK#Vr1u?4r1wn==zZg|-baMq-&xPCUqyfa{wQGb?+qo=`@SX8`;GKU-IP^eLr)30li;S);l^M{_}fxiS&L{iS)i-0ln{C 
z*87Oi`}!r)`|tJ76-LE>|GwOpJ7hoeva^@>Ga8lQyq~$x#=qG6nafM0_j3y9{p_;d z(fRP-&zw>sz3);Yy>D4S?-R;;9}#;0oBr9}61;!^kuSIC&#T|I_6~kO^DSpD?`Ncj z;k=)@p+tJ0S0cU7Dxmkqvfk18@ZZnGCDQvwCDMCM0lkkd>wQG%{ikcV^{eQApWqw5 z+@kMizHIFsyq~$%*~|MGsbM(pXU;2;-cK!&-j6Pz_an-BN9V(TKeKg-^uA(sH;)v3 zet*lCJLLWQZ=Jn7ziU*6^Zfp}jeoJY>D)~U5WHQu7KV*DC>Ph=>6>)w|*7<{rh)(xkca4eAC)H`2G9+&R*Wn zNDaezKXX-y^xj$`y`NSdH?=1XD{z(G%CY+Kl7lCf3e@cf38G&zp#Mb&oAp8oe%&0OkIiezGsQ_ zzI_3`Z&TL$h|qhcM0$T|v|BfezMpx@mpf!X^MtdP_cI!m;k=)@(Z;{n`r15fsRi_YTv_kveE9EYK3pQbSCvTb?^L<@YsmBJADz8CzpHnK z^Zfoj8~HVw%dS6i1J31f!` zs0`=%{Sh1gV!wa?LW%T#Nddiox~z9}KK$qRrV{CW{}SnaVgbGHP}cj1(0g@>^!}Qb z%@X{3!_WG1hwNvbcJ}gq#&tu~yY#IUqP|7`d^9R~YsHEcddr|+06m{$4oB~jXPn>o z`kkF)@6A5l_^yfWT>Y7a!n(1t{PYiA_vg3hU6lN;+k zCX7Z?FN%t$6R+T37VTZ+_bW54{CO7dF!naQRPSQ%XU_HI7JdKTZS5WWenz8L{`+D< zm%~@@N80!oTkl)>a*L+-4P1Gr)~|2v9jy0toc+IbelIj%O{-Wpiei7CW@$l~Z-Z|C z)AMQXI_}r|S(g((-(K#zEpl&{nW!~S@4&Il{dPkXRYksEdzX5BjmFNjyrOT0Pv_?2 zv#Ix>{Kic1*ZY?Ecr>4myh=Kiqj_BAXlC!T^0oe~*q`&1|BqMVKa=vaq?>2)m}X80 zy-P3i?aBFbKqCHshlztHMr~7-3GS!c}-q&ZbchLHEJ^5}(z0yJX$+V!x*MGfe_NKZn`xYF1ez>Cb zs%Q1v^$% zIC4vuyMA79x-VyNf6TG=POBgTLRCb?34M!Q?eh8c-fFtN+^2K8<&x4z#7f`E zF)c!v1eMd|$p5Hvy-t0)vd)mcpC(}%nvZY4^0~lg;eN_*0<_E*ldAVdzTRi}`9k$M zlVd@%7v=)fq3rqxQs;4GIqFyS?UN3k!Don$7U4utdsnvaRJuIr{%t)h@_Oi9;`_O8 zXJ5`d+Ls0Ex6`N)@42CmH)8%JsQ$X&mhoHR)s#D?Lssg&)W_1h^fy@V{#!i*dQ`n{ zp$~hP_|B0SL zJvG0nyq$=<#=Yw1xB6>;?Bd>>-FM@j@#jsx9`etEp&vK%%eKo$`7YQi@BCL*|Ho}! 
z4LVTy_1F6G{8#76fpzNq@g(nG2m6|JHc+pXmA_Jb(;nTSgZD#0@9FVdS^AJ}!9{)^ z7+;SNl%GAnp4#Q6wdmCPLtTA)hrBO1sJ|Vm$I9yc%u4!A`zAl`*57vjrR$qtNxD$} zn3ediY<$9a_oqvZcN8<;L*0kH|F`G$B{&hZzq^xm z<#v{OIH$WA!v5#=zAc?Oy1-wKrW0$wH)e{r_wM3#-S-K9uKQ2>&_4Q8AT19F1dL@Ra$U{zn|2v>c7o$#Dvg~VgKl^WAEG3 zU0$g!LO+K4Da>d82|bUm-^CRibUeOmk~qfUz2g-n z();WZ>;0nz^nTL+wB8r&)lqQ26z0?aKl8hPU>TU-C%Sp%zi)ouwM2Sfqo{hXiZ-@+ z{T~j(ersS}f8W{v>*w{wwjUkqniDP9-s@ZSR_I+)*84x7-=DMb_v`*6QX-bcjzep-q2zI%!EzHI@$Z&lX&h|s%#Azl3U?=R@iS)i^0llwQ z*87Oi`|JAHoX;tWJ-_$)a*O_c=1yzx;O`OK?(F6LjMOlk_cIrkNbk84>HYWudOxPD zcXU4d_cPme{Uc?)j|jc5RU*Cr%KfHQ@xM>-qAz#I`}gOay}X|p?)#a$ zZ2XJ8pZRo&^#1VzdhadkeMHRfQ%j`x9ZID4O$+FK&R*WnNDagJ{rl%jr1v=`())}8dao_(9i0#V_wRd^Nbl>ENbi*e^j=Zc z`-sr{Puw5=DgJ)u9$#+J_cKeay@U5NOPsyDpV4k+IPYi9Dv{o&mq_nZ3h4ddvfk18 z@ZZm5OQiSr++SiU{`>b|`*Mf8fB&Vkm*;mky$|E>6Fh9=U+nkq*Of@`7Z=d`r^0lj~ytoIS2_faL%`>XCR1{Hrl^NcTd$bRO#&R*Wn4EO!aEjIqe z-p_oZM0)Qmp!fE&-bcjzet3!WzD0@jzHR}%uU*#rh|v3+Yik87{`>bweYr({|9-Ev zckui7yPdtfpOG4d^ZWNpN~HIhCDQvz1@u0xtao%i{NKM%ERo(m8jB z|NYDn*|i_aFIki~hX&ZENq~_cPye_VRv4Y8cM@ znHx%^_jx7K`>X<9 zzfbU0UvAO&GmEXggZDFEEbASe5C8f7j1uYngc9lfpaOcIT-N)D(EBDO()*vQ-MU%y z`TccY?vVHIKXdl-enz7*ocA*i+V~gy{rl%ir1uL8=>7b%-qHE+-_O*QNbh@=NblPh z(EB!Jy^jdJXG)~^mqxpFv*`Por+m3X_A^g7dwD;jQ5nwrnHz2Vi@l#YvqXAtE1>t; zWxb>G;lH0bq(pk(tVDWWtAO6uDC>Ph=>3gRZv86y_X!^IAk*0dY@WA@5hz(j?Rbwe&)j^(tA~j^!`qjo4XE@LA z-?Q;A_Ven^zTBekXFgv*?^l=gj?Rbw{N7O_y&qO0z3){(@4J`vJ|gr!wnTdWO{H5m zi$1^q#Fsl{Kl6gKm-jOomEpXf`I?P?vG+5dDUsgKDxmiTWxb>G;lH0bu|#^`sYH6u z7SQ|nvff98-rrrttzSid|NebnZqfHM4_kW&zkly@_VRv4Y8cM@nQKd=_pTD@y`g~K zb7j4w^Wndr*{4K$U#~=ZA5}o_tCaOVBJ}=B#;spP-_I=bY$?{E5YhrECPm9v-Uca6$$ zp5Gs_@h|rK_b-%4@0S$N`=`r#N9V(Tes3y~-uEw&-X|8&`wnHjj|jb2mq_ogY1u5n zzc>7>FL%g(=4ody?`K>$M7>MjS|RFNnk!S81@dgZ?_7IZm$ z^?sy{f3fwxl`pqwdf&j6cWV9m*51K-U&q=1Tj%#e^VPJ9b)zWu_i2_Eg!wk;_CGzJ z_O9c8y`OdYLOdD^0TCyXYrV3P6)kA zFZ1om`E%tr2@LJ(yVBcLZWl-IqQv=cNPW^_L+VMf?wag<4gTt~swmonB~R%$;#lU* z(bX0!Qo2KO%`J@$+3xmiXJf7*+uqX9k?WrIVa~eu%5K$A6Af}`Yn(U8!IEU#JF|8% 
z+uW5sdfJgk4oUp~kbA1S|5bSCv3?%=;%_RV4XtMJS=<^NzdgCXsu_mI=|_?DlkGo^ zbScts$}agbWD3F0pW&iw7Cw*$$%Nqk2!_U)P^~}kHQr%Vtv}|uh36sp>L23Ju82QW zUMa2Y2D^W3j5y}t_HyxI#L6?_ILde-@$tra;uDRR6Q9DdHisJCM6@1kyvtR4ELbE~4al1cveh(OrC4Sg5Ik|md<>PjZ zSu6VP2e0|F$d7|&4UL1^Y{B()u!jryRAzB_i9=;5Ea%YJ#T;*P=ohsUj<-1UN8s}u z?{E;-)T$8Dfthi#`tX6VRb3P?R!Uzg&&D^(kbyYnSj{+r*Y_E(xiOqBBh{vi#?eA1 z8_4<~!?`Qh3McAst7+45jJU3$bl(7W zB<>^T|J8Se*CEBMfr-;{DA(fe(RI z-a_~&cwaaVpJYBU7xhgZ)iZ(T!w1R-J{MM6b?lYKS>o%BW8%feb;LItC&YIfFC^AC z;9UKQzr%5m@}yI~2OlG50@b(njsp`W&L6_3i5ZCH@F8#>{x$6C$wc@L?DB+1kyjl) zng}<5XMi!hxp4w-2iMDo!PGZm8^qZtnhYzS7(UXt4n6@^+Y`7RZi4f03)~Dx6Qbx0 zcorDL=fN76cybhd7M7k8_*Ub~;QL|axe$IDZh`agFX1V0bO7yw+rR`K&19kW=HU%s zWZ?#9JLBpD(Fm+Ov+&`t@`>S`+4FF>@pAZFSmkOEJ_~Do$-=k7E-n0ZxE*^Qe$?#w zgBd%x1AEMXya;Ptl0%uR;W@IC!S9U|_&vB&`M_FyKM6;Nb5Fyn^Fnxi<2;--UJmQG zd*u@y5k-5!>W3Jf4A;O3e3bFRBch6&@gjJE@nTrN6)*oK@FL?pe2?)%aG&wR@Ds-0 zf?qIx1pcM*qwxF2--a_RQp*1^c#QGm@W#eZz&jW}3GZwC9r!p{?TU^>@9+g+3~R3W zoa{$4R@lW^c#iqU@L4d!871&V#(DU1SmUT0>ssRkUTi+mu~Bq~*<*N_aUOmIzJ{bR zH{#Rq^~xW9!F-YvqUd$wXlfL_4SzvC@ZaGZ;5@uqwdZJB6m1N<`vTTqm}6+81fFP| zhj%m9=4T)Hi}=LwVX*6;=`_bUhEFvA1kM@f;f~;c67yK_hZFc_l?z`6yFJfGqv$61 zF4Y;n%Q*U26n)b;h983SN((m;KPG?pIqZ+a@u|#F@DuWZ-+;d(ANVcU>6Xb%8wPO# zuLD0NA9#J(?Wby^NPkiGd)Q-mEBI;o!#lvw$RFMn{yrSl(O2-ZU<~W85sMS}IO9BA z3;zgvl#8O7uB>H9Z&%*b@FJg}2 z2jQQ{AATCvSmzs}=oRCrF^YZzzaoG59e5#J2mb?p4Nl-HDsvm0hu4A+gkw5?6ZmKH zfwzaHt313r{Bt;(i68t6Foq9?UxyR;1o)S59_DE*dIQ$v-46c>jN!9kH%9O!@UP_$ zUkAS_|7Pk7^M8~-ojL-C%RW1b?lX?zM~xHsS@^f|hhK%?61Nk>8F)Edy_(H+9V{#G zpRmWU{w1ax>h)*EkRBUv~Y9{O2=o!BGWmfp3KM;F5>$gk7G! 
zJk!7#>@oa&u%Ce@;Z;3te1!Y{*a?BJgnYoh%lyt>)~M{BY3!Y;fEoFab{xSS1cq4qGTm0U>5;<+isrKzo1Mp?| zh+~c~z)pwojm8UM3o1Ig1v{a7FMiw&lT{`8M&E*^0fooSXCHss@AG}^E)(o8z^cz$ z@SE^{=Bp^S<8ADd;X00YjG30Azrre4b*&iIhCpnY*k=c!COY9U^sRAd#2ix`C;6vbqV}E!Gag2|iQ=D$$!?A0u)#z!)G2CRF z!0pC)`265c9#_Jcq8Qd*>j*f3ufcvKoQD@0t0QlM-8jPcz(?T|jbi@~laK4?N6kl< zo`ThXF~{>T**R^zn)3Mre5m>S)i~kYLPqV+tUZvw#^Nx$xH@)mZ0AH7_0ihc3GUsG zBkTtm5M};CW!J-JRq7LC*bH`k2v0PYeNW>AJ_J@<@*Kw)FNaTqoz5AHnZ_EUZsP<# z6FwT>ys`R9d3_Rl(9EUAS?pKA3`gZe_(oW5Qn(#fSqaBI#(DS=*yTh1(#9lgS@>z} zVtr%cdH7g3hAm`{0e*s=E#<;f!8t4!<)j# zlTM=8+UzkLp5+sGC+w>8!c0`LkMSb-P~*k$$;M0I26!6&dD6B9Mu#7VPnCTXYYI%L zW;-8!(wJ>~bg}2~Zm{CBoYVi6G1qQ@Pb5}Y0#6svhCAVtK(+IJ_+zlz`5?SCtad(P z{5bp_<7eO>82=c438u=GS<fA1FNh&#~)!r_3`M*U9*n6>Wm0ErmJ8F?@z`0-tZ3hc5~Kq`fZq!%Krd zd{^*?zX`j(q~PxbfB41V5C7bJ^6)!m*95g9_`|EN>+7jGaT8F|IfoBg~7tterUgC0;aMa>Mx4Lz4Hr$F$ zp%v!7>ks(5bzRSUTbs2VAF=%A88avDU8RuaOnNQKddIyBROZ$C%f}Vd2pO0f4ym9M> zU&fBKDj$d6ghM_5Y%Kr3!Ck}&N9FpS^YH5MA;cQkv9QwS;R)~@*{R4ja1R*6yP8h| zE6nG}!~0@ayQJYG;RSF^=S_n@4kz%(ENvccgwMhr(biUY5BbAq!e`4Lz8pRW&coNi z=fV-1{0dB{p39GAaL}ZfM;sR(G@sBHRIw_{l_#SjF8)EFT5pD%JHX*sgRIo-P*!=MrG;UB_=l(;a#VE z!@JHHuA!`j#0ke3m{7flADhDTubbyT1TS`%n4`>R3Fil;e02Fn^HD^(ZXJ=9!ZVfZ zH|d9kr2&Z5532LgAj1IJ`= zrg0toX;^s@MPKBHbf|DMd@FIx@fBG8p!^?%ZzERtHmtP4{v~gYeuVu{IOdSQ(yIR2 zqsyKOZnSQ}pf>45?}9^pUL&o0w#WWDtokP$Z^5BlY32@W3je@4LJl^c;tSw-*H4E$V^y`WJF9+`Xf0TMqBbimcR&3P>~1aC2%kk}-^~1(W}IMt zn(_xTuMM1Mwsk$~44G_-w@>kQDc(E96HuYw8HzjKlAs|40_+3(F}k*j6UkM#USOZx}-ZkX&` zKR*h;ZHc~TK7Zs~_TcjZtT`bSGV7%J;j|RjrnnCNDQSaF-hlP&pzu3*A#u#{F8m&G z9mn5b-FFGcs7(gypf!4LY^jiWpOa1S(Ypn`gWn1Mn>mC%NzA$G@Gfz}u?s#ffBX-G z|Bg+aUNc3yd1vMSabS)##uOT9K%l= z*TKu-J(WNFEBHV-4~IQ-G|GP`Pa2Ei-{B)p;P>Fa${((zbDRzl<{0A`9tXSn!&@3J zgm;4XP+C~~1UKjE2J;~^iGJAE`@4DL7&z=(royg1!P{?1TwUk_SKcZ35W@G27zGzH z{x9r!PR&!4=I0ZocPGvz%FN)Tj=YE}tGU<%S6Oanz?y5KET2&rSHoApxK#3=d#`c2 zd@RrxZq4~JKI(Uc^qS)>QDzSu@5M*u>b}aut6I65`u|7Z{}i|p*5^(HbxZUN{(yT1dkMZ)MuMJ;)Rzf|-f51do_RPt zkEt^(WY#ez>fhU~o4T&guYzw=sxJDDaj?&XU!#0n-CjZOp!Tn 
zPbOCQszPtG%{)ckuPA>ieo?=)3V4QINk6_1NpIse- zP2*CtnavN3#rm+)Ch(T9(=3He40d>5*xfReb(nD$o@yM!iW7$k;;rZAT?0NV+So4_1?sLX5e4B9se-++>w0Zbmc(T%x z@x#W?z~47s4!;C%hreE+>m8BiXH8O?=g$UpU%Y}(0w?fajPvkXS-*Zov||(4_4zv7 z$D!@;HrUlyd03yVikHJX1b=Qmt-l9i*LM*2#QrXPdVIc9o^? z9i9a1UdzJ`up1ZpuLIs4{}`SN@2RvK@{DXgF?_Lc9ej;(0^bU|JYhYj@1?XG(Vy5= zA3d8q4C}XzWB6%U_j*J-ehMpX4F3^!8i4-}PsS$?_pe{{an%Icjy-{^VU4fW-qqlP zuxk^sHhc&i!<)l74K7FB<0>yT?zk<-@~|-`0vDh#Qz|Ej+ki0Z-^DDHs?kr9#2fD z&gz6fZiQ-}rcV)h&G56X5lYr@~tr zPlNY0J`tX3jD{*sF-A8P4aVrEqQe;7RGe-6QTP($kHOa%p9(KBJ`MhoaV>nWaUJ}C zaSndWcn188aXtL1F&eG-oiXcZ#XH8Vg(#cv@oB6%RzbVc#zI(OYvR1|Hi|RcU-&qk zz?&K;@J^OC59=N8w)iiHC!3EJp5x6YhU?%1$g&QeW849sWj+afiSa`CI#}iAVFj{w z?{#l9yKHx*IQUco4`L6Re=5cD;kwJ`W$emd;TI|XLyG^NV)<2C+A8kzkaqPHZ<7v~dmql)=QZ$8Va=23AFYGRLwzy@f31D0l={TY zW3a+5*c12!d}NQR_)4X547VC5@R`PWSb@2#s?HJnFsqwRcS!M$Dc&i?+S7%wbBb%I zWgQnLZ*KL0FR^lC_;avpBfP{o4}S$#dn5AdGtR=_GLGSkIOJ1D{1o;N6DJ(c8OL0F z4W>KXyO(qw{*0ZvMKQ;Fu*(MyWhJlz*;U5G`tHFr87#=Iz26Gby7}Mi6TWuxv=yZ>x2+|&Pn-P zY8*Qc_an0l+P)4up?VL}-wrFS+M;&?ueeLR6UMH-itU^zGn%vyV<)Q2V$gRs_O+d2nDx^IqWVkYVZXsm0aa7HE8bXHk)CH0c$(Qxj z1=hF_GOV-FIPzgi=ZT0p01jnLgjsuCpYIB@_PYMu*L?Ei@+g909d;dcklAC-r@*Yk z?%tGEm1mywPHQEoMkVXe8UTLRy0_B{M>@E^rRA2J^y|G>M!-^Yh4y7lGfa9AVc z!+xYc;OaGmPgtk^03U!ymg8OHiSP@6%9F>E^K@UYy=}iw)rQ7Yf6c5h zj}%qg8>83EF2+nHqxUhMK>el|Z^cNSV2p$_rx_Ei(q#N0xZQY1UQ#~bIV zbN{?aop-=asAiuWLWX^^3%K^rV_{4~thy?&cMc)rp56RerVjhw88ro-&5U1%_lIqQJmB~CajWG1HiQf&|Rod@iWG?!C%cLbkVT+w@`(U=qZTKk$B zySRX|)UKH0Vt5wm6Zk6QJiG*MR+${P7$@-E@aeLnH47P?KY*Pg-97Xa9Om^GV3iwl zylz|vt6c2o#nesDj-hVvnoky=%=SK?7+&2tfj2hJ!<)f1#MHB5JL3v?XX6ZffblA@ z#$~qE|1j)GqDmW;6X6!w2_J*ojO*dK#WZ6Wxlx?m3N->N6Reg6bot zxvoCqEXTcOp9m|oSNQSzI(Fro*I~RIR((40kv6^qcZump?fbgLb{F-)iA|Q}%pe`4t-V!sg1WA9(nIR6NCJ-fIz@Q(Ch zSal2EAyM7-#mDuzm_FH^>j^9!J3Hl0#-~R4z*CGD!qZ{;+&w4d;P5W68U7^s#H498 z{{&W_>vOV&92PPc;Af#GL!K5gw^E0AlIy<84Q*hxA5b_P`!2-!tj^r;={O&~&+GE0 zXc|6Wf@6-4!fH#xF&q9g`Q+gyelltYA)Ry=70CBaHw$} z`|-xnDB5cr!;Nqvf4DvP!}Eea8-cTfKYXEa0$%~YP1-zsBdoeDhi^9@O$PTF$M8eO 
z3H+3C9{y4A=jMAg_`^R7{_yXEKm1(D#?@SQ8Y<39+Wv*ZsS1>Y-w zxB*t4ddJ^otatq3_dWHF|2*u{Lmm8C;{?71UPeB7_+HrEJDah8hwsN8!#{xOz9`P} zyJ@h>N?;3_i}6!n_}6f4gU@mnYbzY=>G(I~#eSgj4X(chUt;gZ;XLeZ`~Ukzzl^G^JehX*s=(FYgqf&7@h=w7Q1x6JN$V#f%k{+ z!YAQAKLlQcJr5rNAC6u6o(As$M~royaSXS@ied^ZiX*YK7=p9m&36;b3Zb-;b&BnM{*duhE`A@T8I@UB?{u!QJPzah8jhIbWqcN5PvGM@?%`O-5x)DFhhN7> z)mqN+TbNLNt>s1Jo|pAK+w08sj`>`#iy!g*APp*f!F=>RoW-1HWh9Wl`<~V6_=h!B z_8ZLKeB5`3*2ZUR83-G}U&JTmj|nyS>kPj;Q5zY4_u1Cw_$%y4tgQDYR@Z*~STcq47fa3Rrs0!xl0PfhhW;6n-5(gz8iqGD}Hw zquFm(MF~W%ueDa(Vz%4NNAn$54n&z_QfZHcH8(4qkjF-MkGX@dPTD-&XytxmAg|0fjfwi-FFcUCu65uN((!-geER7spwF&f z2dgjH)jfIZ-F^{% z$9OrMp~Kx=%FQ;$I14L$mpo&5W9+9;(FEQC)_jzQw}(|XeGf#T7JEFFeI#~OD}g5) zFNBYSb4m-(fM>w^<+FCUUTNVoVg8R2_yPgFT=VT< zCBK)=PFwox{fgOsHjpOsDm)d^`sY5%SGOlAOZRUGzq54DVozyFBy5Vmn*e=`V1@$6NRa;@`>S- zE$u3H4O7Pb!XltCBXS{>R~7t1jQ{RdCmb{ScLWra_9Bn{_j;&bN?(~(&7Ww>&Qv$dDyG=$7rmbd0b!~Q(OxP&-dS6O52L~RZB5QjR2 zbNR2k692(|>kTBxtPgin-*p+oACtjZaJc>{cnY?d<8t^~;ylMS!Ooc6Zk&hvV6{Ky zcpTPPB=GlP^4H%ziC!>!9$pR;x$nQd3A-_-p?`u^=REv3*!2q?SGAAb3-Idjo|Kuu z>%$uFJiMi`*74oo4JbhC_`dK)u-5TI;EmxtY$22S8{#$NDL2^1se(S#Y-)C*sw}o6 z$Y&F~emuOH@hR{G)jz;SsBCq?`KNY?tB>r+9}H z@0j9A#{J)gwtSF?TYq)Bjrn|;I=JUVZ2DauS07mW1F&=J=4Y+O`+0F{fsBLUl@;uI-OupW`mkx3KCT z0@=86c?J8V)@gXxM)t_i3`g1Cu6|mZ#3Ym{sUQ}zy{ES~_ce_rz`|qu= z&kFN$*awGuOJ%IOAM-GEz7r0=$ER{P!tUlt3Y=h^SD$R{>y}Vn0~3H7BX~P}#CdoZ zK!{@?oeCWiBVa?Ss ze4TLuABAmC>XL{1e^;E2x(%Pbu*a~4%s)5}TuuIg_c43Af6uaupIa0Zy|G}*_osI?~}9aV(6#A z=PMh}qf_}5N;f#4;3s`s$Q*0=5cTWgIJ2ewj>q;3`bBeVOk(v*$p3BZCvaW%ci?Go z00y+ z_;lE<6;!U%IEK%GPvv?7hkZmIz7V_n9E_X%Qur0+4_^;!ZP7dtK2OWTdak7zZoa?O z{BeuE3ag%3`0McCx&JiEwotQ$X_n&M+VU{|VIFw`t~1|f;Bfyv52pu-yfRx^KH@Pc z-a5sb!`sBPLw!#DcLCHcg}q|`PC9{O*zKd?<6!k+p5s*5X_&Unf*Yw@47bBgZ~}M3 zv*0{@27EdkaeM-9A&xmd11rx2zS=ks-(ajxT?$`L9x;47EDa>^y)dqBE`Jb~2A0!# zkHPBah;}^-x8bDmdJ&!jC-8DOA929HgS(W`D4ql09{Iy7-~%ux@LH33kB2=EZwR}- zV&gag)@KX}ye<4o{PXaRa4&XkzITQ7923JatntdjN5c!`!#Z~&e6{i)%Q(ZTzdlbt z9mduD&fHx1i3;*y4*i620$&X4{j~PP*TZ@z9c@Zq!Pmkud>4G3cr*4ju&V?7D6G$% 
zm%~rN@2adU-#38Wv-|}1gYXxW7Jdum7*hdYnJad3+_C;?NGR-ObekuFxlwJRZ zM(}S<*`?uNZy&H{ItI9Aa>}POWj`Qg?@rkdOxX{De|UhK&fRmHelL99fUk316jl5PgoBY#vEB#W0!F31iLw$JobcDpBO&KxDGxBKAXg< zPtG_Gcfq=+T*iu_gIA&M*a_8BUF3dX<#QYI2=%l}nR8SrA8O8p&m(O$ZZWp2;q&bJ zQe)ZgF;3t|jq~si;ZMq+y1i-~!*3d^{(prp$4B+IkU8JVAnM;Ee9NxeCAnrUuoEuz z`&~HTkogom>L9?zL68Phqzf!$-iX zn>2qMd=b70JRR2Bk%v!%-I!MLJN)ov_{4A<3_1;~PM_vP;U$hs;jB&wWZ^y&J08|& zxe6z8-0z5SC!dQg?HMqk`ZIP;72J0#^t&3DnC(3Cxev$Bz~t|~L-BcUj}{S=F1n3a zN$w`*7H}GV0G9R?o-&T%my8qm4dXog=isl39PHD^@H)l`JOS36pXd0Hu`8JLgv=FI z9#Q`|2R&SA*W{*2zc6m$*`8>)$2`t}%8!_r>@e4PT=RoKJ(R@UP>v z8UCClXoWuytKReB{fJfXvtjrA$h8Y#=_3z+2Br?~vy;!lmQD0U<1Bu+z@ZLz!tS$0 z^0bf%a}wvSU7sbB&@S_F_HT0{dzRxq@*z}TZv~Q_+qda&sPcb0WNrwRV!HVT+(+7Q z&p!??wCm3q$E5xld=YWN@hey^d5$oLE{DVWH}z-r1n;AM`#t_QkwE=sA+yNJAnO0V z+G4XUu^8Ws*5#1qM)-a5s-kUKjQ#s%xaJUFp6qMFy8mL1jf@j`OL%qakcTZ~wAKe+ zk6zs#ALTz0;|*gOD=R;=EylhJJ~HPy_J`fGI(!7IeZAUmA#(_Mev*l2WAco#Ukryi z>1y~wYzfW_VeJR=u)b$@TPmL~i8=1T=gY(i$1<4zo#q}kjw$P@V259Twcm*m$uG>F zz`rwAL*EN_c$LF^p3x|tU5pcW6Ik`s3L3r#9mCsTzg_ilD=RvN^YD(AHm>IPMPcpT z^6)Y6s$`=dIT&-4g=ZPZaF1~vd_LTOPXb?JoQD^|G{b4&Hdy_pa5wDcX87x{@=rJ( zfgdK$b0}bU?;oGW9zNH99^TJi4nH$%(1#W>YZ`~Nui+oY@wX|~_X5|VZg~=pK4M^h zF$R7MTb5%zSo@V2-UJTgz7>2IcIoHCu=W)R$FA@)?0I+}_&zbmA+Ywank9~a!@6`V zEd3|gr^DJK(6PTzdKWRW8J&w~*1b z^HTn@-;GV-Q`qlG`Gf9RP}ja@K9}HgxC|CByLIw&*pZG4`h8<@)}QKU=3Yw=*Q`5W zcdgYqO?Cd)lMmh3zxLigkWOuM^|=wBH3#yDzWzZUmsam|+`a%my$_O0mg5f6@&chU zfggguX=%S_9AnqGKZspE%i(XqdHC1xWAdkhe}tcaWB9M|cjT{%AL%&{uMU4#{v7MT zPs^WUWBB{T3CA|@4~g>}6X72dOD7gG59pjg)W61t`zW>kWcpU(r#uxNwiwJjG{7}? 
z3~8G~OqHy2&aJZmSa_hpvP4+b1Em!|Umk=cp* z+xVQ>+3D4sji2i5YyQg8?QiEHpZY=P z&fD_&HYX}y#|7s1+Yi<=^Oog{OU>&1xXk>1Z+_QvPBVC=7)5_DU(JV$urpmdJJXX3 zS$?X{3bJkPD2lSg+ogDi6yHofEZ;7lpIZKu7yZImb^j%-GS!c7z{*SfYgqHQ%KQ!7 zWcD}V3ykkb)&F#@!Ki>TZ-41HjvLoDc&l@ z+ogDq6d#e|lT)nk0)@KOrtC9Qtj}M9PfyCO-?<9*^HcUKQ>?vS@VOynzcs}VrTFO- zzmnqLr}!@^9;F9L>+=m#ynTvyN%6rcJ~qW~x@`Q|>2DB+JWomaw5Rxj6zkup3;z1| z=K_B&<#SVtA58HxDgIH4f12Vyr1;=e{uR>)%Bo56hAC!Cr{FZXP0GGUiVse){&rmO zKQ3iIHO0*-PEveXiWjGNS&I8o{M{7m-|!3NzL>JVk>dAKTyxTZ{{|`EF2%d2`0x~; zmg3V>{P7fDl;W#WtbZFX)N^6VerJjwNbyrC*6#s?w9lvPKTol~n;(2ur0n{4bA!F+ z+|JJLPj&icd_j{td<8-;lERr1&!_cK=qN=}rIkUPya= z%IC`|ejvq9r1%FZ*598D`MjF4N6l^BQElzy~3yt?CQ?7c0{dh-ECd9%?(k94*lrin5np@kp}epaqC>hA4mj9PQ^YpHQ(b7NODyRkQ#n``N5j2c@zx_fJVTd>x4 zHJ{PwFL`uVx;|K5Q*%o<4QkDGL^FDtYP+MZ=GKmu##&Bfh$x?^Khdm49J_kE>T@kE zwcVY$`bO1*zEJWNakREHx6Mx3cd|Nk349g$y=HVYVRb2Xgm^J-h#+h_N5)Hb#>wr;z1Y9KzG-C7B^ z^QoGfvfEB@Nw>=`aQRsA-MOyWwZ_}m_jGpBpS3blM5toQXZ!6`uJo1m-8NlH`hp5e zrH;C1bvEW2YMa}d+PNE$e0O8S&-&R>PgibcW7Od~D{616t?%fG=H+I)QD!uSjkQfJ z%^h7Su5DS%s|`I}jSU02C_8fPoP#2o+f`QUR#*w)a@jXq#$Xzt3*Xd#yYlfO|q>wBmkW7E=J zKfAV#=|~Cttvzkd-qq1q-<)f4cJ+dr3wqt@3^~wGu5*-5&F`vhn_J&C&pG(>Sxi^$ zJ>4lwbHn@(oG}N`mXyho)V4HtF;#ZfyL!^}P)V7ZJDO{|+g-wxN2qSf#8|4DE}su% z>_^!t)73Ph&u6Kxd_x9K8<>C8w1_!4SKr+{x3LzQ+nTG-k$KeF#k7IEn4g=wP2vvg zr5bN!{-+Z=8XB3unIYZT>FqP>yD=hycCI=FI^lITc5%BQ-lq1>*+Go$nuBNbbT@XX z*)8q42D{?Nl?M9ubaXYl+d|UoX=JMQ=FY~}_U=Y^1$8#J)v}n>&utVnx6jKpGd?Il zTBmkSR9ta-Ys&SsFyYeGPT95nI*OV)+s|lhlPYUl8(SM1S*nyDOn0=jxKgy*H8q4L zcjUU78){u2G7&UTW(U(U8tUqx{Z5HduDiXJJJm$0Rg!zuX)Ws3vWNk_*5}%C%n}Hg z8#$*rEV8J6R&z@O29}o@Oyw+kx*=;@kUEQppKn-c(<_HfQf>vNep&!nTKvrAZ)ZDk zQlG0~scmR)qi;1Wsyr57?o-O({_H=WhaakC&Y7!euSW|s)z{CN?k8*2Tq)R{`1_`< z+1)DTc_)E`pl94ArUut zxpZkPw92>TS{s`ia@{$tz;nAATYWsM)z7 z)DX0Fb#%7RXNL94Cz_ROYlv(H@uL_{x^iH1(fo zKCbs7W%AMN=NBv{ZryXuY)7M5&2-Fe(k-WcEShOA>uqy;u0GOy;QJ?6 zU*BD;$%-3v5)&C`b6Zm<8oT)&EEL?o{cBJ9q*iN`RvlE2oxyPHM`t_pMzD9av!TH%N&TZJuwB}Y?T7p8|h&pLIzm66*!mXO_ 
z{80C_dUqU3VjM|_UawYJUqC1H+AM_Ms9WJ($=P-xwE^O+y;;d98E>K(CfLO zcHS&zaJ8tj7D;J?(nTJw4emiFW!Cmn{U)t&OZJ~OG`KvNT2BXC3AWXmpj@#uV4zMqVGBf81AgxG%Ukmd@2!0LTc8u?-4EQ&yc2MD zO+(Z;uN5Wx9Zk0$R@CL{Z8vnPfu2R?X{~Q)pQ-Lw&@{QTNeKahb2r+ zpmOPCM{Um^{#5HDn;<%zM{9l#yy%(59IFIQShZd4O)QWd&D?FQl5IS~FpJH|DXo^* zs2Qa+vR`L^g{NX(|M0}5EL^{OErcv)>jL+Y6{4HisdmcoQx7}p;NxqLKIZs?PnbIS z_^DB_gmZf;rr;SpJd|~7i{)G7pKY1p>Co^fqspPJ=6byW@Q+s98xFOUI`H#^zl?nR zvy9Cib|P7IwKO(%gqzE;a^MQXt}9_!-FD6VJO@927W~}3>Mps(PV|9$Q1^;k;+k^o zgd0+KXKk)YZIt`aYh>T%_RA}~IICUny|neH|3Hp1>P1KoZ%PJ`cT{cl>2q7g(M*BtrcPQug!IL>)q1_isbRGi>Kps`sRifdt2h_ty6cO&l;FDnwmSggPEhX zcp@vKXht)+>%BsFsGq?fp=)cT?Q^<#tnOe9)tf*WT4zKZUJ3LdH=mwF-To-osfVu? ze_~Sv`xE9QcW3BzkiXw`>WM{`&5s`MyZGUjMg*ZZcRKY-2e?ah?q+^sH}w&B&d>ze z)x%pIUSG}R6(&aaw!kfW_%Vu@Y)h_to|1TI%r&<~IXjg@JEKX|F|)m?$t6HX&fuRW zYyHF7JeGfL!gHE`{lkJ1`S(bWp5WcCfM;;6)g3cc0Xo@(Mf4CRUViBD&{aaue>5cB z7WHRXB{k8I!mpXT?Fzb`UjLgAKNh)8o)KL=o7&vmOx^>BlUdE0vMfhi=x`#(G6 zKKSTg>n3>VvvDphn&Vbzm)uY3?p%vGZx-C5PRy1^OQ%k?w70f15ij(cR8GzM|4utd`x{kC0o3*3Q;uW)tPjYwf0{ zM&CG{&5#}hxz-uYtisXhtOLBDaBmgtalZc?X|qA>>OZ%aHo@J!5aZ6*=M}jgc1XH8 z{JO)#MUT@gpFX&^Meg}|HmzaY{m*{cak|USm}k>WBLB1hDyROcX_TttI&fk$2~A>c z=Jj;Fd+!;!&s+4W1>Lb5YHP4*$(wlX(lx6U!838`9f}^n9q1&yA+d{RXl3rNjy{)3 zpZD0E+p1TS_JNGQS^Y`>_E~+yqnf=H;WY?@!sd_3NF&n1!x^<7xIUoxekpf4scY4! 
zo#SU)>jvtq?xk98(qIPWU4%B>TKSkV_~dC`=#TnNS0mmhYkr&2%j?f*9^&CsBgg-T zwYQIYExYf#&e$GX*Kra}oCKx8Aji(+*q#|{W^70Gs~pF+9LBahwiC5+^60+I9o@`* z(cC+CMh*@Yp|olVAVO$Vh>3s_M0pbsh)N1kzz{(bDoUU#gj6I>QE37y?H^iM>0120 zdw;*r^V4tagsjE0X6~bpzI#jO<#YDgXP+%ScJY1nnVUGn`e$)a@?>JId3tSsP`>Or zTv+9;pa0-;egn7W=&P%t=mekQmD|YAJ^Caw)I|DniQeP##5wGFQ?DJ6wjztY_ z-PdKGwa594V;j#pJ$B(~rr<{@Do!!O*lje7U4bv0~M(!8{D$aT9~#G*gT-`DS@M)=wMi(_?HaAvo$j{A1j zy>|Cq8p6AF_dAQLcb~v$!{E&BZ`!ED9oud=Q0)-0))O~QZ`>K!)yS>;)>+4+moDGM zIQO%-S#aNuBD8*1uNXXc_kMBRu6nOMa}U>)srPcz41J-I&LjEX$BSzN8#u5FI16k< z@I~t<*&N|#Q;{d!m|4DQ&09YlR?q5Ysq$mBoY(*w&dQrGpDOcX*2rLD@a3#Wmq+U^ z+t$giWNoDFs9X2X2hgp{X{RT2!R(qP53^^#@|YIfv}J??cI}dexzbbWRKH*q?PAYf zJ7B3m==F|{-)=)c5waWAIV=P3Wn-z5jR&B%|_p?l{x1|d=-!tHnqI_Glf zVO|wG^X5$hSCi}*^03Eh=FtK@UtGVOy7zoiw{?VRJVc-)Tbz1ZYE*2;7kJ_2%y?Hcm7_4e(Y5uPxo z^SJyS8%IdjxF^N!EN%v3Y$@MreZl$!>CHHPhmNteCN_3&ofNdat`W&XU^<0^fMnm`|b~a@VkqbJ^SJA$3F8Fo_+f1Pd@$fr$70TkG%ZJkA32UA4(m} zm%TQhw=>1%o2h?%8C|>7&322MRJ5&e-G)=|nVZ(=rygul(5{zmSv$?$cg-5b)NMku zic92YhF7iq!_`)LWLGb#p%>(H?RnOJ@%&-BB7<>u|IXTfzHB%eaALqn|hIJ|Bj~;cdS9$ct>p5AOEqo%`rC3ZA{6MrW|BwuInBoK zy(HQ)7e1Lz41PzMdAKjZ@@enqi+c4NNEdHzYnGae=j@=gLDr56_kxJCU?^o zK$nokQk7ha{l#1k^P%q9e5n3Q=<{o@*wB&9E=gmD>@L_=z>vHRE~FbP7nqDq7iriQ z)|O)(awR^&yCu(Z$?`Q&ZtT*T_~PN&-D`teHebi)BBV-ap3R24mu=5l`;&Ji9-b_% zSztxXif0RR`Ho#8+MVUp2)%R{-B>%B-@_yzyZdI_E+wfuVlQ&Vj_T*qtf17Q+Ns*^ z;o1=Y4bvP=y-hmG53fRkfo(+ehq2|-Kac0d%j5t4Kq+%~?D$ zwxnV5!mfyI>(XVe%?rcZ1xlP@Xx*9^yP2-ehV=(8-@04mCiDQC? zE0wkzJgG%Y%MZAd?jD}qv>p}k-t9Yj24e)NxOGs|11p2Oap^IK-_EO8Kgw!fxtXi< zapuDlckjK3!CAXZ*WHt}6j=4*@|7EDYnX@-+4>HTztjGIhyDMg{r`k%SzNK{H;+GV z|2K-ef3&#UENt}h>aegQ;oc29-xTS*jOXqZCaI<`WV2EekWXbcU}Bwc8vw8~y*;u4 z&-}m+kaXkJ201St=6%3Zc&hY5K}w5xadOWuV)LWYl)wBYdFEhxY^CkCuPwoI)?ppK z^KrWr$LLRP4hHty`i5ue_WRj&qHUd9MLH9uu?CBkSQi;4+VxK=!wG7qkfgBtIJh9r zWz#d6A>Z)2&FZmx@-~KmG8Z_!Zl{xbc5f`T6!s{e4edc{5A7ZSZtPiWffu*#IyOXp z3%ii8+o@S^`70c!@v2y<*Cyb zE{#NDx=_C9VKS`!za%%FYmC5QQO?x7b$ zjNP4Gd9i4``|&55XnoTt4(42uFgl!K4do_&YreTUx}N+_P)u7N9vr0@(9Y? 
z$R3_}%w~q%vdN71?PP;q?BFVX6m{oM!#$K#My0WX+CBHiq%Nu4u)IplNY^Jl4C{o#j;OE&2gKW{`w34Obh z`K2c_hFRMR*<927MmMgxnV>9e7w-41F|eNNRqK=Gcd{nDJg=b{sn~TGU9&+m&TsYe zOquwprgkVz%*6O{F!&yjGi4`xbkMcY2R)z$f0_D6r0$ zBwN0C$I86*EjB3e==(9L`1>0_P=DY1>Yw=RQ%}{u@P+!z^T*F~yc1sS@$_n(mu+X| z+gzR82}<30wjXzG$}X;E9(_McKT=0?a_4$^`t(~K`3i5`_<{3{UHUhBugw+KN@KOK zC#~7O{latQw|yktfU3W6r;f#_pTDbl@$UM!U;EtcZ+k>fV!`aaCA4t_q+2 zimURtTNVFie~48%e^!&Nw4!8p00GZ-~P>uo(F>LaB(xh0k%9}Vdl3T6A;O-9tvYSHQxQs?@WusSG<7{ z*ZN!YuefrkWKHg^N9uM7gz_MFNJeX9-l%FkHcK{q}_bd3|m|Upy9)k zq*1_uog&i7Azh26j(vJ`^ObpY)X19p+zzmcxA zFemT)@r$=ObY&0F$+0!HM;!RIN2%{>ztat9`)y|jyO2a+Q`7QI#XJ&jP0tH9W}mL0 z&{n1%la;o~w0U0gZM!3g!NvSs>Y&?N^U6MzyJ8pq_&=9O?}SfX;OuPo;qeHY=^2|e zlApmNJd=Bhb{YGk-O;;!{gz#BbHwMyoiyl;ZIB=4yFl{7x(#_&JZ_-gyK21<%v7-P zY)rJnovbw5E@PT^$IDAhJ`ropr`8yDbg zS+3eyX8+hoS(;&HldLr3irw$LU+kJ0?_`dd5zpGAmu$Gu#(S+i zAKX97la#L8Jo)Ad?fR%^pdku;!v9ZO^vgEwvK*{}0^Mda(YU^*mIbB0d=*|-Oe zz`HL&Bde4yYR~EU{HU-iSG(%W+S=>hG%c(*-uc*fr;kM0@AJo>`KW`AhfllU;~(s% zjcywUirH&XJq&*4D+)_+C5Ph?!>KpY1&d9QvdxVVbZa?mY3)eP|K=OrckLFf-5(m* zM}q9`4z8!N7WtUY!%OC@-J~!LU2!x{FL>A1Dosy3i>)8;x_f#P18CWe29cW&lp4Yypi3(|p^p5Rpz zx_|F%pxcpJ;Pg44+?ZNtBt0l@Wa)00m$^x}fv%E0ZKn$Kj`EDyl9(}Jlg98c4N=<;vIE%4VnI_&VLQX_ zPul{aeZzc~tQXorQ;YZcY$E2(d(S*$Qy(xmlr}|rc!v4#9G^`O?T!_ud*Cq+W&S?n zw3GaKBRk#U#BkHj7-^11hIDM-v(H234~t}fZ2@lQdw}+K_Q?xeLZ_P|_v{>$?&{f` z1#7HwX}iT>CmqgB&I?IMi)}Zx`4Z`3JvB9byN7Yz2H|Wh@9Lew=Tpxm-xIMnL~E0_ zL%K;~_hYWTXyfBW`nbc{)mwHF#L?k5{L7x;t@!6`9j_G6*;c-BbAaDyy6hLWz|CiD zLm^5ZZL|lr4e@C8@<0{9}&QI#y@!!`u3f4Jaa(JK63zVtr*Xh_ON*FMH}3| zf`5kj24zSAvOjJ&4fBu&7wcK>{N?P#@y&$oE& zZlBE>z#7@w-9!Qv;ekEKztSBCb^*_xx3l!s0#h_{nny3wlhUy?L+#1@ z2@5+1-ptFBe%oN`d365S7F!4vx2w`;Ze6kMX3y|MeDmCtyd5pE(_ens+jh^|#)s{x zG%#wvu?XP2mFxjJK6pOgn6pP|yf?QxM%V0JY-Tx5yl5Tm8C=iXuba2{;J!^mvayDn z`1KC_zHGCS@f21xAMUqr-b$30IF-8y(_w$@nJf2gYWlUphHH4=-d5CRtEU!7O*)!9 z8w9gGVq4%=dWqa(4KRcKSsO+k*e#9(siT2Gr{bFR!Se7aAJ_-{*)ujY$fxc0Ha>fo`|fbjK1E{v>=*L7oNv5=eHLy|{IGr2i;Z{QkT^MV 
zi=|FJx=1*Nas!!nmW_NQS?tC@`i(m{xx0zUOZnt!?Y_-AykngfJNP&Y#(INjl5mZY z+9~^uA~ov9`;eKo1y_46fPq7Q2Ovi3oWpG2ITd zMlE&HY=SvPaIAUFz2)1>huNA3v=&6?bSvdM|5 zBaSV7?Rorr@60AG;g`(HZWx5uYD&tLAq?NseUN`fxq%)`C6zf}I=f z2(gAUeVoJA;=awINNa~$*MRn0)>@N@;&u|w(=+k;92*o(&8YSFFCJn(x9>XP(=(pY zl}cZgCw;k0dSPvEnjSXf*NpS_3=P1s#<>u2Vv8Ma+)E^prQ$#Q$5ZwD}5ocD&c zCC|HUcJj0NQ`X|)g>gis&OS=x%FtFVU#r==+Hr-?k)FNuyghA=9x9}P!t^Nj!cqqn zn*djBXt_D*B44Z8;^0~+>28nHXh8n_$9WZVO?i5ev>DQ?y<{JdjUoEcdA`n-oB8;# zJ(hPs-ce~^TzlRY9sP9Nk21jiv0oSlPm>n#@K&1Mk7v<;|9qA{6-vDsJi1~#)4C^k zh!2_ZVY=6C1M&H`0YW@u%kG}Rp*HX73Eozc0HGp}| zQs?#}PNlCsj~j1xO0s(wwu%7uGf5bZN`n$6Q?}NQ%XE**e%naBbqDPMUK+pCHo$|l ztMJ70cFBQGsXfjL*#o=svVYSHqQeHr2eLh|3dM8JTV~y%AF^M#+it&c^3sF6#!1)D ze){Q8efE=|`C#$Ur#tyU=jrds5Ar_43Sk+p;Ikgu)P}g*bbh$2zjr7P`PaWSlH`>XEpC!+i=D3)~XyD0(I!4LTj>#J<*H3q}ajMKM zD<(>%Yk+6dhdu0kZx3>Ldyr1USFdEN(FWM2%LlWaSyQRAJ6C?lj$AuJ@TpEg?(pIo zC!MF&&tP49eY;q)i6-f@oYp)!tCPB5`Eyb@fc2i(&$)MY*(R^pjl|1# zvawsVb^F0({rNe@Zfkt~SV%Yp$myUCG$y{EW@xyyC?(CWRuE!KCu{X6U_ zyA|WU)a4TE<&9o{D}TSQo?rg4%ot^F6e?>crgZwKzZH+{<<3hR*eH5Bwb;Yl0O0|@ z4gn8Snx~$mDoO%x@kA8FUr{J z+x_eGCaL$3ALh5sT@Z|4B0oQCVxC!E826NC(biv8jY(+vFVLz~I@sr{&mNR+tm5dm&+b?U z$?oAr_U**p0+ zu^Tn{e(c%c(f41J#%uAg#Y>`peR69TU$$iRYz7ocrUu8R5Mi`iw?E%<{sO1BtManu z+vwP$Rv#b5#n&&{y?g63b0&ygN~GmBP8y*ffqoW#;{!(dyJzfT%N|*`((2mjFJB)lJ&tag_IU#Nlb{uMik;w|o9^ib04J#SkhP5r}%c>1_$nI5DYD0p?8W_6BDBU|=v z=c88`9?(^Zz4l8sOY8I*Ykja9me~i(Fd&1)xA_dHm{8tMzIgV$f(m5FW_Wd1Sv9U6DI1V-B_`y z(NBNu6CX`qSyzA5p2yNzm($+C8U}Pe?OCgn7y4l|IH_%T^!*lpKVo~G^g`Ah`B3Mx zXW#YNkKpU?a2wj*1h4o5)-2g8T+C!J@vz*F;h((w?)@;{FHKiC@0i#-m9{LYLHgl( zdbK3hX|Xacl9rmQ7nVxP^SHHm>D-(*YHAH^5hQq8TfNew@2lJLSxr2P#lc$J1O?{i zbN%gauiHI48@sRHzEgk6W(L>srC=C^vMQI{3qAfGl+9O+_1iX|u#U_6x?Nb?HEg;) zRJZTc>9gN}+ikf?)=Su-`BgV|KCn(VkDUc=s!7;uHh<)idf4~B&)(5{+jdBs;Pf3{ z_UbDBhuHytz)ODBRmNVy%3yc$OYd~9d-&8;F4Yg@ZtCg#aTGMgy(~E|Mo}nSB<>< zs{`$G0BJg8N`9X&B(!qqYF?DJ8I2cTYIyktbsOwS%%b&QtLVOh5URg?*3%y}E9!}t z&5FubGUr>%+7C=f;tZtvox62T)~VmPm#!piE)ut{o5l0;_8|?BB)z%M&L;x#408Ik 
zS@QCgc>>dqzVe(n8{5oN%iJbE*^G~!*$-wle3i|t{ISQsT8YaqsLUT+;<5CJu&ee( zX}0-JmgC}89(%H|{;7QlBJMz8;KBOs=2`LB6}x7B%sPJd@7+78JEdZ2up?jS^;J3;k>N*DYygrkk#iKma`2EV~b+A47VU`q&W?Zrmm~8jU%0J`Q>tvH+^5=8XWBQaHV@0?iycL_C#>edK z6H0bpDbK^uCvnmTX7USKbC*AQlur3Jl4QHf2I2Xe9;Hzv-svgqY9o(Q zry)PTEz{te-MhBu()Uy3G5PcBj5Mfjm*@FIaoWP}1@>%P^5L$uO@PVsv+x0x zuQD|&-3ZD%3xjXza_oFY5e_EIGDx2d5ZDKRaA(Qp#@qO@jr{4O?ojdE{qq}6czyph zae44AU6P%AS6qHRe+8VrHZI?#O5X-z7gjbxeg1(13=-h8RQxPcdJ}8wxb8Sm@jW7# zyJ4f*eSF|Hzkq!K^iTht2h#WcTdq+Yc0#-+7?;Rr~u3_?qj#ZeR3o|D_*% z-F83!U53Pe)4r=8U(1g&*VA7ID2jhzkG~$@;a__oW#FfbFTFXx7g#@~Jplip1onDM!p?Kj6y z8rK}Z-nb+`Z{;h0;eqtGzfu3kj4#>Bw3+`kyq+z5$MKWKJ;$#%9+2Prc6+_QY}F0WaaI^UGf*~JMJ$ni}W{}Q2)0+ zV1JkNOGU9^F5Zzp{Shnw%l3Dt$UkcQrr)!DXn!mO^?%0r!J{n?`8SPU_bT(nam~0z ze&t7Pf10da^4pES&DxQ^;|Gn$q5On=)5^c$@7w+k`6lH1z{RWc^6LF7#y@AT^=tP3 zE1ojn$q%*d80pyZlizIoYCFE0{E%^*d}jHZK4Pg(woo7O&re98QamS6g^{VgW)FB!l3r_A5ieL~(2^*iK0XXP)w&W>mDFBrdOY5U9ZA2A+=`lFDK$$!`C|f*$T3#i8$@sl?yp?3VUc==N zTHYqV{u9<7+ws~XKWhA-9nTZ8w)d3$0n0DF!`l163-Wc#U-x^~o`rlB@(o$9za{^9 ztN)NS<~zsVWW0C$M~n~Tzk>3wvc}K;_5`-aZy0||{S`&U@oS8$jz4W&Bfsa9R`nl# zMbRODpYdxRc}3A9KWqF=?|4NqBx`v`E`OEf6Y|en`PbS>en#FHzpnX;VjJr3$ny6{ zmcNzP=JiotBkTR^Wck}5%ipGB_}dEg+ad3Vd_dOz9t9qgwZA7JpN4!+*77gN+TTmZ z*xxJ1*xzgN-?HubHQ#7{IDU=so-7}ZWcg6o-&TlfR{7 z`?q0!km1YQ%!iR<_%jXVXD)|73$pxKlF$7it9{v#)xPWty*~I)?v^ zP`?@SZpeFN`9BCeB+LI%$j2d{lC}IZvizSrhW`u4@PA2`{~O2fe@m9nd$RmLIEMd~ zuglw0<*Q_rPwgXF{S40$``9kTrI1@4pO{~+YUkdMiF{|QSF%aE@_{S8_E@5u6h?-+g`Lj7aNYu|EueALPEzY(}emjA7g zw?p0~YyEp<`QLX8{|AoY|Bx*ICywF&lq~<}Wcj~v4FA`m{Kn<*e@mAC75lsL@I&o? 
zjV%95vixs2hX3tQzTc$nt+omj4sS@PFzU{x8Y$e@mAChmap#j`qLu zt$F?Bf1Rw?D_su%TV(k^By0bV$nt+mmjCmRFGKwmS^jUx@_*|X{_jHleaI{Jw|TLD z^;0Fw|9aq(EdLuJZ-%^0*6Vl3^1tgC{`VZi|2|p%j~v7QFXkzZuH6Tn_&`WclAE%l`pc{twCWf8-ecj~&DRIa$80 z$?|^}^1aL9|B)>JtM+$u{rRFsMh^cQWclAGYyS_(@_$U0|I?7qL;VF={;$aLf9)9l zZ$kZT$d4f}{?WXC^1m9mMwb8eke4BElC}OVvixs5hW{PM@V`rz{{zSHe@K@9W3v38 zIEMf8P=4WZ_`f8}|2LQ_ke6hwe}gRln~vds%Q5_KljVQUG5qh7 z<^PZ@|3{AD|1^}Jxg7q_$?|_omj8RQd_I!pfAOY^;{pEH$SPlVIs9*s<$seb|2t&) z-zCfco@4mmcMSi>WcfcQ%l}o#*Di;eVGb|NCV5KX45H$D#bhmj7$A{NIx0^PVjK502q~<>9=2RK7|^dH7!^ z%m0!r|664F-zLldj$`=WbqxQ9WcfcO%l}2lmoA6@YqI>`h4Oos!~fztPW^9^wf|dW z`QIhW|9;4aq5g<0|0iVmKXnZMXQBQ)n=JpkWclB74F89r{K)0-e@vGDOS1f5ljZZ4EdO_o;r}s|FW!>3 zhy1US<$sMV{~Kia-z3ZbmSgzeb`1afWcfcP%l}!(=Prl;OS1gmgz{UL!~X+W?SJ{! z)BWEd%l|f6{&z#(5A_FR`9C7d|FL8EKMD1xAzy}kMV9}Yz+1BX--Uc1@*`RP7jMhk zL;hDB!~d#d_+KN-|Au4u-z3ZbHd+369K-*9C_ivH{2!9#|C}uUmt^_BCd>bgWB9)h zSFt5AOJ za`?X^%m3P=r~cQ;@*neRu{>9w%JbLSA@7FzJ+k~Ckmdi-G5jBe`s0w#L%tx(|5e~M zS^jTAz76@FEdLK=`G0f_|BJ`+_COB*D`fd!cMShavixt7<$udD{O^YHJ(t7(K3V=x z$?|_rmj6q#{9ieS|JzW0=W_UeAj|(FS^ihwp0|hmuaV_{-7)+x9mD@NS^oFQ@_!Wa zvCHBAlq~-jq5RV2@P9*=|CPq6|5dX5FUj)18S-|h-yzHY9$EhP9mD@Ys6Pz(G~_d~ z{9goKlI8y@rAe^1nuw|7FOVWYuqx z<$s4P|GSRie=pSUhkP9J30eNn0?*0ve-ZL!$k${o|As98w~pce&N2MoljVQ$j#K|D zWcgns%m2D#_}>iWTP}zHZL<6ylI8!HEdQru`9E_E|Cgcs%H{BXLze$rviv`g)&3vJ z^1paz-X381UvUioOS1fLljVOer%i;fmEdTdp?f(N={#V|WmtX$Z z$jVEy>Nm*pzeSe+ZO8Dx6Y6(EJ`DMYEdM8gr)2p*3;8_cOR|=KMV9|-$MApS82)d` z^8er%?f;Q1|0~~_x2OECI)?uxS>+ophyV81TT*){|NCV5KP1clFo5Ns zWaUkl!~Zr}{`W%pzRThNh%En?WbOYIS^jUy@_!%lW2j$zATPiCuaf0|%`yD1llA^( z$lD?BkmY|baGxyy2O%GZd`#B+Pss9r>KOjd9K-)PS^lpa!~Zo|K5xnLf9DwfA4B<~ zmA9w-uaM<`lPv$+WclAE%m1EZ_&*HgM=po|6SDlDlI8z`EdQ5e`M+`u|JRP;|DG(r zD<3@dzfM+Ox*YyD$@0Gw%6DB3{|99GKPMObS&-%bnk@gfA>W7k2eSMxzALYf{I58M z|5dWyzZUXl$XjIj-wE6$%l}@;`yn5a_5LHW{2x1p{}adXe@d4B3&-$(NtXX>vi#pT zhX4Ce{@`-7|3|X?FF%yGul#S4<$s$j|2vN1e?OETxE%hE$nt+omj5%d{GXHM|H3i+ zUpj{WTeAE zLYDtivizSphW~TN@PAE~-+QwBFYMlvpU+t#%l{f#{x?GTrpw`fhb;fcWbOY6S^m$- 
z@_!lfb*R4~%l{o&{_h>b??b4640)}6dVJK$^1l(dNtXYukheqLC2ReAWclBB4F3m? z;s1~<|0j;&|CB8M=VbZ6a18&~q5Q_>@PA8||CNuO`d=f<|B@{K8;;?BJCyIZ9RByn z^1n}(|0A;eACu+(#4-GzI)?vCvi#qY<^Lh%N0+1huY6BlfB9c0>-9>P!~Ygp{twC8 z|0A;epOWSOJmkwze?^x68?yZ0I)?wdP=6ot%0G7Mf0Zo%>w!zM{BMN38S*w+>)#>E z|E^>B-*XKA`(*h)at!~+WcfcO%m0~U_`eM0S1yPDYqI=5lGXpI*m)D}rTnjv<$v8V z{BMTxEtkXp4q5(p$?|_dmj6St{2w`n|6|ASe@>RKYqI>`g?#UF_BFq1_WBA{34F9`i`9E+B|A%DxKPJoniDURb59JpwhyP2m{NI!1|B)>J zD|X)&+e`je9mD^Utnv+)!~Ygp{m;YU|_J5Bo|A%DxKMwgc)Sr>%|AH+4myY58D%4+xd>`@y zS^gKF%IhPpkmY|hKkSza4j^Y0_l%KgA z{?Ezse@mACd$N2!lI4H#blzTI_+KNdeBI^nzd@G&O|ty&kmY}uEdP6s;Xl5c68(zpDh0e zj^Y0}l%Kd9{!hvBe@&METe5uKljZ-xG5oK5Hg6x5uaZ$7{@2O!za-257Fqtc$@077 z82)!1qx~O}<^Pl{{}&-&x*Yzm$?|^}%I{qc|BLTE^}k8h{%?`xf0r!(`yn5O`XjRZ zpOEGM)G_>@h5GZ5uS32e%l}>AJz0JqLVgT+<@@sX(E3-&^1tR7{?{GD|B@{KTaMv> zn=JpkWclB74F89r{K)0-e@vGDOS1f5ljZZ4EdO_o;r}s|FS>bq$p0!?{@2Lzzd@G& zO|txNIfnmj$MC;Tmj7e2{GWwHcq!<$s$j|GOdY zhx!Au{2!6!|JX77pM?6;kS{~NBFq0x;4NAH??S#0`H?LDi$9*Xhy1TNhW}N^@V`cu z{|(3Rze$$=ZL<9DIEMfIP=4TY_&+4e|2bLyFUj(MO_u)~$MAn2${$>g_P_Z4yglT9 zg)IN;Wcgo`<$uF5{BJsj|6Q{DACl$&B;-?!8gG5jwb!~Zr}{`bl9e-!eu%i;f&EdLjw{L|M!mJ z|G_c*Ka%BtwU@Ui82;DD^1md@|Au4u-wx$FE{FeJviu*D<^Pl{|L0`+zi;WclB94F7wfem~^nkWa|+e-?O7mj8>8FGId2Yxy^1 z`M-4x|96hz|DG)Wi>s&pSIF|eMwb6|$MC-y%C}q&|J!8wKP1clFzq?}Yl@kPkyXBFq0t;3--D&q6*A z`I4;VUyNi8) z4SA0&{|AAGWcfb|`8ecLvX*~Fmj83d@PFYL{x8Y$f8!YbZ^`m`PnQ1&$MC;$GjC6o zuaZ$7{@2LzzfG3^U9$Y|ljZ-wG5jBg@)MWC{~1~S&&l$CMV9|-vi#pThW}f~@c&3w z`(L}2*I)iO$jX~8hyQJ|{O^VGeV4=k5n28($=d%bvi#qY<^Mk9$56kxotIz!SIP3f z<{19h$$I}XS^h7{@_*$R z{;wUw|2Lze$Lvi#pWhTn%!{}}SxOQ*+2oh<(wftzIc-wJs<;@#xE%iX$nw8Wmj5HN{2!C$|HLu;pE`#BOS1gmlI8y)sJ|l1{|#CGZym$`U8uhgdF6*s{jZYce?4$Xmj8{A zH$&bgYyCT9`QLR6|9g(%f1fP>M~>nDm@NONWcfdH4F8v*{L1CiWTP}zH9kTrIlI8z^EdPgO`9E?D|HqEu|C}se*JSy>3;EvV@c&4b z|J5(#_1Ejw$jIS;gDn61WbOX}S^kg7@_!ogd8of2%l{Qw{;wUw|4pdB4f!$T#gF9m zlmFGgHM0D#hrA4VldSb`k>!8eG5qg1hW}l%{2w@m|3k9;ACu+(#4-Gzhw=-T!~Z2& z{_n~1|45eqm46~{FZo|}4F5~A$~RmN|664F-zLld9$EhP$?|{T82%3(!~ZE+zAnk~ 
ze-rYp%i;f?EdPr?aq54CEdT3d`QIgL|M$r9e@K@9WclAA%l|G}{`VZi|Gs1R zKPJonIa&U%LcVr6{NIx0{~?q=x*Y9)^+)si%l|gH;7^Av|NCV5KMeUe)Sr;$|BNjE z=Z@k3BGg}od>ir|S^ggaAIb8+_@~10K~`QPYyInF`CmGQ{|(3Rze$$=9mnv$OP2qA zviu)7hX3PGe&TZYKPAimHCg^|$?|zmmj4IG@W1jW^Y&5sDjDVBf1ND!7z zEdM)>;eXdL{2!9#|CB8M7a?D|9R9D#@_!e~?_Cc6i+}pm|0Y@czeSe+U9$Y|hkO|7 zkI3?WLYDti$MAm^>d!;I4*7;G|964+Wchsv`7z{`Kb5zK*1t-Y|24<(zwQ|Rmt^_h zat#05WclAE%m1EZ_&*HgM=po|W3v2TlI8!JET6Yz`M+}v|Bs=3@u&0lkpES({I8Ma ze}gRln`HUlat#05j^TfwEdR%3`9BN!+~x3pNtXYcP=4!j_JP~Be?*r5W5@7+66#Mwz6|+_EdMuww`BRh3;90eN3#4c{!HE;^1tF3{#PBt z{~B5THyp$NCRzTs$@0JB82*JkSzZvA)mS&{?Ezse-+BFT@L?uWcgqFXHNaE zlYjkt?EAHkMbRY7|8~f`p?;4n{|99GKXeTLN1^^Wh5G%Fk3&8o z%l}#6Ia&TMLcR?7nylsDkmdi@G5p^-hW~rA{4aj|)c*=u{@2LzzwQ|RH$(ZB%i({U zEdPgO`9CJh|0!Ai&m6=5WhlRLIsD&{<^Pr}{|{uf|3|X?FaE{6J;3n4;u!vyWclAF z%l}@;`!0w7L$dszgz{6D!~X?Y{_n}!{|B=Culz(_e)(S`D=*2a-yqBX7Fqtc9mD@l zsNW6wFyte${GSA#lI8y_W+ zWB6Z^RlebJ_}?VU|2|p%56SX>OqTx>$MAn1$}e0F|5s%Bzb4E79a;YG$@2f;82%p} z!~fc!%iBZ#H_7t96Y{Rh;eVej|3{(x*yZqlMwb6uviARuEWeLr`Cs|Tyu8Y5WYw>e z<$r@L|C^5Ce=F2)hrA#10a^Z!0*}e^e-iR($me7&|AH+4myY58$}#+3ljZ-;G5p_? 
z<@1p&|BLCx@c{p8WRL;0D@;s1gx|CeO>zah*2 zEm{8W9K-*;WB6bB^QZooWcl9;dE4dize|??gHV3xa`- z|2K}||CTJD_hk8ha18$||4QDTDqkg|Jp8Yb<$s$j|GQ-Q-zUrefn)eT4&^5aSZ>rj^Y22toFb5Q+fU6e}k;N>2mnrCd>a`DBpKE{2!6!|B|fz zzaq>3Em{8WLw*ePi!bKom;Y6={I5BN|8=t7zYKXhKPSuom1Fq7Cd=n7S^n=F!~bI_U;L|id&>U`S^hW4^1n@%|6Q{D?>UD5 z!%%+Ya`-|JP*szi|xz_o4j3i!~bq5-*Y+qACTq$kSzZvWcfcO%m0~U_&;|H|JP*sy(i26 z;@>>=ze1M(HM0C~gz`<7!~YIh{*TGp{}ZzOpOfYPGUV$}e?yl4JF@)WJBHtfQ2!Y6 z+RvOGA9b?)Zv<|V<$o*W?T~lLTK^td{`Vcj|AAxpKP1cliDURbCCmRgS^h5^!~bzebk-C0YJA9K-*1DBp28{O^(Ff1fP>M`ZawCd>bcWB5OH4F8v8 z`M)L0|3k=+E=T)cndkMF|8=rnuXH*5Z;|EykgWYbBFq0NS^m#Mz6|wOWcj}#%m1xo z_`eJF_aU$R+o%3l$@0G*xFpN}M#!5XZ<$pcoWyqUkt$&Lw|J#n?f5$QW?~>*J zz%l$ElI8!HEdM8t;r~38U$`9pFUj(MPnQ2jviz_7dwF}w|Egp7Uy@b6;d1!jBFq0a zS^oFP^1n}({{zSHf9M$gPs#FiNtXYckZ)ZM|Mz71U;O*0{#VHIzfP9_U9$Fnk1YR( zWcfc1`83p@k>&q_{0mRnd;s%(=@|a6Lj85f_aQ%!Kkx~gpY#s9e)tbgkB16b{#Qd@ z3wcS_`Zvh(zv&qMw;aR&Hd+4n9K-)US^f{n@_*zQ{!c^snakn-oGkyhWcj}*%jYBc z*-sY5+sx-;adAAr{~B54>n?}?4YK@ilI4GgEdRS?`QLL4|ND;N|ClWQ=VbZ63i;aQ z@PA8||A$ci=yJ6G)&DTBzx;2Lwf{S0`QInY|6$0-q5gy{|7T?RKX(lO7oq+#L74U9$Y|ljZ-wG5jBg@)MWC z|0!AiugUU%OP0@jviv_dhX0lSIBy@7uaZ$7{@2O!za-257Fqtc$@0JB82)!1!~Y>! 
z{!hvBe-ZMf%i;f;EdO_*{NCm8zxdfx|C?m({}x&PcggaXkza-25mSgzeCd>aWS^oDN z!~bC@KXN(zACu+(k}Ut%Wcj=$%m1BY_R{uh5KZx8ujA&q@EdPg&;r}SqABTJ%@&#G`uL7^h@_!TZZOHdz`F|kG|D$90U;O;V@d5uUWcgor z4F5~A{BM%wf6Foa?}qX{m&5-)S^iJS@_$a2|4Xv`Upa>V+faVza`=BB%l{);{#XBU z-X8M5Mwb6|$MC;&4FB6?`QInY|53=tE{Fe9vix6!@=KS){|#CGSN`);|EpyAUy|j2 zGvw`1zeAS)J+l1oJBI&*P=6TmX~<_}`M(IfB+LI*$k!p?lI8!7EdTe8;s3!g{6CWA zfAzn}+Y=1`Yh?LflI4HHG5l|b@*S7M|1MenkIC|XN|yg~vix5-hX3nOe&cfZzaz{4 zJz4%2zi{e*g)IN8j^TgJG5l|m<$sqf{|6x-x*YzG$?|^|%FkU6|5s%BeP{O^$q{`5mW4*7&E|7U^cWcj}c`7-2da>1VsS^jSw z!~dOQ_`fI1|Kb-<{jZSae~m2v>yF`nGn8++9R9b-@_$H{|6{WJpOWSO%rX35hVm0}THwj^Tevmj7+C{O^Ul?{fG*B+LIvC_i;M{9lme z|DIg%=RlVKmH#R)zx=O}m6v4IZ;<7Gi!A@!j^TeN)bECT81fNW{!ao=$?|^|@_ERY zWG(-SEdSSz;s3@l{NIx0|G_cZ|07xcSH6_Dr~I!vhW{m5KkSzbl zWcfdF4FBh${KDn%e?^x6YqI>`k>&rMEdLLV;s4Pw{IC7jd3(tJCRzS>Lf&;b{O^+|11AZUS8!jvg+5#^1nfr|4qm6zZL4YL*5VhfGqz< zfyZR|KMDCXnDG?bsY9R4rJ@_$K|{~NOW-;(A3&N2MoJBI(2^{M|QS^l>| z-gY_s?~>*JAe0}v9R5$p@_$X%{@;-0_ns{Ok0G!8w|V(hze<+>b+Y^~9mD@dsNW2E zH{?CC{2v4!lI8y>3HCg^|9K-*uWB7k0 ztNpM2mAwA)zd=^sbUFNQljVOel<&J7{*TD=e@WKKPSuom1Fq7Cd=n7 zS^n=F!~bI_U;Ikmp7Os!mj6w%{BM)xf0r!(dye7%Fq9v;9R5$p@_$N}{|mDGUy|kj z$}#+3JBI&zviz?6_ox2X$;wNY!~Z7vOCK+a_nP0GP`>MO_&*@a|2bLve?gZ2YqI>` zhI}9DAIS2*_^Ww+|5hm9b~*g- zk>&rCto=VD%l{=={;xy64fS_q`F|kG|D$90U;MSaetQ238Re0eA#af7e=BgCEdM(p z?}ofj*8300@_*VJhS|7&FV z-w5TKE{Fdeviu*Dwf`q%`9CMi|7FP6q5g&}|952hzjqA3525}s!{!bjk|0!Ai&&l$C;TZm}L-~!%;s2H_|11CV zssA;y{4dG!zu_4Ew?p}k%i({IEdTpt`9C7d|1nwqPaMPlsbl!RB+LITS^ghFesnq7 z|H@y_>o5Q7WW8SLa`@jO%l{!+`+r21|5LL3pND)I>aWQ1e?yl4TgUK!7wYdrUfG`d zUnR@`df<{Q{~IB1hP+MI`gh3kzv~$O_Z-9jK3V>c9K-)HS^iJS@_*(S{x3uMmCND( znk@g1Wc7b4ezwa3SkIC|XPL}_xkgr`1|F>lMe+cD|E=T)c-R1R{|827Ne}^pp`(*h) z4EdN`@Ml7n|1+}upF4*C3v$7qWyrT7-;w42A@Gqb|BL@U93N!mHFCk9I$8dgj^Tg9 zG5l|m<$uR9{O^+Gf1fP>2ae(YIFz5b9R5$q@_$X1|68(r-jn73!7==={6^kBDqkg| zJp8Yd<$p<*|1GloZfj^TfeEdLvh;eV4X|J!8w-*F88`=R{6VK6i|4Xv`Z-%@b>UYTUzekq;eaG;B5b6&@J`MSdEdLjQ zmt^_B3i&$ZTeAG$k>&s1G5kL`hW|&h{IC8_-kxCiUn9%^k}Urlj^Tehl<&A4{&&gp 
ze@vGDQ?mS@ljZ-yG5lYL@*9`K{~cNW@5%DN_`gp5uaM<`)iM09IfnmDvi$Fo<^Le$ zLzlzm&bbWcgo)yh&F57Fqsx$nwAI82W1kpHy3-&1`XKXm*`;{o|^SpGFHSpSy%w~gOAwD~rUztMOe$}e30O3PQ| z_kOAg1ZApaRF|Jon3{{7!8ihp3k1b@-^;li$W9Y1K?B>z3jAAFrH zFZrpbi{gQr^-t{gvtOUr9|04fE%fHsVYmpy49MSccs+j-{r4aRfFb>jv3C$0R~_w2mj z@=KN<$UpKn+pe~qhqkO(Uh&u-4<9LtpSJ%m*}~2o*Nv^IOZhKa{@TwJg{hnBzslb4 z(if~;#vRA6 zH?~zy^`E!$m7lfkN&Ye8OG}&gLjIJ!{^!;<4&nGo zn5Sghtm$V@{-WizovknVSB$^u%eKBQ|7OdJSLWsY9m~JLDpwpoYFu?(HExpi`YrOe zH_VUUw&O75!;p^yPsz_&{rcax^>th|UXXv>@~W-O($#;+-fu;oTmG&^QS8WCzCHPO zE&tY^EsE}|^7<<8k(CbvkI7$n7xtfh?GO34K2Q|@$d_!BKbT)nTqS?{BUb*GZJo$J zYW$|(v%dpJ{u$#3kG4GI-!y*RtL!}PxMn;czw)EDKW*oY$!|CQw%;>f96xBh4CPnk zn^yh}uX<&140-YDy!^^*fg5DKf7AHq?6rQ){(r?&cHK>W$Qqj0bZq&_Z#I7QXKY-G z{G{<4yS6@#A2J@2&n$n_=d2$_K7P!$U){zv$q#>z?f<@wQyHVZ(DJO9f6DS#+_dZR zknfp)(eg`QwqxiudHH|I_|-pU{YEkmpQ1%pzpYDFzpWqgVW>YMtKT*utKT+tjDFiZ z)L(>rNmjpLMOMFH?HK)njbro+4rKKUs+GL{>KBw`E`T-Aq+4{|7ZSOT%{eW%Y9a;U*eaH_XFD~Wv)9Y8r>W5YxqaRvxjDBdHtbS&L ztbS(GG5VP;$EjaQR=;vYR=;vWMn4k$#yMHbyKp)BjVrSHjT^H1jg{A)u5Xnre@n9b zZHBxZ>UYTUw?~%0eaGp#JJcVBd>Zl@S^IktcuCg&UWI%e@-120Z%5Yt-aAg$-Hy|B zH(A#m)vw9h^ZdG-EFVg;d}ug^5A9ICHviz8mb=@&1>$+p%I9+##@*9_@ z>u$3A*^|%xd0k##wJ%k&+LxMRv@dnXXkS`nwI4mQ+LvL-M=nSEG9jydnTPTVm!o}I zlhwW)$=d(L*XH$+|24AwFGJoWtA2|t|2t&)-*ud>yF>kc$j2d{kmdg@@SH6F7a?DU zd`;H!Z^-h0>o{F^J5JZ#Wcgow-KqZ-viz@+<$v8V{BMTxEtjYEku3j*WcfcP%l|1^ z{?8nz>+Vo~|Mz6={{vb6SE_k^Yx!4X`M-7y|2K}||CTKO4~{YJdL+yL%0qd3{>CSY;#%0WclA9%m1ch z_}>ck+ad3Vd_b1}|1V+hA3t4Nk9(gzx4TB!nG&WXi^!x~jTA#a43R0R5ivwfBvYhO zehh_)XrvfYCOf&n7^_d{%^?ge@mAC2eSM> zlI8!&82+D);eX>pOaI$s`QHn9-*WgrB+LIvm_M}~{x8V#e^1u+Kal13nJoXWA#Z$G z{ra_klPv!$vixrw!~ag$zZ>#l$VX)PKM6b~%l}!(=OJH`_4-$2`M)-X{~KfYza`86 zgE9O+lI8Q6EdMXY@W1il_4(BNCK>bLe~T>t`(*h)B+LIXS^iIq;r~3$Usw+RS7iCW zCd>aFS^n?I^8a8A|BuG-|4P=+|5mGBzx?lzm3J+N|9!IjABFj2%i;fwEdRG;UH=_f z{vXNm{~Ypb*gxI1e*N;lNtXXDWB6Z@)!z<%l|G}{`bl9e@K@9BV+hK4fAJ~ z!~X?Y{x8Y$e?yl4TeAG$8N>g*G5kN1<#*#FO8+ae^0wvhze|??gD`(+IsBiH<^P(j z>%Sq(|2XlH|1V_ue>H~x>7(lPslP$SeB|wrcgXU;7r0NB 
z|AUYZLp~;}e?pf3Q)Bo)Glu_jvix5e!~Zo|{%^_he`gH;k754Fa`=BH%l}qY`rjtY z|1Men_l)8HFw7rW4*w@)`9CGg{{>n8FUj(MWeoq<#_)enmfvTx{7)ZU`rjbS{}x&P zcf$Oxg#E7}Z+%Sp{;0_EzZ1Ai zmjAtw_d`A;YyBg#{2v>`|A{gDpOWSO!WjN9$?|_qmj4@L_`eVH50=CKBU%18?pgZZ zBFq0aS^js7;eS8OA6O3mM`ZawCd>aBS^m$-@_%6r|Ch$_e@mACN3#6Cg#2nbe*QN; zwqC#dugE%H+j98dBg_9OS=WC?mj6q#{9lKB8}{Fk<^O>!|BuG-{}lE=hrID|rT-tZ~@_$a2|I3iC!~Pqx{NIt~|K1q>AHx2} zkY7Wd+V%S6e=~54EdQ&Jw?p0~YyCa4{O=pX|A8_5ACl$Efh$?|_rmj4T5_`eSG zHaA%i({IEdTpt`9C7d|1nwqPmJOJ)ENFR z$?|nemj8#4A1#OfXR`cHpHTYWAj|)XEdPgOUH=hT{!hvBe;)E>*ndTq{~NOW-x|aJ zUD$sg@^i>9Wci=&Q@$S>Wcl9=c`M{?vew@r%m1!1{O=jV|2|p%kBs5}m@NONWcfcc zhX2bje`PuRUz6qkku3kuWchq0%l~xCt?vi;-y&;%WjXxskmY}uEdK{&`9CDf|B*5L z9~;B}Ia&U%$?|^}^1bEo|45eqmoWcoIez{(Ke1lF{O^->{Rd?EKPG?Gqw@C_{#t(j zhI}6OUy$YhiY))v#_)d=_TPs581fTY{$B!L$?`wlH@rW{%3EZuzaq>3wlVzg7{mWA zS^f`<;s1~<|HowcKQV^?^Duv5Is9Le<^P^6|Bqz(d?w5Pi!uCf+^;@An%^X2KK!r9 z^1n@%|2?w&?~~>Kz!?4yjp6^4EdQ5e`M(MI)^hm2C(Hj+n18k${-;jqf0wN5-y_Ta zAzA*9Lp}}r&&cwBL6-kZWB9)c`{O=j+#iei$oC;Xkmdg=@R=;XFCo8%yzxnOpVr?b z%m0=!{I87Rf151-d&cm;Pk!5@^ZoQ6klznv`9Cs-|I;vkW;y(ylOOb$d_V5p^Ph*v z@_$d3&quQSKN-XSYnY$zU!M>8-z5KL?z?^dd_#*Y|2t&)-zCfco-zFI8^ixGS^m$- z@_!ZbwdL@COP2qKF#l*d{J)StBwvpY&L4JYe{y;KJ7oFaC(Hj~$j4#-30eNn$nt+~ z48Ip)|7FOxA>WbZ{~_>^EdNg-KZpEEmjCGi_4$zh4P*G{`bl9 ze_#y%$6@}&a`->e;)F6$Twv9zYDx4%l|{jk0C#k<^P2&|F6dIKYi-0?+^IjAj|*C82-1( z^1n-#|2<>)KMeCnmc#!sS^h7{@_$X1|68*B-x`;s25>|2JX&)^hlNAj|*8rR5y7i0K;CCmTjr`P8b z4F6kX`QIkX|Bf;I?}zyV%i;f!EdS?Z`M)H~|20|uZ;avpKFmK@4*ySN`F|$M|MZ~J z{{~t9H;v(c%NYK5$?|_lmj9EGPc4W4bF%zjh52jC;s1^-|F2|S|McK`J@UUrmjCUL zcgfnnN0$Esviu(!!~ap(e;o38$QNY!zY4r2%l}Qtw;|t?_4*HF`F}Kq|0iSkeKlq~<}Wcj}&%m0-z{NIN8JImq!fh_-zWchy~ z>*xQKEdSF(>+=DI{|#gK-zLldK3V>cLO!+}{!hvBe-Y*{Er;2 zFoyp}vi!doe@d4B zGh_I_4D(l(!~YFg{%^_h|3H@iN3#4s8N>gxG5l|QcIkhcEdP5U?^_Q4hh+Ib3G=6x z!~X?Y{_n}U{s*%BK9lADHRO%Ysb9bLZ<6JIMV9|lMe=vssN3wiAljZ-#82&dNUY}3RZ;~+|{`k>&rMEdLM2@c(EG|F2~I{BPyI`^MjY%l{5p zdDn9I-zUreQJ6or9RAP9@_$R#_1}@@|B)>J&mq5t{qevYyngxLB+LJnG5oK{>Tid< 
zAMycN{*MBW$?|^^@@dHDWc4q|@_%Uz|5wKFe@&MEJ7f62C(Gv}S^l4l;r}(vPmie2 zr~Ge_<$sqf|NCV5KP1clkum(AhWRtg;s1gx|CeO>zah*2Em{8WjN$*@82+Eh^1JcK z(*KIAylpxB?~>*JAj}_H4*w@)`M)OX`ftece@~YG$B>`H{ui?RPoGz>NB%dA;eV5? z{#MAlA@7mp{~+*?EdNI#ABTKOR{xAF|L4Z=e_;&&mt^_BF^2zJvi#qZ<^RDL{-4AA zi{<$FeTFDTz16OaEJB`QIkX|Bf;I?}zyV%i;fsEdTLb zN%$!LXJq+5C(D04cM|i#@PBCx|F>lMe(4)p$JOUc{WB5NchW|^leBF}e{~_c@%i;f- zEdSG&mi{-$^1mX>{~=k|e?*r5Q?mS@hkP0KUy+g`|f7clP_l)6xpDh1J#_)ekmj6?-{GS=a|7DoJvK;=e$@2e5 zmj7q6e7=(9e|r3_?+5tbB5QtSIsEUC<$sqf{|99GKP1clkum%q8^ixOS^lrd@_!fd zz2)%#NS6PXF#l>fe*QPVyk5Wj?~`@?2W0s_Cd>b6$me1I1zG;D$nt+}4F5M_|82;R zAwQAj|0VF1EdSG2g!czod5f&|S7iC$HirKlWBA`C%m0Bf{2!9#|ClWQC&uu99_BAB zhyP2m{NI!1|B)=8&t&<3F^2z*C)DRh^P6PMhyN8>{s?Ue~Z<6JIi!A>;WclAE%m1D+{O=pX z|1nwq&&l$C74o&^@PA8||A#RDXgU19koEJw{gvhQ?~vtxpDh1}As>hRCuI3QBg_A} zG5lYI{g)x%hI~hs|A)Xwviv`V{2cNtIca=VeLm!W!x;WIjp2WbEdM*k@V`rz|9!Ij z9~i^`ahN}`9R5$q@_$X1|68*B-;?G4!5IFZ!~Bco`1zlnT%Qm5-yqBXiY))zWclAQ zhW}k-_&+4e|0!AiFG9Yw9R9D#@_!fR?=6S_C$ju+eRb)7MV9|vvi$Fdd>Hm0k>&q{ zEdQs*@P8KepND)M@(o%3?*i}1^8XO>W5~~B>3<>1|En?lPfxk^{Q>_QWcgni!~Zr} z{&&gpzh?~phhhH6a`-`|4GNPhVTFNB+0S^1mJO zE?N8c$nt+cmj6Rz_&*B!k3&8W`GPF}SAo}L`M(MIHspJcO&T{yFAj|(FS^i(h z`uTq)%m4KB`h0-lf5RC5x5@IqPnQ3qkdG~g|5LL3UxfKf%i;fqEdS4BUH=PN{x`n9 ze*N;lMONM>YyS>e{`bi8zi$lx2VwtV$fqHnk>&p)@RBV5S0P`Ad`s5r-;rPT=zP7h z-+N>De=vssN3#6C7~|*vl`Q`oF*{BIh=|2A3kJC?)$E?NGM$?|_nmj83I{9hQu z|8lMe=vssN3wiAljZ-#82&fDsXm{Y z-y~x`{BM!vf1fP>hh+IbCd>bcG5nv0`3uY8|B5XC*JSy>Bg_9iS^gi4;s4PX{$I)Z z`QQ5Hdj0ahLss6k9RByo@_!WOk1dD)GqU{Ol6C!eWchz2%l~u8uVMf6E%ob{|4p*| zZyCe?imd*2$onB5kmdg<@R%(BCn2APd`?#Xf-L`+#_)e-4FA_;`M)!U|9i50K9c4C z$r%1$!+d;!Fzz3d{|&PI?~>(zpDh1}WcfcbhX2zre`Y!SUy$Yhk}Ur>Wcj}(%m1A* z{NEeH|1(*BH@>y>zalGdTMqxbWcfb`^M{th{|Q_bIez|M$@0Jb?E3u5|1Men_sQ~qU=07qVgAH&_&+1d|2bLyugLO$ zO_u)~WB9){hW|&h{JxU)^S}9=dVR`UWaRL_O_u+?Fu!j({2!6!|B|fhzaq>3Em{8W zLw*eVpUCq6LYDtmWB8xGyCGNW3u`uWcfcehW|5T z_&+Dh|CKTPUz6qkmMs5w#_<0b=ASHw|7WuNZ+%DUf151-yJY#_Glu`eFn?q@{GX8J 
z|CB8M7i9UrB+LJmG5lW}!~Z>5exJ$mKYeHEe}gRlTV(m)3G=&_!~X$U{?Ey}{tL4F zUz6qkHst%T|A8$3Ph|OjHiqAqu>UpWty%g0sL1la6Szy3|Gkj+Lp~%YjuBb@kB#B~ z#2Efh$?|_;4F8v8`M)O1|BW&H--r1J%i;f#EdLwNE&Xqi<$s$j|2xL;zaQogEQkLi zviu*D<^PN<|L0`+zc7aXOJn%ICCmRKS^i%_ezhDw{~O;`uV4OGWF4<bsG5nvC<^Pf_|5wKFe;elSEQkMlvi!f2_2-|)^Xl^@|664FUm3&y zZkXS*9R3f;@_$H{{}ZzOpOWSO%ozU9jp6^AEMNCz`F{%e*>d=QCCmTj_tfjx@mgf$ z@V`Tr|6{VQ|AZ|6=VbZ64EZ|jzah*29a;YGjp6?x?0*dTHRS1g>-EY1X5bcC{#PMy zhrCPH`g>&g-#3Q;17r9WDNhu#_)emmj7$A{NIIqZ#n!w zlI8y;%)eTWpa0G8uh%dC`($1J0r_tqnV+wHO=(P)|I?7q!~P4h{9lpf|JoS-Z^HiD zkRL;SBFq0v;44}Frx%9z2U&TGto2u9`QJ8%{~cra-zCfcfie6alI8!HEdM9Q@P8iW zFD!@uOS1gmljZ-BET7M0`F}Bn|BV;b=STCKWXy;E6asAwQ7i|0(d9{FF!M|Ni-Z=YPKr`8DK?AFR)Z z*54${|CTZQuZ-b;n=Jo(#_+#Smj6St{2v*^|7n;%vmE}<$?|_omj8RQd_I!p|H&Bs zU&H*gsLzM|Z<6JIi!A>;WclAE%m1D+{O=pX|1nwq&&l$C74o&^@PA8||A#RDXgU19 zkoEJw{X^yT?~vtxpDh1}As>hRCuI3QBg_A}G5lYI{g)x%hI~hs|A)Xwviv`V{2cNt zS^lRVuFr@3Zy3Y>rZN0)k^kW_DcvFa-Z6&%U9$Y|ljZ-w82*pL{E6l8e@d4BYqI>` zlI8!NEdLM2@c$gS^igK`QIkX|Bf;I?;6AZAzA)U$?|^@@}=eQ ze@&MEyD)!mIs8A7<$vo(O8+ae{O^+Ge?R2Iu>XiG|0iVmKQ)H`v#|d>Htx5@IqOP2pVWB5M|^GBA$|1nwq zFUj(MO_u*#vi#o}!~bKLf3h6@U&!+RN|yi4m)7S){3@?f|J!8w-wk;`>^~sO{}EaKkB#B~Bh;s3!H{vXNm|6+`v|5vj7Z@j!d zpYp$H4FB6?&F@$a|GQ-QKPJonDOvu{$?|_;4FA_*{>F0nzaz{4Jz4&r$nyV8mj4%H z_;LqtGq?l z{uNpNcgXU;YYhK;|4!Jy8}ebuM`Zaw2|Ojs|5?cAAzza9`d4K6zcz;d8)Nvt zCCmSVG5kN0<@1>=|1ZYyzwyfYd}@A^jQQ}tMV9}4viu*C<^Py0|0l-qe;(#9EQkLq zvix6@<^PT>|Mz71e=vssM`QSZCF|#Z>u2lr%l{5pdDn9I-zUreQJ6or9RAP9@_$R# z_1}@@|B)>J&mq5t{nO9YuV4N*$@0Ht4F4;#`r9GzhkQVm|D(WTvizTfd>ZmOS^W#L z{9hWw|CKTPUz6qk&KUmh$@2L~mj5SX_WDNhO zVgAf=_`e{_|0P-eZ^-h0OP2pTWB9)}hW}@>{BEpE|0}Zcw&n1@OP2qGFn?${{GX8J z|C+4pzah*2Jz4%ALw*kXU&!)5{d~P1`QI>x|4p*`TOsd;yhoP*gTO z2gdM!9Oh3fhyOFO{GXHM|B5XC*JSy>F^2zJWB7k0%kL{$KmVJ*P_IvUi;Nupx5@Iq z7v}dZhyNq8{9lrF{a0l9za`86eaMet{}WmMU&!+RY7GC=FV^c*e}jzq$lD?BkmY|b zaGxyy2O%GZd`wpVge?E3#_)e;4FBh3`M)xT|7)`R-;(A3&KUk5!~B!w@c&Gf|E<@Q z{gzG5p_?<@cE^|I;s({x`_- zzeSe+oiM*^Is6}x<^P%Sn&|20|uZ$rKh`ya^i|3rS{qw?Q}XP?i;@cR<>zlOZ^ 
z%jNr{B7erC^ZgYM$p8KjxJ#D*y^!}qJ|t`XBeMJ-8^iyJG5nvB<^RGM{x8Y$e@&ME z8)Nvt5AzR}!~Y{${x>$I|1GloZ|6{WJpONMNoGkwr#_)e> z4F9)e`F|wK|4YcPmgDDt<5%kS%m0e3&r8 ztm{7_%l|1^{?9|c4EwLh@_$2?|661DzYF{CLw*kVg)INmwtPP{$nw7#@>a;(WUaqL zmj7L2_}?>z|9!Ij9~r~{FpOrzb4E7BU%2R$@2M1mjCJXx4s|X ze~Ya7mF4iiLze$tviu*A<^PZ@|3}8~e{2l@=VbZ6Cd>a_$oH1R|07xcU&8#W<@ovE z{Ed43^1n~k^&gPs|ClWQry-w*{TF2Uzaq>3wK4qPg#EW6KZg87mj9Q)SF-$1zZu>i zWaTZg)?bn3f7=-TcZ}hGmn{DW#_)egmj7e2{GS-Z|9P0dupIs`$?|_smj6exd_I%q z|HT;oH{MX6AI)!)F(3X{WclAF%l{r({`bl9e_#y%hsN-KN|ygivi#qKd}}%U-;?G4 zDa=1x4*%0{mHv0hy8b<~{2!9#|2X8+u>XuK{}*KWzchybtFZq%^~vP{~1~S&yC^#BJ95m`8MP`viv^; zK9c4CDdgvnU&%@1P4)SZ{|#gK-!z8*EwcRY7{mWAS^oFQ@_%3q|Hone#B%sQCCmRc zS^jUy@_$d3{|96Ee-866mgDDtdUJg~a_n7_9i{-4P5zx6w%{}oyOcgga^}|p zGUO|={NDuLlI8y{DB56SX>PL}^mvix6@<^RSQ{_n&5gXQr5M3(<&viwi`(*Fio{x^-`f6EyDcgga9 zNS6PTkWVd#|8uhZUxoQ=%i;fyEdQ@$UH|k4^?Kxgi!A@!A@7p4e~&Ex2W0s_G=~49 zu>UyZ^N=sd@_!Y0O_u+gkZ(i2C+qbe$nyVa4F6BY@c&Gf|LLuz{|&PIZ;|DHWeoqj zVSdkY_}?eX|0!Ai&&l$CNtXXBWB9)f^LLiR{{vb6AIb9nLe|g!D_Q=hx7FtZ4F4O( z@V`x#|9!IjABB8uIsBiJ<^LkgUs?|TH)Q#LChPiN$nwAOhxO~1|1GleHd*_3$nw8O zmj8WY_&*5y4?{i;`HU?87lD^#`M(PJI^+i`QJ2#|8277cPxkhU9$WiljZ-EEdS?Z`M)rR|LZV+V>$fak>&rMEdNhr`F|$M z|BEsFzZ%2;)*sd9L;iQk@_!KWq2=&@OqTz%Fn?}2{9lpf|B$?|^@@@2@^WWD|kS^jU0;s4GU{_n~1 z|6~mR&t&<0CCmSGxb^)2|663uuPlfEZL<6ylI8!HEdQru`9Cv;|I09cWjXxckmdiD zEdLK=`F|wK|C2HNKO4jU#-Eh_x5@Iq7xKR4@P9~_|C2C(YB~I0kmdiLtm}Uu%kMK; z{$E4h_|y9JYyT!${#RuA-!_K-ov?p5zx;2K<$uc<{#Ru6w?p0!`G73{M}fy=`9BHyG~{!# z`WIyRzchybD`WV-Cd>bwG5p_?<@1p&|4+v7{~G3}zo^fr{BMxuf0r!(`(*h)B+LJi zG5nu~`7_Jm|AH+4mt^_BAg;s4$k{-4S6yYZK${}owz+j98dCCmRom_M`} z{!hsAe@)i)-;m}1o-F^5AwP%xFJ$?jj`e!vf5RC5H_7U6g}fW`9$Eem0uRaZe-!d@ z$fsoW&&cwBZVdky#_)ehmj4@L_`fB~|2SFE3*7wljZ-$82)dK;s22=zprHd{BQnMy*}kFGIIFe zCd>a`nBTV?{*TD=e@WK$UyHtugUU%OP2pTWB7jz^G}w;|1(+s zx87Cy-zLldE?NHfjN$(<%pX|}|0iVmKPAim1zG+t$?|_?4FA{0@PAL1-)FM?Pk&ST z-yqBX7Fqsx!u+n~@P9y-|8ugg|AH+4*JSy>4f#Ioe;~{M6IuSBjp6qt?0*e;>u<~V zM@5$ZoxokP{O^UlAMznt>mQNj|JWG*PmJOJlq~-j#_)ehmj7$A{NEVE|9zN$upIs$ 
z$@0JP?$ZAjS^l@l^1ovY|NCM7z;gIMBFq0VS^m$+@_$a2{|jUIzchybTeAE=lI8y; zTFEQkLCviu*C<^O~%|EFa6KQo5^b7T0w zCd=17S^l3wezqL`U&->n`SpvmO|2bLyFGIc#`)|nde@B-8 zdt>;22>TyHehqp0FZKH5e=~54EdQ&Jw?p0~YyCa4{O=pX|A8_5ACl$Efh$?|_r zmj4T5_`eSGHaA%i({IEdTpt`9C7d|1nwq zPmJOJ)ENFR$?|nemj8#4A1#OfXR`cH|4{nhAj|)XEdPgOUH=hT{!hvBe;)E>*ndTq z{~NOW-x|aJUD$sg@^i>9Wci=|v3x%?$nw7#@>a;(WUaqLmj7L2_}?>z|9!Ij9~r~{ zFpOrzb4E7BU%2R$@2M1mjCH|>-z!zx5%1bSq}d@WclAE%l`pc z{twCWe`E~*$Hwq~PL}^`vi#qLd~Z4YKa%DDCCtBCj-UU{f2!9n|NCTJ{{dP4kIC|X z8uEGAe?gZ2E3*7w8^ixi*nb=HW5`cr`F{y~CCmTxU&H%@th`0m`YW>hZyUq^jxqf2 zlI8!v82%5*@_$U0{}W^QKM(U4mc#!gS^n?I^8ZMd&u6myzZk>+#{25?qxnrT=EMJr zEdSeN`QIbU|2|p%4~*ge&=~$t$?|_mmj9cOZ!L%ad$RmLh52X8;eYz)(*G`5*S|-W z|3k9;ABTJz_MegE|AH+4m&Wja74~0;d>`@yS^l2_pULw367p-v8~?37A6kEtEdN`^ z@V_#K|827T?-|4YK3V<`$?|_>4F9KL{>*atKPSuoEm{8W$@2L~mj5SX_&p(@R2P4Pa!{t{7RPp=~AB$ z`QI>x|4n1~-y+NZjxqf2lI4G&EdK|_@P8cUPb`Q3Q?mSDljZ-GEdTdp`F}8m|K~9O zVmW^Pr+=-_hx~7l<$pz%|827T?-;}Xt}*-{lI8!DEdLiFUs?|T*JSy>3-kAu!~Y}s z%LXakahUJtHNI`;^xy0C!k>FSIbUD0{HVzCuVeE+D9;~;`6Kf4bKj%J`R@;nZ_2zP zzcc4|_{RL_Tk=0;{)B11-^TbZnU7)q$?}_Wejz{j3sSnvEdT!gZ}oa~{3aRsO*yZ~ z-rcu5`1pF&=e|0nsF`TKImH(;kc8Xu6-i!x8iqs+gZ`R_iX&X<|-pW=ru2ixee&b`bw0@a^ZEEXKV!1?KV^P(&NaWf zT}r=f^VgZNzh3{5to?h9^7zxt*#AM_2Dr{?-SV{WG%qmzll) zklFh?S$;pCi_G4i?o{?4GJAizbJ;&8tAC!^`*)eWzxt4}f0o(%FJztH-CfH53t9Q_ zL+f1q)6Cw#$?W~j4=ej8nZ5r+*6}wVUiP2J%KNRdf1KI-SDC#(-L>o=W%m99S;t@9 zt?WOLm3Kd)>>p|cn_3>r@AhY*x$m(yl%l;Wz#~<9g?4Oa9pULWPd_vjZ z%k2Ftviej0eb@b;kahgtEoJ|Nto%q;|24Cp|4#mW+WQw|^-e4fmHi{K z@;zDo=gi)Z-{-x5MppkRv-b}^sqC-rU-l2k>fe&pf6VOt%}*}-CuH>>GJAjT0cC&l zfn|S>to}7w{rk+`k3a1A`bT8-?=pLT=Tpo6)GhlvWc4q}>fdJe{!3=>AADNP>fdDc z{_4}q{!3>6{jYjZ&FY_%)xXZ{{in>{-+OS`zsl_W&4-lzr_A2pd}!G}C98j#+4~Qf zy}y(HoCwzX7n!|3^~(N3X75j*S@w^~>Yr!!{#|D8uRg2npJn#`3t8uP_pq}6LRLQf z>^fKfG_&__GJAjXbISfnX74|db^Oi4%l;EtdH-|E{&8mSUuE|G)Gzx-nZ5r&*6~-5 zDEkj&<=sb?{lm=OzsT(U7qYJZ;PcA<9a+a;JgV&9k(IYUzwGa4_WoIB?>~{%-^+iF z_w{ecI{xf2W&eh(yfrBMyP3UzlG*zYWc7ExpzL3fb^OU=%l;KvdE*Pq{&r^XA7%Fb 
z9a;U=7nS`BvW`D`T-m=ME5DNEf9s3O{y}E%-;mYc{F1VNM%M8M!?J%yR(>X{zwxDI ze=oE5ugL08Usm={$U1)S@n!#nto%q;|24Cp|IU|}{R^`CFPYuH(O1;0<9D7=_K(QQ z_hj{-Gkbsa#Ik=zR{trp_YX#8fAyrYe?V6MmaP6`X76u)W!XO=tN)PM`+Hwi_BWqg z_V>u@Uz63p&+Pr_tIPfoS^c}r-rspj*`L0q?C+4(za*=Fo7wv>nccs^xMuZlGJAjZ z)UyAQ*?<45o>sH^=VbM-GkgCjv-kJDw(MVJ_WtJAmHns8-rszB**_(#f0^0)51GBc z^Yvx_BD43WXO#Vi%-)|SW&fD0{&{Ba-(~jx>Kn@bS!VCQkad1{&n){dWaYzW)w%ko znZ19L+54N{SoTjcd;f{7<8QvH>_3r}_rJO9A7}RdRc7x`-%|FEGJF4ltmChyW&eS! zy!)+X|1h)nFEV@og)ILE-&XeT$U6Sw*=7HZti1i4vcI3%`)8TG|3p@Q@7v4%4Oz#Z zeMi~9AuDfvXW8G)?ERC>-hUvgzcVZQS7aT3^4zk2MONPUuCl+K+51PCy?;kmfA!sE z|AMUJkDgcdFUZQTWclCvp0aMnXLZCyzK8~_Wl)F z{ptJ4{s~#f@4cYxpOBRw$?Csm_VeHQ{<42TR{tflzyC%rtXaqJyr}FSk(KYs>OW`p z{^|$H{ux>Qr_A0z_`$NjT9o|*vikAe>iGGreteg@_cwp2?8kSX<9etc-%alQy&o?7 zn=dZ=dt~+FyRE$+-(~In=|{?beD}2XizgGSMNV%_I`Z#s`ul&QN6$U<7NLTv-dZD zqU^_aYkEJvOVj%gnZ3XBlVv}?o6`H!%gg>lX75iwRrce%4ZR=VW$698%-&zE%Klkq z@4t|Bes`}Z`!8hW_-;Ax$9Ktj|0c8dH-Dz=pJev_6IsXKyt3>+k(J}Sy}Tda<>mdW z%-)}VuIwLW_WlD|$6vjw>_3o|-|6Y`LcgU*6|mwF8g<6 z<@jzJ@5gu9c>gT3_v5=~yubI0W&eh(7rejv)v|v<*6~NLE&CT_<#@Kf_v2am-ap9f z{do4h_cwpN?4OZ!{K4zW{ux<0o^9^^c$T^M_cD7wo;~jUXL&xZ8=&hM7}=`Ce{hpc`)ThROQEJ5$TWJaIKb}qH{psyx{~@#Yr#~wD@oXdS$Fq#Qf0x<&t3NLL@oXUPzmRo)cZah7LRLQf zld^xB+50z{y}$XVW&b3z_n*i*{^lKJ|B0*|&-U>3<5?cwzsl_W>CemlQD*Nykahgk zUzGg^vT{6I!Ta$n1@B*E_I^D30Ic`_;8^zW$U6Swon`-ytQ?Ejz4=>*}owx$7hSZAD<=m{z+!<$7g@Nzw@_c|B9^RPu^YjugJ<9r?S7D z+51PCy?;m6`LF)2>|c;|{Ly>L{smb%K3nJO$7kuhe~{Vx@!2@&3*~mHqhahxg;N z8UFqo{nwgx{LcHz{t;O@?(O$}+{^F%)jya0xcA=sac{i$5B^)(U%kKVACT3Ld#k-4 z_fmU*^Iyt--23ePxHsARdzZ4m`LAVvkF0*&yXwcoy{0&x^6_Kq`z-U1?Hl(!>ORZn zZOZ#Bdzt+{%Twn2<$ZLY<%Rs=Uzj)M(a9a2=i5YYuyWm3srxJkH6lOrC#swgUZ*tBkT1ZGkbsYKb8Fxvic91y}x(IvS0UAs=xoiW&eh({(WZe$4$k4 z{zqi>?=pLT=T2q6?yFRP=gwvSlC1u1X79gb_Wr?#)U5tZX78`=QugbR)H}{!?b}?|oR=zsl_W%?~g8bzi0Wo2{~cN>=|ev-ck|dw=JyW&a|x_ous+{kpGG z{plmh{xMno^UU7A%k2Ht-OK)2X79g{^?uTQmFmBIWZ6HwN6qS=X7>I~X76u)RM|ht z?ENRQ`Zra5eD$Bm%KIN(_K!1r|0=Whr;jQ7N146XiM1%-+8ttH1e4W&ez<Z+vpu-^=X%E3*32 
z1IqphS^c`NQvH($mi|c=8f646cztN}GtbW~Bss2&7?BA2sf6nav z)u)yHGqU1Ds}t5pBsL1q7zto~zW?{7Z1?4OX;f5`0py@!6iVB z%-)|KQTFS;O7*8lmi=S0`sbOwf0x<&tIsR@XPLeKLe~3F_f@L@@~EI?X79g{<^SM|%KjZ${kpGG{kzAN{p~L<`}>)_f0o(%Ph|D?zNGBmkkzmI zD%HOkmi?_SE&IEfy?>I~`wwLGcfPFbUy;?X`zqDHdVJa6`0}#9o!R?GnZ18UR)6&s zW&eV#e%)88{>2l@{wrDjx1Lz`4>EiIhOGYPsO+DS)vx<1)jxYu*?%Uhzwwo2e=oE5 zugL08Usd)`$m-X9mFk~7x$HlZ)qlOW`p{%TzI&&cXOW%mBTQ_FtcSE>HN)5`uWS^dY%-rxM%vVTHW{~@#Y_r9*|*L{`h z?>)WjUz63p&+Pr_>&yNTS^c}r-rspf*{}O5)!&(v{Y$d?x0${FlG*(md_&FZ-(>dw z>X~J~?yFRP^{ldgPFDXqv-h7edw=g6%l=hn?{9un*{}O5)!+Q)vVTfe|1z`pA2NG? z=UdADMP~0$)3RUpRjNOIYuP_0tAC!^`*)eWzxuYaf0o(%FJ!&{bYG?VFV8OfhtH{5 z{nO0ezscciF!qt6%q3s(<&qvcLU3Wq&`j_s=qW|B0;r-uIUM z8?yR!U#0pt&oBF1^RmC2+50D%z5hT~f9Lzk{uNpMy023Gs~430jqfk}+nK$8l-c`t zWc61sEc+K^_3OS$^)Fsj_Fu{Jzx4xU{~)vXZ^-Iz{$SZZBdcHcRjPlsDErT3^*4T~ z?C)jv{uNpM>4(ey30eKRuTuS!7nl7OW-m{@#z5 z{kpGG{k@+k``2Xk?=yRU`pL3?L{|SUv-fviUiRz0O7(Yss_b8q)xXW`{g=${-(Xd< z`Zt-qzj{U4ulp+1U;T91KPRhyo!R?OnZ3XFGiCoOv-dY&S@!F`O7%B?w(Osh)xXT_ z{fErn-}$++f05by)2qsU-B+ppv@ZL{WcAN8d;c!8_g6n(_RlhV|AnmgpYE$v|K-(X z|L_-TR{u1!_ir+LfAbg1{z+!E>V{q4-& zKg#U=JF@z#-z@tVWcBO5O7$<^Q1)NR^1t<4W&a?v_ixDRZ~k`KKO?JO_f@KY_QtaR zOjdtmSN8WZd;f~8{`97@AK#gd_k;R%U#0pdZ!Y_fWc6P&`}yzuPT9X8s~_K)?e9N) zXSMh1zDo6v-ct7O$?896_WtVk%KjNy{rJve@5grrd%y0hRR3UK_HW7RKW6s+<{y;( z6SDg8ow44J?`-vc-B+pp-rLIlHCg@p%-)~=uc@8`dVh5&`*mNX`l~-F`{!i!uQPl9DYN(Y{Yr!!{#|D8ua0Fu zzO%{u@tsLvz5jJzrTQ=LEc=IlRkQl1nZ19L+54M+UH0QUbG#qlS>ye>uTuS|ca{D9 zzbX62nZ19N+56Mqmi_q767R=%hIqg3t5pBt-DQ9GRQ3-ud;cP{_g~2JAKw|_{rJuX z@7H~m>fgPm>~H^l+27CX{j<#8ebzi0WH}5U`TmMk@cQbqcB(wJ) z$m+*4)4dHhx$JNJQ`z6n?ERz6-oGQOAJ44zempbU`*mNX`WNpj`>$mA z-}>jWe~{VxH)QqWnZe$VXZCu(?yFS)?EPi`nXLZCzm)yG%-+8us~^v7^?p1v)%$f{ zrTQoTTJ~QvE7de|SCfF#idBo$IjurFlM%b8qgi z3Pdhtw1A7A zPQEpz2k`aa8IC@Fir0O07vGxF$MbdKnTtODgs*e);l4GcujKi`GZKBg=*D@uDb4QY zTT}X3dWdHl`gqF?&u&VSkMyni`KI#i9_99b;p-e#<@PPF3!WM15?#%O??(bVu`c9rVJX6lc=X1T62l&>MeudW;&w%ssfn4wD zQ+;bn|AW1FW}A;L*L(PM-;u%~%9>dS%D1NUI-X}d1IY)T5smlt=_$T7e|IL=i)R-3xHH## 
zc&cwr=?{3G@r)rKL#}uCb-p#FKjL}DGl6{kGS|C#hHp*j?mP~j;p5}k>|H(6x2E(A zUSB+O$Hz~zckxZWHKliPy?92BkKf>WXH(yr(s%Rv;+ZzZ;CY@ryV#n(nb#N3pz-k_ zu6OhuzBQ#auP>e%wz32JXl!ja{p2_0lphp_js^sOoV8m}*&vEgIP>%04L z-fC;p16c@8XrdHKott zdhv`1AFt>2oxRGprqtzn@k|FF|AVh{@@n6j($lzJJcGf<%XwW!uko!Zy@ux*&rI;~ z7refMjc-lqPFydZaZn7dxA)p&Yrs!6v zx2E(VJPtnd@8hZLZRWo-_VE;+H+)9l$AZ1-jlMOdcW}MpcCgZ%ygxyuSF%x{rHvy@%iTt@-yyUSE91+{b%)eRps5ttq{S*B74&_i-1l zck_1Nn$lyqUVMhz$1Pm%>fl@R*A($Q<1^Pjp2_tt-r-yG*L1KKpON)Uy+Z%yfMxL$mQ*2mp=o~yHOO{wB}!)IQ7Jc8%B`99y8KYz&U zi_fU~coNr}-tSvedN9|E&y@Oj6|XP8hsDR+cs|p=`PTZ^H>DekD}vv@ao%pe@%{x4j-Ev>$*9$!}eS9B>a8C zBRTo*{O1dAT(6rGK4a?R0eQWc{}gWgX#Vs4H_r3TX&2_-lj}N#?QhM;$8nw?j`N*2 z=G~ko;ncnJ#&y3rb;Egn8+*4mdTxECAHiOH#?!~`cpmU~OFn+|h7UIElcEdhY03Q)==2<1?2&9;xeo zC*PXVpYiqJGm<`@Lw^q8?=k*^p5QZ$KHkXlwhMoc@v%HV_za?td-D8j!rx;&jqAl{ z27UbLjrHH0R^jh4euCE*pYikYmpq?~%D3h}XL7yxOrDQBbG@^B`qq>dTrWOD=i|lf zo!rZ}=IhAg;4^PNn(Q6j+qdS|!}EsEsQGvmukQeFG#lT|>x<8n`S>wj-`@RvYf7KX z^M=oW`S?S=&d&XPYf9hD^M=oC`S@V2w|by&P3Z@CeeoG9AJ5_SZFYTY_KnvUpNaBu zAFek&$hW5S!CWss!{p;0T<<0PJ;v*Kp7EI@A79G#o_fAD|31s>i_Zx8_z7N@!^3=Q zN*}@X;xj$P;CgotFSe#9alQBqj*s_py_-k)*8KY>*Ne~0_`r7?;pg+}QNA@l2Y}ZX zpK^J;Ar;=Nxdo_zZ-Pck*?1p5$Be z`-SVpXBK=sfa|TE>|67n6L_BS83P}G&)3=f8sD1I8+o4bnE)SWzRvVC-048JIL{mIY4`DRUf*WyFT8<^;R$T ztttH+kAr(`ef%-k+kB~S&EE~j>x+A0ecXn<>1Dn(rI+!2fqPheJc{S}^5ecW|Ghfb zi+fIeyq?$h^m5;t(!aA8_lWu!bG?UG_}2XQv|KOl>GbhutWp zx2E)1o;TbR=Hq|yb*8;<&3{kD_2M2bA5Y_YFK_j&`8x}FeR0o~kGpccr?>mo{P(mx z&$vg*#|Lq}hl6iT=_S0rxTnd-=W@Nfclg$n-p=cbdyss*fa~4-g>TL8NA}{LAs_GO zby>aBx2E(Et{32cgP`*7#{_naDY?pNgv zclv+ta>%cn6MpZ;_FIp0L#MnArycY4uMt&dj3?#^cgnptPHSfU6PFwF^~cXDGX{Q4 zVS5G0qgDR{A5qM&^TwiYY}xX4e({at-#Do^w(I!+kqO7qA7`o?Y5vaE8{2Q3q#Ijq zXpn!^W{&kdCI4TAU*v&*d`>RqTx+-rn$}&YzYy z;(K5*kbiCdzu2$WjU30H;}?10A9y`GW4xXe`o@7bfzRRfOv3A__yTY~pOKH>HOBe* zY-7CsfiYgsmm6cfW8<&Stp8pH^RS*5G6!S5OJkhRR|eLfQ!yX;8$!Mhd?I5#PtWsj z$^XOvXG{+Ug+2C)Z&*i#0v2ZPwtc4(+27{tTioLj&v?ZGhXqIPyGBL{JH1jt)ySR z|8ay9{Iura)A9WG<+#K(ZgG!CJmVGb_{5(~^i%VF@ig&I`Hmx;;LrSA&ZqhrFL8}q 
z+~X0?c*Q$D@$;v~r{8{h*Ld;ypDLey#}Q8OXa2wYseZ;wT;mq^c*HYa@s3Y?`~1&m z&%IA;Rz4lizT*fd_H=eWc* zZgG!CJmVGb_{1N7srS-+U*J2AaDpE=$4_gJJ{`~3yT&c<@rY-<;vJv(_W54|KhNiB zZ~0Hp?=%1J_}qLW#uNO&IWBRHTioLj&v?ZNFwYbt;GGgMcJD(T$ zjw77l2hMScYuw@NELo-;HN#uo{m>OzJ1=uw;Y$a z#x3sgh-bXw9iRC2<)3Ezx%s}pcO2maKX8tpUuX7weQL&A+~X0?c*Q$D@$DopZDB*|LQN#C&JIK zQ-41H!FY~KT;mq^c*HYa@s3Y?i(c+~fuHwMf9{JIPw>;8tWU@D`8h6eja%H~5zlzV zJ3jI4YrH()r#)kzj_3K`afB26z&S2)ja%H~5zlzVJ3jIA`j5}OFTN)I_<5a$=kpWB zpZ3&!I-bXKT;dwHxW^-&@rrkR;@j7HdA=|39Y^?S58$Wcx%Yu{T;dwHxW^-&@rrkR z;-@`|KRy2!_>Lo-;0MleiEG^A9*=m&E8g*mZ(o~!{Jc)c^Zgq!{GhXqIPkj4tUha8; z?>NE{&YO|MmWI_oZ}MLxWzpl@r+lz;}hThyO;Z3;5&|Rf}i$y ze>$G8SB^_u;}-XL#4}#;j!*o&PSf*zUwqw{=l`@v{nPP09^nK(?P34v^K)F{8n?K| zBcAb!cYNaK7w|s!z4&@B&;O1ioZtt}afxf(;vSE9#w*_OiEm&3<=z+gjw77l2hMSc zYuw@-6J0j&On>IL9Tfaf^FA;u)`a$0xphWBTzOM>xR`oZ}MLxWzpl@r+lz;}hS$ z3H|tvBb?v|&T)xr+~OXOc*ZN<@riHWlzx225l-*}=eWc*ZgG!CJmVGb_{6uAetgFf zPVfWgxWqMXagRql;}!4t#J6uoKfdD#C-{MLT;dwHxW^-&@rrkR;^&3WU-|eleBQ^m z7vKEl>v6{sPVfWgxWqMXagRql;}!4t#J6wpa_w&u@rrkR z;^zhXp8vfUkC(5<9Y;9951iu?*SN(!9`TGxR`oZ}MLxWzpl z@r+lz;}hTBpda6HgcJP0IWBRHTioLj&v?ZNEBb?v|&T)xr+~OXOc*ZN<@riHWoql}B z5l-*}=eWc*ZgG!CJmVGb_{6vGK|j9Z2tV&r_565$FrMQQ*SN(!9`TGxR`oZ}MLxWzpl@r+lz;}bvc|Ni{=eepeS zpB&G=ZqGJM|0w-?{{NE&C+KfVN?egFRIL9Tfaf^FA;u)`a$0xr1(3g8(;5&|Rf*&}?C9ZLcdpzP9uXx8NzLoUjJC1OI zA2`P)u5pWdJmMLzc*iHc{V@9R9Y;9951iu?*SN(!9`TG9N`2%aE?n{;}-XL#4}#;j!%61pXtYU9N`2%aE?n{;}-XL#4}#; zj!%61k@Vv`j&On>IL9Tfaf^FA;u)`a$0vT?==rl>|5Yzvk5BJs{Pg@##CU=~y`S;Z z`8neyu5pWdJmMLzc*iHc{iv6FU*J2AaDpE=$0e?Di+eoc8LxQ9C%*k?`tcn{IKdB` z;}X}n#XTPJj90wl6W@Le{rHX}oZtt}afxf(;vSE9#w*_OiElraetgFfPVfWgxWqMX zagRql;}!4t#J3+uKfdD#C-{MLT;dwHxW^-&@rrkR;@gj>AK!6=6a2tAE^&=p+~X0? 
zc*Q$D@$DzjkMB6b34Y)lm$=3)?(v9cyy6|7_*T=8?>NELo-;0MleiEG^A9*=m&E8g*mZ*S9&?>NENENE zIL9Tfaf^FA;u)`a$0xr1H2U!!M>xR`oZ}MLxWzpl@r+lz;}hS0I{o;LBb?v|&T)xr z+~OXOc*ZN<@riFggMNI+5l-*}=eWc*ZgG!CJmVGb_{6uLNk6{h2q*Y~b6nyYx46e6 zp7DxzeB#^Bq95OJgcJP0IWBRHTioLj&v?ZNEIL9Tfaf^FA z;u)`a$0xr1BKq+iM>xR`oZ}MLxWzpl@r+lz;}hS0G5z?CBb?v|&T)xr+~OXOc*ZN< z@riH0gnoR-5l-*}=eWc*ZgG!CJmVGb_{6tgN) z;RHW$j!RtQ7Wa6>GhXqIPkig?$9Ejz1V3<&OI+g?_jtrJUh$4keEXHRPmWhUe*1YJ z-(KK5j&On>IL9Tfaf^FA;u)`a$0xr1D*EvqM>xR`oZ}MLxWzpl@r+lz;}hS0HU0RG zBb?v|&T)xr+~OXOc*ZN<@riHm(vR;r!U=xh9GAGpE$;D%XT0JapZNA`=*M>);RHW$ zj!RtQ7Wa6>GhXqIPkj5e^y52@aDpE=$0e?Di+eoc8LxQ9C%*kU`tcn{IKdB`;}X}n z#XTPJj90wl6W<2<@f}Av!4I6{64$uJJs$ClSG?mB-+n#)_>Lo-;0MleiEG^A9*=m& zE8g*mZ@+NEpijJC1OIA2`P)u5pWdJmMLzc*iHcjr8L?j&On> zIL9Tfaf^FA;u)`a$0xr1Hu~`$M>xR`oZ}MLxWzpl@r+lz;}hS0JN@{MBb?v|&T)xr z+~OXOc*ZN<@riH0gMNI+5l-*}=eWc*ZgG!CJmVGb_{6vO=*M>);RHW$j!RtQ7Wa6> zGhXqIPkj5G^y52@aDpE=$0e?Di+eoc8LxQ9C%*kI`tcn{IKdB`;}X}n#XTPJj90wl z6W@L}{rHX}oZtt}afxf(;vSE9#w*_OiEk7A_>Lo-;0MleiEG^A9*=m&E8g*mZ@-6r ze8&+^@B`<##5Hblk4HS?74P`Ox8F-YzT*fd_NExR`oZ}MLxWzpl@r+lz;}hThx7#PjD<8l8ypL}$@Eu1u!4I6{ z64$uJJs$ClSG?mB-~KTD_>Lo-;0MleiEG^A9*=m&E8g*mZ-0b-e8&+^@B`<##5Hbl zk4HS?74P`OxA*DCcO2maKX8sqT;mq^c*HYa@s3Y?`=j*ZJC1OIA2`P)u5pWdJmMLz zc*iHc{W1FS9Y;9951iu?*SN(!9`TGkjw77l2hMScYuw@);RHW$j!RtQ7Wa6>GhXqIPkj5c^y52@aDpE=$0e?D zi+eoc8LxQ9C%*kT`tcn{IKdB`;}X}n#XTPJj90wl6W><)@f}Av!4I6{64$uJJs$Cl zSG?mB-~K%P_>Lo-;0MleiEG^A9*=m&E8g*mZ-0S)e8&+^@B`<##5Hblk4HS?74P`O zx4%d~zT*fd_);RHW$j!RtQ7Wa6>GhXqIPkj5E^y52@aDpE=$0e?Di+eoc8LxQ9 zC%*kH`tcn{IKdB`;}X}n#XTPJj90wl6W{(e{rHX}oZtt}afxf(;vSE9#w*_OiElgo z_>Lo-;0MleiEG^A9*=m&E8g*mZ~y!4ljD_--+tc5w-@-1Bb?v|&T)xr+~OXOc*ZN< z@riH$2mSbtBb?v|&T)xr+~OXOc*ZN<@riH$C;j-2Bb?v|&T)xr+~OXOc*ZN<@riFA z(vR;r!U=xh9GAGpE$;D%XT0JapZNB7=*M>);RHW$j!RtQ7Wa6>GhXqIPkj5k^y52@ zaDpE=$0e?Di+eoc8LxQ9C%*k(^y52@aDpE=$0e?Di+eoc8LxQ9C%zr@<2#OUf*&}? zC9ZLcdpzP9uXx8NzWqJ=@f}Av!4I6{64$uJJs$ClSG?mB-~K-R_>Lo-;0MleiEG^A z9*=m&E8g*mZ~r&__>Lo-;0MleiEG^A9*=m&E8g*mZ~uUPe8&+^@B`<##5Hblk4HS? 
z74P`Ow|_`KzT*fd_NEIL9Tfaf^FA;u)`a$0xr1Gy3rzM>xR` zoZ}MLxWzpl@r+lz;}hRLq95OJgcJP0IWBRHTioLj&v?Z);RHW$j!RtQ7Wa7ilz-dDQ(y3g4}9U^Uw*Ft>F@huIK(kd zafSZg7VOJmCdz_`nwqKKZWq z?e@yYm*JDIe{hInoZ<`@xWWzY@PH@0;0+)6!olZ#-X{-$&-UXG$2i3qE^vh#+~EOF zc)=S!@P&hahkhL57^gVH1+H*|J3QbCFL=WTzHspG(vL$N;}mDOz!h$AhX*|21#kGk z7Y<&bABQ-`Db8?#E8O4?4|u{0-td7h9Q=Fq;}FL<#ThPeg&W-A0Z(|r8$R%bgMXiX z9O4+KIKu_5aDzKM;0Z5y!w0@_@E_2RLmcB2XSl!>Zg7VOJmCdz_`nwq0{U@?W1Qj) z7r4R=?(l#oyx#B;}FL<#ThPeg&W-A0Z(|r8$R%bgD*fo4sncAoZ$jjxWOGB@Prq<;R9bd z_=5D~5XU&h87^>z8{FXmPk6x_KJbNu7xd#0$2i3qE^vh#+~EOFc)=S!@P&i_jD8&A z7^gVH1+H*|J3QbCFL=WTzHsoL(~me~c2Rz{gZ}`9$4!#KeIK(kdafSZg7VOJmCdz_`nwq{tNnXh+~}M3>Ub<4es!OC%oVd zANaz-7o#7CIL0Z?aDgk_;0_OX!VBK;fiE0$*aD^M(;Q>#0!5cpC zg@Z3kKMrw>Q=H)fSGd6)9`J-0yx{|1ICzzQ9O4+KIKu_5aDzKM;0Z5y!w0@_@a5>o zA&zm1GhE;bH@L$Cp74Se~c z2Rz{gZ}`9$4!#ooIK(kdafSZg7VOJmCdz z_`nwqz6$*~#4%2Bh6`Nb26uSC6JGF!4}9U^tJ04{9OD#cxWE-|aEAvx;RSE_z!wg_ z8vQuLF-~!Y3tZs_cX+@PUhswweBt1$(~mUb< z4es!OC%oVdANaz-*P$*aD^M(;Q>#0!5cpCg@dm{KMrw>Q=H)fSGd6)9`J-0yx{|1 zIQVbq$03e!iZfi`3OBgJ1D^1LH+$*aD^M(;Q>#0!5cpCg@dn8KMrw>Q=H)fSGd6) z9`J-0yx{|1IQRzi;}FL<#ThPeg&W-A0Z(|r8$R%bgKtPb4sncAoZ$jjxWOGB@Prq< z;R9bdNa)8Qj&X`JT;K{fxWfaU@Papd;0p);J^eVuF-~!Y3tZs_cX+@PUhswweBt1K zpdW`g#wpHlfh*kL4i9+33*PX7FC2U$`f-S3oZ<`@xWWzY@PH@0;0+)6!olnG;}FL< z#ThPeg&W-A0Z(|r8$R%bgKtbf4sncAoZ$jjxWOGB@Prq<;R9bd_$Kt@5XU&h87^>z z8{FXmPk6x_KJbNuZ%RK7ag0-(;R08Bk|Caf&ls;0iam!vmi1 zf;W8N3kTnfejMT$r#Qm}u5g1pJm3j0c*6(2aPZCP$03e!iZfi`3OBgJ1D^1LH+=5 z;uxnm!v(HzgF8In2`_lV2flFdt?9=hj&X`JT;K{fxWfaU@Papd;0p)ehJGC47^gVH z1+H*|J3QbCFL=WTzHsoMABQ-`Db8?#E8O4?4|u{0-td7h9DG~)afoA_;tUtK!VT{5 zfG51*4IlWz!MCFyhd9P5&TxS%+~5umc)|Ub<4es!OC%oVd zANaz-8}#E4$2i3qE^vh#+~EOFc)=S!@P&i#KtB#~j8mN90#~@f9Ukz67rfyEUpV-V z^y3i6IK>$*aD^M(;Q>#0!5cpCg@f-zKMrw>Q=H)fSGd6)9`J-0yx{|1ILPS7A&zm1 zGhE;bH@L$Cp74SWq92Di#wpHlfh*kL4i9+33*PX7FC2Vt`f-S3oZ<`@ zxWWzY@PH@0;0+)6!oi#L;}FL<#ThPeg&W-A0Z(|r8$R%bgYQE>4sncAoZ$jjxWOGB z@Prq<;R9bd_`dYx5XU&h87^>z8{FXmPk6x_KJbNu??*olag0-(;R08e~c2Rz{g 
zZ}`9$4t^N@IK(kdafSZg7VOJmCdz_`nwq z{wMlzh+~}M3>Ub<4es!OC%oVdANaz-TlC`)$2i3qE^vh#+~EOFc)=S!@P&gPK|c<0 zj8mN90#~@f9Ukz67rfyEUpV-m>Bk|Caf&ls;0iam!vmi1f;W8N3kN@vejMT$r#Qm} zu5g1pJm3j0c*6(2a8S{YLmcB2XSl!>Zg7VOJmCdz_`nwqeiZ#U#4%2Bh6`Nb26uSC z6JGF!4}9U^N7Ii(9OD#cxWE-|aEAvx;RSE_z!wgF4E;F7F-~!Y3tZs_cX+@PUhsww zeBt27(vL$N;}mDOz!h$AhX*|21#kGk7Y=?L{W!!iPH~0{T;T?Hc)$~0@P-e3;o!&9 zk3$^e6lb`=6>e~c2Rz{gZ}`9$4t@gtIK(kdafSZg7VOJmCdz_`nwq zehU3K#4%2Bh6`Nb26uSC6JGF!4}9UEp&y4h#wpHlfh*kL4i9+33*PX7FC6?-`f-S3 zoZ<`@xWWzY@PH@0;0+)6!og3YABQ-`Db8?#E8O4?4|u{0-td7h9Q<_pafoA_;tUtK z!VT{5fG51*4IlWz!Ox%{hd9P5&TxS%+~5umc)|Ub<4es!O zC%oVdANaz-&!QiPIL0Z?aDgk_;0_OX!VBK;fiE2VZ2EDCW1Qj)7r4R=?(l#oyxQ=H)fSGd6)9`J-0yx{|1IQTjA;}FL<#ThPeg&W-A0Z(|r8$R%bgP%)3 z4sncAoZ$jjxWOGB@Prq<;R9bd_<8i>5XU&h87^>z8{FXmPk6x_KJbNucj(6Zg7VOJmCdz z_`nwqei8jR#4%2Bh6`Nb26uSC6JGF!4}9U^7t@bJ9OD#cxWE-|aEAvx;RSE_z!wgF z3H><4F-~!Y3tZs_cX+@PUhswweBt1i(vL$N;}mDOz!h$AhX*|21#kGk7Y=?I{W!!i zPH~0{T;T?Hc)$~0@P-e3;oz6kk3$^e6lb`=6>e~c2Rz{gZ}`9$4t@pwIK(kdafS)IL0Z?aDgk_;0_OX!VBK;fiE2VO8Rk#W1Qj)7r4R=?(l#o zyxz8{FXmPk6x_KJbNuUq?Re~c2Rz{gZ}`9$4t^W`IK(kd zafSZg7VOJmCdz_`nwqeh2+H#4%2Bh6`Nb z26uSC6JGF!4}9U^J^FEoW1Qj)7r4R=?(l#oyxOq#uVk#wpHlfh*kL4i9+3 z3*PX7FC6?X`f-S3oZ<`@xWWzY@PH@0;0+)6!olyRABQ-`Db8?#E8O4?4|u{0-td7h z98C1%5XU&h87^>z8{FXmPk6x_KJbNu-$OqRag0-(;R08$* zaD^M(;Q>#0!5cpCg@ZppKMrw>Q=H)fSGd6)9`J-0yx{|1IQWC~;}FL<#ThPeg&W-A z0Z(|r8$R%bgFi$+4sncAoZ$jjxWOGB@Prq<;R9bdnCZtMj&X`JT;K{fxWfaU@Papd z;0p);8~r%MF-~!Y3tZs_cX+@PUhswweBs~^(~mUb<4es!OC%oVdANaz-AEzIOIL0Z?aDgk_ z;0_OX!VBK;fiD~^^y3i6IK>$*aD^M(;Q>#0!5cpCg@ZpqKMrw>Q=H)fSGd6)9`J-0 zyx{|1IQWzF;}FL<#ThPeg&W-A0Z(|r8$R%bgFi(-4sncAoZ$jjxWOGB@Prq<;R9bd z_|x>`5XU&h87^>z8{FXmPk6x_KJbNuKSMtbag0-(;R08e~c2Rz{gZ}`9$4mSF6h+~}M3>Ub<4es!OC%oVdANaz-U!@<1IL0Z? 
zaDgk_;0_OX!VBK;fiE2VHTrRgW1Qj)7r4R=?(l#oyxz8{FXm zPk6x_KJbNu|BHSc;uxnm!v(HzgF8In2`_lV2flD{(2qkL;}mDOz!h$AhX*|21#kGk z7Y_a&{W!!iPH~0{T;T?Hc)$~0@P-e3;o$Gnk3$^e6lb`=6>e~c2Rz{gZ}`9$4*qZY zafoA_;tUtK!VT{5fG51*4IlWz!9SoMhd9P5&TxS%+~5umc)|%0K#C@6)foFn$%khF`~T;5YGG_-*_Seiy%o z-^U-|5AjF%m48e>eigrlU&n9YH}PBeZTt>?7r%$!#~e*7wa4Zn`xz;EKW@Z0zu{4RbEzmGq_AL5VjEB};! z{3?D8zmDI)Z{oM`+xQ*)E`ATck3Ya4;*anv|BQb8Dt-;Wj^Ds<;F;n(pS_)Yv4 zejC4o-^K6Y_wfh#L;Mkb{8v@SFH8{5F0Ezl-0)@8b{f zhxjA>%D{8v@SFH8{5F0Ezl-0)@Bja;-93!s=zYg=?VN0%bF{O5N#Z1DCppV6Ntm%nKGN(Y zw0$@zK?;@v(hv~lPIKo)xO;~kp5X&nY@xyh3l}OC=7&eHf@km? zUcxE7g4gf{-oiV04EHp!E<;Cr|=41!y9-D@8CUr zfRFI-CCm?xU5v<@DJcpNX3a{Wbyn(my4&K8D_y`X_jrrjbtl$|u zhnH{)ui!Pjfw%Au-opp@2oFDl`QZ_);2AuJmv9QN;5EE~x9|?$!w2{X4?m0f;SsFh z89axVa0;*BHN1hh@DAR?2lxmNe+%=&BUr&Rcn&Y&6kfq=cmr?Y9lVDR@DU#VHs*&% zu!3js9A3gHyn>5o{7?G#(Is5LHQc~0+`-Q8+|A$b_bTkdAsoRmoWL2J!v$Qz6Qa1=nx`w{QnLpU3>L3x{w7$8Z8?a1Ix630H6pH*gDg zu=54X54&&(M{o=$a0cga0he$E*Kh;3a0feofcaq;4&exn;RMd$94_DzuHYJO;1=#+ z=MOPI?7|@&!7-e`8JxofT*4Jx!wuZR9qjxO=7(K4gd;eH6F7r&xPVKzf@`>eTeyRr z*Dycq!XX^NF`U2|oWliN!WCS@4cx*V?0gaP!!8`c5gfw_oWVIT)-tM< zE*!!U9K#8m!8u&OC0xNZ+`ui|!OkCJe%OUWID%t1fipOV3%G$d25#XFcFr+B?7|@& z!7-e`8JxofT*4Jx!wuZR9qfD!^TRG2!Vw(937o+>T)-t+iG5RTv&PT&mA z;Q}t<3a;S>Zs87gCYT>~;Si4C7*5~}&fx+s;R>$d25#XFcBYsgcHt0?;22Ke49?*K zF5wEU;RbHu4t6duKkULG9KkW1z!{vw1zf@vT*D3A!X4~9!2GZahj0YPZ~|v=4i|6< zS8xqCa0_>^bBXz37Y^YFj^PB(;2bXC60YDHZr~Q~VCT;Dhmsz5L35pZ&|d@8A2^ zd;fd(le6R5|D6ra)9de~gYzfX$@v@ezdG;n{^R#=u9w%}zJ8nzt{=UZey}h(eRB2I z^?UC=e4H*8Hy_;SuSdzl$A5d3o-g$6?MLb0mmKk7k6)P+xLf@-{q%2LCCN=67WzD{ zpWN*>IGxSS;QY-S{XdVc-n$vRbG3ZuI$gZ|FzJtc^Ml2s$LZsn!JF^Def!v{kt6gX zS@W%Ho$q#jZnD#5xqIwaoYmkwNxuDPakX4Nxq0}`V39n0>-zD{^&q`^^3LM@hs(kF zP5LCgdQ;zj@aS~^G`=*RgbRD@#Dwue zNfSupOXEqH*hNzl#*5o9k%yE#6iDMs<4FkY2~SP%787ZdG=Vg}G~R8Hlkn`*Oib_= zN}50#Um8!s<%9mB>2W3aCU}bnr$_X&NbpV27xuy~3M6Y!COqncD0h=OSmwX$lg6T z-Rtd4(3eh{KpI~fPr}qLo|vFVl_rqJm&TKz?4qd&dP`}PG=Vg}G@bj{J)4e_g6Z#LJZ31b0X*>xRcJagn{VtLwkj9tBlQ6N1rY7hurBTuZ()iMN 
z5(0ZxQxo)P(kN*HX?$tC+s3Z;}i7jgh&%e<4fb+2HA6b3jHTh_LL@& z#+Sy^;qK>@=YEE{`|0dlPUq4$-{b-bo(bc{gVQ7Ze-Lc&P4E^Mc8!wYOPEgWvA1C& zO(4NDLBG%w`#gaJ&xHQsm=}5~K}qmU&>srBcq&0j@Na{CmWgjeAi*=iTX^;nbFa@y zLLkADL#AVUtdijC@Znebv`YUt=h^qJ3HrS&O(2agjVIyav`C+p3HriF6G-Dr<4KrK z?N&DQQ<)ceYC``lz&1*nKpI~fPeLG1XM%n@X_Pd9G`=+6ZDUt^atH+W+{(^ADPTZSSt@-G6=bt~#aHVPXI8)IEE9O)vgc>%aTc zXOA8XUVff~FX+V|*WK&rzxTzDoSLV$zpwB6Ic0tC{+8>n7w!M=cHe*gko~`_*S~20 z`y;de_xerrt>3S2xc_(T{N}e9{gLMO)c#$ce~`l7^ZNZj_x<_vHTtA&J z|K48zAKB&o^?yZw$^P>C_Z?^Im)!q1^NMu#_b+|d-?)GODS6TUPrqbd|9`aW`~CWl z68HaWz4=SgFW%J;J=I^gx3T^Fy?Wc2z;k_17kuyZN8Z0@-~X@Ot-IF8%Ko1-_2B;j DDU$}u diff --git a/pkg/ebpf/gadgets/symlink/tracer/tracer.go b/pkg/ebpf/gadgets/symlink/tracer/tracer.go index ada3ee6d..f02a8171 100644 --- a/pkg/ebpf/gadgets/symlink/tracer/tracer.go +++ b/pkg/ebpf/gadgets/symlink/tracer/tracer.go @@ -19,7 +19,7 @@ import ( eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" ) -//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -no-global-types -target bpfel -cc clang -cflags "-g -O2 -Wall -D __TARGET_ARCH_x86" -type event symlink bpf/symlink.bpf.c -- -I./bpf/ +//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -no-global-types -target bpfel -strip /usr/bin/llvm-strip-18 -cc /usr/bin/clang -cflags "-g -O2 -Wall -D __TARGET_ARCH_x86" -type event symlink bpf/symlink.bpf.c -- -I./bpf/ type Config struct { MountnsMap *ebpf.Map @@ -136,6 +136,7 @@ func (t *Tracer) run() { }, WithMountNsID: eventtypes.WithMountNsID{MountNsID: bpfEvent.MntnsId}, Pid: bpfEvent.Pid, + Tid: bpfEvent.Tid, PPid: bpfEvent.Ppid, Uid: bpfEvent.Uid, Gid: bpfEvent.Gid, diff --git a/pkg/ebpf/gadgets/symlink/types/types.go b/pkg/ebpf/gadgets/symlink/types/types.go index 510b3c82..dc0b29f1 100644 --- a/pkg/ebpf/gadgets/symlink/types/types.go +++ b/pkg/ebpf/gadgets/symlink/types/types.go 
@@ -10,6 +10,7 @@ type Event struct { eventtypes.WithMountNsID Pid uint32 `json:"pid,omitempty" column:"pid,template:pid"` + Tid uint32 `json:"tid,omitempty" column:"tid,template:tid"` PPid uint32 `json:"ppid,omitempty" column:"ppid,template:ppid"` Uid uint32 `json:"uid,omitempty" column:"uid,template:uid"` Gid uint32 `json:"gid,omitempty" column:"gid,template:gid"` @@ -29,8 +30,8 @@ func (event *Event) GetExtra() interface{} { return event.extra } -func (event *Event) GetPID() int { - return int(event.Pid) +func (event *Event) GetPID() uint64 { + return (uint64(event.Pid) << 32) | uint64(event.Tid) } func GetColumns() *columns.Columns[Event] { diff --git a/pkg/utils/events.go b/pkg/utils/events.go index 72866b88..db144105 100644 --- a/pkg/utils/events.go +++ b/pkg/utils/events.go @@ -9,7 +9,7 @@ type K8sEvent interface { type EnrichEvent interface { GetBaseEvent() *types.Event - GetPID() int + GetPID() uint64 SetExtra(extra interface{}) } From 5e5ce2f61321c9e3d33ed3d08dc9197becd91f92 Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Wed, 30 Oct 2024 14:03:27 +0200 Subject: [PATCH 13/23] WIP: exex & symlink enrichment --- go.mod | 60 ++++++++-------- go.sum | 110 ++++++++++++++--------------- pkg/containerwatcher/v1/exec.go | 6 +- pkg/containerwatcher/v1/symlink.go | 3 +- pkg/ebpf/events/exec.go | 4 +- 5 files changed, 94 insertions(+), 89 deletions(-) diff --git a/go.mod b/go.mod index 492e4459..209de451 100644 --- a/go.mod +++ b/go.mod @@ -1,8 +1,8 @@ module github.com/kubescape/node-agent -go 1.22.7 +go 1.22.8 -toolchain go1.23.0 +toolchain go1.23.2 require ( github.com/armosec/armoapi-go v0.0.439 @@ -10,7 +10,7 @@ require ( github.com/cenkalti/backoff/v4 v4.3.0 github.com/cilium/ebpf v0.16.0 github.com/crewjam/rfc5424 v0.1.0 - github.com/cyphar/filepath-securejoin v0.3.3 + github.com/cyphar/filepath-securejoin v0.3.4 github.com/deckarep/golang-set/v2 v2.6.0 github.com/dustin/go-humanize v1.0.1 github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e 
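Review bot: `GetPID()` in `types.go` no longer returns a process ID: the new body packs `Pid` into the upper 32 bits and `Tid` into the lower 32, and the `EnrichEvent` interface in `pkg/utils/events.go` changes to `uint64` to match. Any caller that still treats the result as a PID (process-tree lookup, `/proc` access, rule attribution) will silently work on the wrong value, and the other implementers of the interface are not visible in this patch, so each of them needs checking. Either rename the method to something like `GetProcessKey`, or at minimum document it: `// GetPID returns a composite key: Pid in the high 32 bits, Tid in the low 32 bits; it is not a process ID.`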
@@ -28,23 +28,23 @@ require (
 github.com/kubescape/storage v0.0.119
 github.com/panjf2000/ants/v2 v2.9.1
 github.com/prometheus/alertmanager v0.27.0
- github.com/prometheus/client_golang v1.20.4
+ github.com/prometheus/client_golang v1.20.5
 github.com/prometheus/procfs v0.15.1
 github.com/sirupsen/logrus v1.9.3
 github.com/spf13/afero v1.11.0
 github.com/spf13/viper v1.19.0
 github.com/stretchr/testify v1.9.0
- go.opentelemetry.io/otel v1.30.0
- go.opentelemetry.io/otel/trace v1.30.0
+ go.opentelemetry.io/otel v1.31.0
+ go.opentelemetry.io/otel/trace v1.31.0
 go.uber.org/multierr v1.11.0
 golang.org/x/net v0.29.0
- golang.org/x/sys v0.25.0
+ golang.org/x/sys v0.26.0
 gonum.org/v1/plot v0.14.0
 gopkg.in/mcuadros/go-syslog.v2 v2.3.0
 istio.io/pkg v0.0.0-20231221211216-7635388a563e
- k8s.io/api v0.31.1
- k8s.io/apimachinery v0.31.1
- k8s.io/client-go v0.31.1
+ k8s.io/api v0.31.2
+ k8s.io/apimachinery v0.31.2
+ k8s.io/client-go v0.31.2
 k8s.io/kubectl v0.31.0
 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
 sigs.k8s.io/yaml v1.4.0
@@ -75,14 +75,14 @@ require (
 github.com/cenkalti/backoff v2.2.1+incompatible // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/containerd/cgroups/v3 v3.0.3 // indirect
- github.com/containerd/containerd v1.7.22 // indirect
+ github.com/containerd/containerd v1.7.23 // indirect
 github.com/containerd/containerd/api v1.7.19 // indirect
 github.com/containerd/continuity v0.4.3 // indirect
- github.com/containerd/errdefs v0.1.0 // indirect
+ github.com/containerd/errdefs v0.3.0 // indirect
 github.com/containerd/fifo v1.1.0 // indirect
 github.com/containerd/log v0.1.0 // indirect
 github.com/containerd/platforms v0.2.1 // indirect
- github.com/containerd/ttrpc v1.2.5 // indirect
+ github.com/containerd/ttrpc v1.2.6-0.20240827082320-b5cd6e4b3287 // indirect
 github.com/containerd/typeurl/v2 v2.1.1 // indirect
 github.com/containers/common v0.60.4 // indirect
 github.com/coreos/go-oidc v2.2.1+incompatible // indirect
@@ -181,7 +181,7 @@ require (
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 github.com/pquerna/cachecontrol v0.2.0 // indirect
 github.com/prometheus/client_model v0.6.1 // indirect
- github.com/prometheus/common v0.59.1 // indirect
+ github.com/prometheus/common v0.60.0 // indirect
 github.com/s3rj1k/go-fanotify/fanotify v0.0.0-20240229202106-bca3154da60a // indirect
 github.com/sagikazarmark/locafero v0.4.0 // indirect
 github.com/sagikazarmark/slog-shim v0.1.0 // indirect
@@ -217,46 +217,48 @@ require ( go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.30.0 // indirect go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.30.0 // indirect go.opentelemetry.io/otel/log v0.6.0 // indirect - go.opentelemetry.io/otel/metric v1.30.0 // indirect - go.opentelemetry.io/otel/sdk v1.30.0 // indirect + go.opentelemetry.io/otel/metric v1.31.0 // indirect + go.opentelemetry.io/otel/sdk v1.31.0 // indirect go.opentelemetry.io/otel/sdk/log v0.6.0 // indirect - go.opentelemetry.io/otel/sdk/metric v1.30.0 // indirect + go.opentelemetry.io/otel/sdk/metric v1.31.0 // indirect go.opentelemetry.io/proto/otlp v1.3.1 // indirect go.starlark.net v0.0.0-20240517230649-3792562d0b7f // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/crypto v0.27.0 // indirect + golang.org/x/crypto v0.28.0 // indirect golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa // indirect golang.org/x/image v0.18.0 // indirect - golang.org/x/oauth2 v0.22.0 // indirect + golang.org/x/oauth2 v0.23.0 // indirect golang.org/x/sync v0.8.0 // indirect - golang.org/x/term v0.24.0 // indirect - golang.org/x/text v0.18.0 // indirect + golang.org/x/term v0.25.0 // indirect + golang.org/x/text v0.19.0 // indirect golang.org/x/time v0.6.0 // indirect google.golang.org/genproto v0.0.0-20240515191416-fc5f0ca64291 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect google.golang.org/grpc v1.67.1 // indirect - google.golang.org/protobuf v1.34.2 // indirect + google.golang.org/protobuf v1.35.1 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/square/go-jose.v2 v2.6.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.31.1 // indirect - k8s.io/apiserver v0.31.1 // indirect - 
k8s.io/cli-runtime v0.31.1 // indirect - k8s.io/component-base v0.31.1 // indirect - k8s.io/cri-api v0.31.1 // indirect + k8s.io/apiextensions-apiserver v0.31.2 // indirect + k8s.io/apiserver v0.31.2 // indirect + k8s.io/cli-runtime v0.31.2 // indirect + k8s.io/component-base v0.31.2 // indirect + k8s.io/cri-api v0.31.2 // indirect k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi v0.0.0-20240812233141-91dab695df6f // indirect - k8s.io/kubelet v0.31.1 // indirect + k8s.io/kubelet v0.31.2 // indirect oras.land/oras-go/v2 v2.4.0 // indirect - sigs.k8s.io/controller-runtime v0.19.0 // indirect + sigs.k8s.io/controller-runtime v0.19.1 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/kustomize/api v0.17.2 // indirect sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect ) +replace github.com/inspektor-gadget/inspektor-gadget => /home/afek/Projects/Armo/poc/inspektor-gadget + replace github.com/vishvananda/netns => github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6 diff --git a/go.sum b/go.sum index 1f1e9734..33fa07b4 100644 --- a/go.sum +++ b/go.sum 
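Review bot: The added `replace github.com/inspektor-gadget/inspektor-gadget => /home/afek/Projects/Armo/poc/inspektor-gadget` points the module at a directory on one developer's machine, so the build fails everywhere else and, where it does build, compiles whatever source happens to be in that directory. A filesystem replace also takes the module out of go.sum verification; the go.sum part of this patch drops the two `inspektor-gadget v0.33.0` checksum lines accordingly. Before this leaves WIP it should be a pinned version or a replace to a tagged fork, in the same form as the neighbouring `vishvananda/netns => github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6` line.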
@@ -170,22 +170,22 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0= github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0= -github.com/containerd/containerd v1.7.22 h1:nZuNnNRA6T6jB975rx2RRNqqH2k6ELYKDZfqTHqwyy0= -github.com/containerd/containerd v1.7.22/go.mod h1:e3Jz1rYRUZ2Lt51YrH9Rz0zPyJBOlSvB3ghr2jbVD8g= +github.com/containerd/containerd v1.7.23 h1:H2CClyUkmpKAGlhQp95g2WXHfLYc7whAuvZGBNYOOwQ= +github.com/containerd/containerd v1.7.23/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw= github.com/containerd/containerd/api v1.7.19 h1:VWbJL+8Ap4Ju2mx9c9qS1uFSB1OVYr5JJrW2yT5vFoA= github.com/containerd/containerd/api v1.7.19/go.mod h1:fwGavl3LNwAV5ilJ0sbrABL44AQxmNjDRcwheXDb6Ig= github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8= github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= -github.com/containerd/errdefs v0.1.0 h1:m0wCRBiu1WJT/Fr+iOoQHMQS/eP5myQ8lCv4Dz5ZURM= -github.com/containerd/errdefs v0.1.0/go.mod h1:YgWiiHtLmSeBrvpw+UfPijzbLaB77mEG1WwJTDETIV0= +github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4= +github.com/containerd/errdefs v0.3.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= github.com/containerd/fifo v1.1.0 h1:4I2mbh5stb1u6ycIABlBw9zgtlK8viPI9QkQNRQEEmY= github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= github.com/containerd/platforms v0.2.1/go.mod 
h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= -github.com/containerd/ttrpc v1.2.5 h1:IFckT1EFQoFBMG4c3sMdT8EP3/aKfumK1msY+Ze4oLU= -github.com/containerd/ttrpc v1.2.5/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o= +github.com/containerd/ttrpc v1.2.6-0.20240827082320-b5cd6e4b3287 h1:zwv64tCdT888KxuXQuv5i36cEdljoXq3sVqLmOEbCQI= +github.com/containerd/ttrpc v1.2.6-0.20240827082320-b5cd6e4b3287/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o= github.com/containerd/typeurl/v2 v2.1.1 h1:3Q4Pt7i8nYwy2KmQWIw2+1hTvwTE/6w9FqcttATPO/4= github.com/containerd/typeurl/v2 v2.1.1/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0= github.com/containers/common v0.60.4 h1:H5+LAMHPZEqX6vVNOQ+IguVsaFl8kbO/SZ/VPXjxhy0= @@ -203,8 +203,8 @@ github.com/creack/pty v1.1.20 h1:VIPb/a2s17qNeQgDnkfZC35RScx+blkKF8GV68n80J4= github.com/creack/pty v1.1.20/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/crewjam/rfc5424 v0.1.0 h1:MSeXJm22oKovLzWj44AHwaItjIMUMugYGkEzfa831H8= github.com/crewjam/rfc5424 v0.1.0/go.mod h1:RCi9M3xHVOeerf6ULZzqv2xOGRO/zYaVUeRyPnBW3gQ= -github.com/cyphar/filepath-securejoin v0.3.3 h1:lofZkCEVFIBe0KcdQOzFs8Soy9oaHOWl4gGtPI+gCFc= -github.com/cyphar/filepath-securejoin v0.3.3/go.mod h1:8s/MCNJREmFK0H02MF6Ihv1nakJe4L/w3WZLHNkvlYM= +github.com/cyphar/filepath-securejoin v0.3.4 h1:VBWugsJh2ZxJmLFSM06/0qzQyiQX2Qs0ViKrUAcqdZ8= +github.com/cyphar/filepath-securejoin v0.3.4/go.mod h1:8s/MCNJREmFK0H02MF6Ihv1nakJe4L/w3WZLHNkvlYM= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 
@@ -508,8 +508,6 @@ github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+h github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/inspektor-gadget/inspektor-gadget v0.33.0 h1:cUCVuGMY8m/SMNBfYvKLgW5n3cPBonUt9QGE6HVfXDo= -github.com/inspektor-gadget/inspektor-gadget v0.33.0/go.mod h1:Axsy1a2c1AaZCw+WJqX21Ibo9uTfxvY/PNCW5/ZwiO4= github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6 h1:fQqkJ+WkYfzy6BoUh32fr9uYrXfOGtsfw0skMQkfOic= github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU= 
@@ -701,8 +699,8 @@ github.com/prometheus/client_golang v0.8.0/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= -github.com/prometheus/client_golang v1.20.4 h1:Tgh3Yr67PaOv/uTqloMsCEdeuFTatm5zIq5+qNN23vI= -github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y= +github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 
@@ -712,8 +710,8 @@ github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQy github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= -github.com/prometheus/common v0.59.1 h1:LXb1quJHWm1P6wq/U824uxYi4Sg0oGvNeUm1z5dJoX0= -github.com/prometheus/common v0.59.1/go.mod h1:GpWM7dewqmVYcd7SmRaiWVe9SSqjf0UrwnYnpEZNuT0= +github.com/prometheus/common v0.60.0 h1:+V9PAREWNvJMAuJ1x1BaWl9dewMW4YrHZQbx0sJNllA= +github.com/prometheus/common v0.60.0/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw= github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= 
@@ -869,8 +867,8 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIX go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= go.opentelemetry.io/contrib/instrumentation/runtime v0.55.0 h1:GotCpbh7YkCHdFs+hYMdvAEyGsBZifFognqrOnBwyJM= go.opentelemetry.io/contrib/instrumentation/runtime v0.55.0/go.mod h1:6b0AS55EEPj7qP44khqF5dqTUq+RkakDMShFaW1EcA4= -go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= -go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= +go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY= +go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.6.0 h1:QSKmLBzbFULSyHzOdO9JsN9lpE4zkrz1byYGmJecdVE= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.6.0/go.mod h1:sTQ/NH8Yrirf0sJ5rWqVu+oT82i4zL9FaF6rWcqnptM= go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.30.0 h1:VrMAbeJz4gnVDg2zEzjHG4dEH86j4jO6VYB+NgtGD8s= 
@@ -883,16 +881,16 @@ go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.30.0 h1:kn1BudCgwtE7PxL go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.30.0/go.mod h1:ljkUDtAMdleoi9tIG1R6dJUpVwDcYjw3J2Q6Q/SuiC0= go.opentelemetry.io/otel/log v0.6.0 h1:nH66tr+dmEgW5y+F9LanGJUBYPrRgP4g2EkmPE3LeK8= go.opentelemetry.io/otel/log v0.6.0/go.mod h1:KdySypjQHhP069JX0z/t26VHwa8vSwzgaKmXtIB3fJM= -go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= -go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= -go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE= -go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg= +go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE= +go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY= +go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk= +go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0= go.opentelemetry.io/otel/sdk/log v0.6.0 h1:4J8BwXY4EeDE9Mowg+CyhWVBhTSLXVXodiXxS/+PGqI= go.opentelemetry.io/otel/sdk/log v0.6.0/go.mod h1:L1DN8RMAduKkrwRAFDEX3E3TLOq46+XMGSbUfHU/+vE= -go.opentelemetry.io/otel/sdk/metric v1.30.0 h1:QJLT8Pe11jyHBHfSAgYH7kEmT24eX792jZO1bo4BXkM= -go.opentelemetry.io/otel/sdk/metric v1.30.0/go.mod h1:waS6P3YqFNzeP01kuo/MBBYqaoBJl7efRQHOaydhy1Y= -go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= -go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= +go.opentelemetry.io/otel/sdk/metric v1.31.0 h1:i9hxxLJF/9kkvfHppyLL55aW7iIJz4JjxTeYusH7zMc= +go.opentelemetry.io/otel/sdk/metric v1.31.0/go.mod h1:CRInTMVvNhUKgSAMbKyTMxqOBC0zgyxzW55lZzX43Y8= +go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys= +go.opentelemetry.io/otel/trace 
v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= @@ -921,8 +919,8 @@ golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= -golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= +golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= +golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -1031,8 +1029,8 @@ golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA= -golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs= +golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/perf v0.0.0-20180704124530-6e6d33e29852/go.mod h1:JLpeXjPJfIyPr5TlbXLkXWLhP8nz10XfvxElABhCtcw= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -1123,11 +1121,11 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= -golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= -golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= +golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= +golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1137,8 +1135,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= -golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -1374,8 +1372,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= -google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= +google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= +google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -1421,30 +1419,30 @@ honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9 honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las= istio.io/pkg v0.0.0-20231221211216-7635388a563e h1:ZlLVbKDlCzfP0MPbWc6VRcY23d9NdjLxwpPQpDrh3Gc= istio.io/pkg v0.0.0-20231221211216-7635388a563e/go.mod h1:fvmqEdHhZjYYwf6dSiIwvwc7db54kMWVTfsb91KmhzY= -k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= -k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= -k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= -k8s.io/apiextensions-apiserver v0.31.1/go.mod h1:tWMPR3sgW+jsl2xm9v7lAyRF1rYEK71i9G5dRtkknoQ= -k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= -k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= -k8s.io/apiserver v0.31.1 h1:Sars5ejQDCRBY5f7R3QFHdqN3s61nhkpaX8/k1iEw1c= -k8s.io/apiserver v0.31.1/go.mod h1:lzDhpeToamVZJmmFlaLwdYZwd7zB+WYRYIboqA1kGxM= -k8s.io/cli-runtime v0.31.1 h1:/ZmKhmZ6hNqDM+yf9s3Y4KEYakNXUn5sod2LWGGwCuk= -k8s.io/cli-runtime v0.31.1/go.mod h1:pKv1cDIaq7ehWGuXQ+A//1OIF+7DI+xudXtExMCbe9U= -k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0= -k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg= -k8s.io/component-base v0.31.1 h1:UpOepcrX3rQ3ab5NB6g5iP0tvsgJWzxTyAo20sgYSy8= -k8s.io/component-base v0.31.1/go.mod h1:WGeaw7t/kTsqpVTaCoVEtillbqAhF2/JgvO0LDOMa0w= -k8s.io/cri-api v0.31.1 h1:x0aI8yTI7Ho4c8tpuig8NwI/MRe+VhjiYyyebC2xphQ= -k8s.io/cri-api v0.31.1/go.mod h1:Po3TMAYH/+KrZabi7QiwQI4a692oZcUOUThd/rqwxrI= +k8s.io/api v0.31.2 h1:3wLBbL5Uom/8Zy98GRPXpJ254nEFpl+hwndmk9RwmL0= +k8s.io/api v0.31.2/go.mod h1:bWmGvrGPssSK1ljmLzd3pwCQ9MgoTsRCuK35u6SygUk= +k8s.io/apiextensions-apiserver v0.31.2 h1:W8EwUb8+WXBLu56ser5IudT2cOho0gAKeTOnywBLxd0= +k8s.io/apiextensions-apiserver v0.31.2/go.mod h1:i+Geh+nGCJEGiCGR3MlBDkS7koHIIKWVfWeRFiOsUcM= 
+k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw= +k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apiserver v0.31.2 h1:VUzOEUGRCDi6kX1OyQ801m4A7AUPglpsmGvdsekmcI4= +k8s.io/apiserver v0.31.2/go.mod h1:o3nKZR7lPlJqkU5I3Ove+Zx3JuoFjQobGX1Gctw6XuE= +k8s.io/cli-runtime v0.31.2 h1:7FQt4C4Xnqx8V1GJqymInK0FFsoC+fAZtbLqgXYVOLQ= +k8s.io/cli-runtime v0.31.2/go.mod h1:XROyicf+G7rQ6FQJMbeDV9jqxzkWXTYD6Uxd15noe0Q= +k8s.io/client-go v0.31.2 h1:Y2F4dxU5d3AQj+ybwSMqQnpZH9F30//1ObxOKlTI9yc= +k8s.io/client-go v0.31.2/go.mod h1:NPa74jSVR/+eez2dFsEIHNa+3o09vtNaWwWwb1qSxSs= +k8s.io/component-base v0.31.2 h1:Z1J1LIaC0AV+nzcPRFqfK09af6bZ4D1nAOpWsy9owlA= +k8s.io/component-base v0.31.2/go.mod h1:9PeyyFN/drHjtJZMCTkSpQJS3U9OXORnHQqMLDz0sUQ= +k8s.io/cri-api v0.31.2 h1:O/weUnSHvM59nTio0unxIUFyRHMRKkYn96YDILSQKmo= +k8s.io/cri-api v0.31.2/go.mod h1:Po3TMAYH/+KrZabi7QiwQI4a692oZcUOUThd/rqwxrI= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20240812233141-91dab695df6f h1:bnWtxXWdAl5bVOCEPoNdvMkyj6cTW3zxHuwKIakuV9w= k8s.io/kube-openapi v0.0.0-20240812233141-91dab695df6f/go.mod h1:G0W3eI9gG219NHRq3h5uQaRBl4pj4ZpwzRP5ti8y770= k8s.io/kubectl v0.31.0 h1:kANwAAPVY02r4U4jARP/C+Q1sssCcN/1p9Nk+7BQKVg= k8s.io/kubectl v0.31.0/go.mod h1:pB47hhFypGsaHAPjlwrNbvhXgmuAr01ZBvAIIUaI8d4= -k8s.io/kubelet v0.31.1 h1:aAxwVxGzbbMKKk/FnSjvkN52K3LdHhjhzmYcyGBuE0c= -k8s.io/kubelet v0.31.1/go.mod h1:8ZbexYHqUO946gXEfFmnMZiK2UKRGhk7LlGvJ71p2Ig= +k8s.io/kubelet v0.31.2 h1:6Hytyw4LqWqhgzoi7sPfpDGClu2UfxmPmaiXPC4FRgI= +k8s.io/kubelet v0.31.2/go.mod h1:0E4++3cMWi2cJxOwuaQP3eMBa7PSOvAFgkTPlVc/2FA= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= oras.land/oras-go/v2 v2.4.0 
h1:i+Wt5oCaMHu99guBD0yuBjdLvX7Lz8ukPbwXdR7uBMs= @@ -1454,8 +1452,8 @@ rsc.io/pdf v0.1.1 h1:k1MczvYDUvJBe93bYd7wrZLLUEcLZAuF824/I4e5Xr4= rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= -sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= +sigs.k8s.io/controller-runtime v0.19.1 h1:Son+Q40+Be3QWb+niBXAg2vFiYWolDjjRfO8hn/cxOk= +sigs.k8s.io/controller-runtime v0.19.1/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kustomize/api v0.17.2 h1:E7/Fjk7V5fboiuijoZHgs4aHuexi5Y2loXlVOAVAG5g= diff --git a/pkg/containerwatcher/v1/exec.go b/pkg/containerwatcher/v1/exec.go index 7d77a6b8..d360fdff 100644 --- a/pkg/containerwatcher/v1/exec.go +++ b/pkg/containerwatcher/v1/exec.go @@ -7,6 +7,7 @@ import ( tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" "github.com/inspektor-gadget/inspektor-gadget/pkg/types" events "github.com/kubescape/node-agent/pkg/ebpf/events" + "golang.org/x/sys/unix" ) func (ch *IGContainerWatcher) execEventCallback(event *tracerexectype.Event) { 
@@ -16,7 +17,10 @@ func (ch *IGContainerWatcher) execEventCallback(event *tracerexectype.Event) { execEvent := &events.ExecEvent{Event: *event} if ch.thirdPartyEnricher != nil { - // ch.thirdPartyEnricher.Enrich(execEvent, "sys_execve") + ch.thirdPartyEnricher.Enrich(execEvent, []uint64{unix.SYS_EXECVE, unix.SYS_EXECVEAT}) + if execEvent.GetExtra() != nil { + fmt.Println("execEventCallback GetExtra", execEvent.GetExtra()) + } } if event.Retval > -1 && event.Comm != "" { diff --git a/pkg/containerwatcher/v1/symlink.go b/pkg/containerwatcher/v1/symlink.go index eca3836c..66a6e53b 100644 --- a/pkg/containerwatcher/v1/symlink.go +++ b/pkg/containerwatcher/v1/symlink.go @@ -19,9 +19,10 @@ func (ch *IGContainerWatcher) symlinkEventCallback(event *tracersymlinktype.Even if ch.thirdPartyEnricher != nil { syscalls := []uint64{unix.SYS_SYMLINKAT, unix.SYS_SYMLINK} + fmt.Println("symlinkEventCallback syscalls", syscalls) ch.thirdPartyEnricher.Enrich(event, syscalls) if event.GetExtra() != nil { - fmt.Println("GetExtra", event.GetExtra()) + fmt.Println("symlinkEventCallback GetExtra", event.GetExtra()) } } diff --git a/pkg/ebpf/events/exec.go b/pkg/ebpf/events/exec.go index 5ee924df..c7bea8de 100644 --- a/pkg/ebpf/events/exec.go +++ b/pkg/ebpf/events/exec.go @@ -17,6 +17,6 @@ func (event *ExecEvent) GetExtra() interface{} { return event.extra } -func (event *ExecEvent) GetPID() int { - return int(event.Pid) +func (event *ExecEvent) GetPID() uint64 { + return (uint64(event.Pid) << 32) | uint64(event.Tid) } From 12a829dbe319b60ad2e9419c37ee2339729c6750 Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Thu, 31 Oct 2024 10:55:23 +0200 Subject: [PATCH 14/23] WIP: Added open to enrichment --- pkg/containerwatcher/v1/container_watcher.go | 17 +++++------------ pkg/containerwatcher/v1/open.go | 13 ++++++++++--- pkg/containerwatcher/v1/symlink.go | 1 - pkg/ebpf/events/open.go | 4 ++-- 4 files changed, 17 insertions(+), 18 deletions(-) 
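Review bot: The added `fmt.Println("execEventCallback GetExtra", execEvent.GetExtra())` writes whatever the third-party enricher attached straight to stdout for every enriched exec event, bypassing the agent's logger and its log levels. The same debug print is added in symlinkEventCallback in this patch and in openEventCallback and hardlinkEventCallback in the following patches of the series. I would drop these prints or route them through the project logger at debug level before the series leaves WIP. Enrich also runs before the `event.Retval > -1 && event.Comm != ""` filter, so failed execs are enriched and then discarded; moving the call inside that condition avoids the wasted work, assuming the enricher does not need to see the failures. The callback body starts and continues outside the hunk.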
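Review bot: `ExecEvent.GetPID` no longer returns a process id: it now returns `Pid` in the upper 32 bits and `Tid` in the lower 32, so any caller that still treats the result as a PID reads a wrong value. I would rename the accessor or at least document the packing, e.g. `// GetPID returns a combined key: Pid in the high 32 bits, Tid in the low 32 bits.` The identical change is made to `OpenEvent.GetPID` in pkg/ebpf/events/open.go in the next patch. The callers are outside this hunk, so whether any of them still expects a plain PID cannot be checked from here.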
diff --git a/pkg/containerwatcher/v1/container_watcher.go b/pkg/containerwatcher/v1/container_watcher.go index 506f4627..d59370b8 100644 --- a/pkg/containerwatcher/v1/container_watcher.go +++ b/pkg/containerwatcher/v1/container_watcher.go @@ -18,7 +18,6 @@ import ( tracernetwork "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/network/tracer" tracernetworktype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/network/types" traceropen "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/tracer" - traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" "github.com/inspektor-gadget/inspektor-gadget/pkg/operators" "github.com/inspektor-gadget/inspektor-gadget/pkg/socketenricher" tracercollection "github.com/inspektor-gadget/inspektor-gadget/pkg/tracer-collection" @@ -136,7 +135,7 @@ type IGContainerWatcher struct { capabilitiesWorkerChan chan *tracercapabilitiestype.Event execWorkerChan chan *events.ExecEvent - openWorkerChan chan *traceropentype.Event + openWorkerChan chan *events.OpenEvent ptraceWorkerChan chan *tracerptracetype.Event networkWorkerChan chan *tracernetworktype.Event dnsWorkerChan chan *tracerdnstype.Event @@ -219,7 +218,7 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli } // Create an open worker pool openWorkerPool, err := ants.NewPoolWithFunc(openWorkerPoolSize, func(i interface{}) { - event := i.(traceropentype.Event) + event := i.(events.OpenEvent) // ignore events with empty container name if event.K8s.ContainerName == "" { return 
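Review bot: The open worker now does an unchecked `event := i.(events.OpenEvent)`, while `openWorkerChan` was changed to carry `*events.OpenEvent`; if the code that feeds the pool passes the pointer through without dereferencing, this assertion panics on the first open event. The Invoke call site is outside the hunk, so it should be confirmed that it passes the value, or the assertion should use the comma-ok form: `event, ok := i.(events.OpenEvent)` followed by `if !ok { return }`. The worker closure continues outside the hunk.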
@@ -236,17 +235,11 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli path = event.FullPath } - openEvent := &events.OpenEvent{Event: event} - - if thirdPartyEnricher != nil { - // thirdPartyEnricher.Enrich(openEvent) - } - metrics.ReportEvent(utils.OpenEventType) applicationProfileManager.ReportFileOpen(k8sContainerID, path, event.Flags) relevancyManager.ReportFileOpen(event.Runtime.ContainerID, k8sContainerID, path) - ruleManager.ReportEvent(utils.OpenEventType, openEvent) - malwareManager.ReportEvent(utils.OpenEventType, openEvent) + ruleManager.ReportEvent(utils.OpenEventType, &event) + malwareManager.ReportEvent(utils.OpenEventType, &event) // Report open events to event receivers reportEventToThirdPartyTracers(utils.OpenEventType, &event, thirdPartyEventReceivers) @@ -442,7 +435,7 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli // Channels capabilitiesWorkerChan: make(chan *tracercapabilitiestype.Event, 1000), execWorkerChan: make(chan *events.ExecEvent, 10000), - openWorkerChan: make(chan *traceropentype.Event, 500000), + openWorkerChan: make(chan *events.OpenEvent, 500000), ptraceWorkerChan: make(chan *tracerptracetype.Event, 1000), networkWorkerChan: make(chan *tracernetworktype.Event, 500000), dnsWorkerChan: make(chan *tracerdnstype.Event, 100000), diff --git a/pkg/containerwatcher/v1/open.go b/pkg/containerwatcher/v1/open.go index 41d19655..4f35ca3f 100644 --- a/pkg/containerwatcher/v1/open.go +++ b/pkg/containerwatcher/v1/open.go @@ -6,6 +6,8 @@ import ( traceropen "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/tracer" traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" "github.com/inspektor-gadget/inspektor-gadget/pkg/types" + events "github.com/kubescape/node-agent/pkg/ebpf/events" + "golang.org/x/sys/unix" ) func (ch *IGContainerWatcher) openEventCallback(event *traceropentype.Event) { 
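Review bot: The unchanged line `reportEventToThirdPartyTracers(utils.OpenEventType, &event, thirdPartyEventReceivers)` now hands receivers a `*events.OpenEvent`, because `event` changed type in the previous hunk; before this patch they received a `*traceropentype.Event`. Any receiver that type-asserts on the old concrete type would presumably stop matching without an error, and the receivers are not visible from here. I would add a comment at this call, such as `// event is *events.OpenEvent (wraps traceropentype.Event plus enricher extra)`, and mention the change in the commit message. The worker closure starts outside the hunk.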
@@ -13,10 +15,15 @@ func (ch *IGContainerWatcher) openEventCallback(event *traceropentype.Event) { return } - // do not skip dropped events as their processing is done in the worker - + openEvent := &events.OpenEvent{Event: *event} + if ch.thirdPartyEnricher != nil { + ch.thirdPartyEnricher.Enrich(openEvent, []uint64{unix.SYS_OPEN, unix.SYS_OPENAT}) + if openEvent.GetExtra() != nil { + fmt.Println("openEventCallback GetExtra", openEvent.GetExtra()) + } + } if event.Err > -1 && event.FullPath != "" { - ch.openWorkerChan <- event + ch.openWorkerChan <- openEvent } } diff --git a/pkg/containerwatcher/v1/symlink.go b/pkg/containerwatcher/v1/symlink.go index 66a6e53b..c0d73960 100644 --- a/pkg/containerwatcher/v1/symlink.go +++ b/pkg/containerwatcher/v1/symlink.go @@ -19,7 +19,6 @@ func (ch *IGContainerWatcher) symlinkEventCallback(event *tracersymlinktype.Even if ch.thirdPartyEnricher != nil { syscalls := []uint64{unix.SYS_SYMLINKAT, unix.SYS_SYMLINK} - fmt.Println("symlinkEventCallback syscalls", syscalls) ch.thirdPartyEnricher.Enrich(event, syscalls) if event.GetExtra() != nil { fmt.Println("symlinkEventCallback GetExtra", event.GetExtra()) diff --git a/pkg/ebpf/events/open.go b/pkg/ebpf/events/open.go index 012061a1..2acc81d2 100644 --- a/pkg/ebpf/events/open.go +++ b/pkg/ebpf/events/open.go @@ -13,8 +13,8 @@ func (event *OpenEvent) SetExtra(extra interface{}) { event.extra = extra } -func (event *OpenEvent) GetPID() int { - return int(event.Pid) +func (event *OpenEvent) GetPID() uint64 { + return (uint64(event.Pid) << 32) | uint64(event.Tid) } func (event *OpenEvent) GetExtra() interface{} { From 1c22e63b6d128686151abb4f9d67738b9efa70be Mon Sep 17 00:00:00 2001 
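Review bot: `unix.SYS_OPEN` in the added `Enrich(openEvent, []uint64{unix.SYS_OPEN, unix.SYS_OPENAT})` is not defined by golang.org/x/sys/unix for linux/arm64, which only has the `openat` family, so this file stops compiling for arm64. `unix.SYS_LINK` in the hardlink.go hunk of the next patch and the existing `unix.SYS_SYMLINK` in symlink.go have the same problem. I would move the per-event syscall lists into build-tagged files, one per architecture, instead of naming the legacy numbers inline. The list also omits `unix.SYS_OPENAT2`; if the open tracer reports openat2 calls, those events would presumably not be matched by the enricher. The callback body starts outside the hunk.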
From: Afek Berger Date: Thu, 31 Oct 2024 17:08:24 +0200 Subject: [PATCH 15/23] WIP: added hardlink for enrichment --- pkg/containerwatcher/v1/hardlink.go | 9 +++++++++ .../hardlink/tracer/bpf/hardlink.bpf.c | 6 ++---- .../gadgets/hardlink/tracer/bpf/hardlink.h | 1 + .../gadgets/hardlink/tracer/hardlink_bpfel.go | 3 ++- .../gadgets/hardlink/tracer/hardlink_bpfel.o | Bin 489384 -> 489536 bytes pkg/ebpf/gadgets/hardlink/tracer/tracer.go | 3 ++- pkg/ebpf/gadgets/hardlink/types/types.go | 5 +++-- 7 files changed, 19 insertions(+), 8 deletions(-) diff --git a/pkg/containerwatcher/v1/hardlink.go b/pkg/containerwatcher/v1/hardlink.go index 2bce183a..1d99cd0d 100644 --- a/pkg/containerwatcher/v1/hardlink.go +++ b/pkg/containerwatcher/v1/hardlink.go @@ -5,6 +5,7 @@ import ( tracerhardlink "github.com/kubescape/node-agent/pkg/ebpf/gadgets/hardlink/tracer" tracerhardlinktype "github.com/kubescape/node-agent/pkg/ebpf/gadgets/hardlink/types" + "golang.org/x/sys/unix" "github.com/inspektor-gadget/inspektor-gadget/pkg/types" "github.com/kubescape/go-logger" @@ -21,6 +22,14 @@ func (ch *IGContainerWatcher) hardlinkEventCallback(event *tracerhardlinktype.Ev return } + if ch.thirdPartyEnricher != nil { + syscalls := []uint64{unix.SYS_LINK, unix.SYS_LINKAT} + ch.thirdPartyEnricher.Enrich(event, syscalls) + if event.GetExtra() != nil { + fmt.Println("hardlinkEventCallback GetExtra", event.GetExtra()) + } + } + ch.hardlinkWorkerChan <- event } diff --git a/pkg/ebpf/gadgets/hardlink/tracer/bpf/hardlink.bpf.c b/pkg/ebpf/gadgets/hardlink/tracer/bpf/hardlink.bpf.c index a37e9728..ba0ee4a7 100644 --- a/pkg/ebpf/gadgets/hardlink/tracer/bpf/hardlink.bpf.c +++ b/pkg/ebpf/gadgets/hardlink/tracer/bpf/hardlink.bpf.c @@ -1,8 +1,5 @@ -#ifdef __TARGET_ARCH_x86 #include "../../../../include/amd64/vmlinux.h" -#elif defined(__TARGET_ARCH_arm64) -#include "../../../../include/arm64/vmlinux.h" -#endif + #include #include 
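Review bot: Dropping the `__TARGET_ARCH_x86` / `__TARGET_ARCH_arm64` guard makes hardlink.bpf.c include `../../../../include/amd64/vmlinux.h` unconditionally, so an arm64 build of this gadget would be compiled against x86 kernel type definitions, or fail, depending on how the object is generated. If this was only needed for the local proof of concept, the conditional should come back before the series leaves WIP: `#ifdef __TARGET_ARCH_x86`, `#elif defined(__TARGET_ARCH_arm64)` with the arm64 include, then `#endif`.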
@@ -116,6 +113,7 @@ int tracepoint__sys_link(struct syscall_trace_enter *ctx) event->timestamp = bpf_ktime_get_boot_ns(); event->mntns_id = mntns_id; event->pid = bpf_get_current_pid_tgid() >> 32; + event->tid = bpf_get_current_pid_tgid() & 0xFFFFFFFF; event->ppid = BPF_CORE_READ(current_task, real_parent, pid); event->uid = uid; event->gid = (u32)(uid_gid >> 32); diff --git a/pkg/ebpf/gadgets/hardlink/tracer/bpf/hardlink.h b/pkg/ebpf/gadgets/hardlink/tracer/bpf/hardlink.h index 464d62b4..4220eb47 100644 --- a/pkg/ebpf/gadgets/hardlink/tracer/bpf/hardlink.h +++ b/pkg/ebpf/gadgets/hardlink/tracer/bpf/hardlink.h @@ -17,6 +17,7 @@ struct event { gadget_timestamp timestamp; gadget_mntns_id mntns_id; __u32 pid; + __u32 tid; __u32 ppid; __u32 uid; __u32 gid; diff --git a/pkg/ebpf/gadgets/hardlink/tracer/hardlink_bpfel.go b/pkg/ebpf/gadgets/hardlink/tracer/hardlink_bpfel.go index b0bd0cdb..1998ad1d 100644 --- a/pkg/ebpf/gadgets/hardlink/tracer/hardlink_bpfel.go +++ b/pkg/ebpf/gadgets/hardlink/tracer/hardlink_bpfel.go @@ -16,6 +16,7 @@ type hardlinkEvent struct { Timestamp uint64 MntnsId uint64 Pid uint32 + Tid uint32 Ppid uint32 Uid uint32 Gid uint32 @@ -24,7 +25,7 @@ type hardlinkEvent struct { Exepath [4096]uint8 Oldpath [4096]uint8 Newpath [4096]uint8 - _ [7]byte + _ [3]byte } // loadHardlink returns the embedded CollectionSpec for hardlink. 
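Review bot: The added `event->tid` line calls `bpf_get_current_pid_tgid()` a second time, directly after the `event->pid` line already called it; read the helper once and derive both fields from the same value: `u64 pid_tgid = bpf_get_current_pid_tgid();`, `event->pid = pid_tgid >> 32;`, `event->tid = (u32)pid_tgid;`. A one-line comment stating that the upper half is the thread-group id (the user-space PID) and the lower half the thread id would save the next reader a lookup. tracepoint__sys_link starts and ends outside the hunk.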
diff --git a/pkg/ebpf/gadgets/hardlink/tracer/hardlink_bpfel.o b/pkg/ebpf/gadgets/hardlink/tracer/hardlink_bpfel.o index 51918c287a0ac08f6dcf39f139da90f2f3bd7a9a..6e8caa47f933b95888d5024c7f39207c3afc57e6 100644 GIT binary patch literal 489536 zcmeF4349$@+5ab(qzx@lD3qm8xRtGJQuYD@Q}%r=J2gqOw4vFWrERFdAP5L9EFuc1 zErklGY$^poG9a>wq9}s06jwx46a_@3|L^ad=OjbY>-+lu_};6@J)cg_cb<99{+n~o z%)Lp^J?O}Ta}^a)2o=#=(ZE@-5_ga8KZza1(K>kcZRE|%Em8f%>sHFrcfGfd&PCC6 zD_5@Ea8RZn;j&D9mhFVmvo}==**BNHT4zx-p}N7@mH+Ewv7hhlsOa z>8tbS%PCh`D8G3eO1~j-@6y*@{rc1Y6aTeW<-Y_YVKn)zpgfgR$$2QJZrKW#|DrQ} zIfL6hZylFBI??*PDx%_qY=5a8gVTlnnh@>Z-%sO6H`uRkyvr`yaJ48R8&?-uChc71 zF4S51ebifFHgTSKfyFZ?@9y&NyCicXsEC#$4v|?!D6c^{JBy>X+Rx zsb3;u)w`49#E1$JR9_ofcV1;@y;u7D-;+;%Rr&b-Qa;+i*e=3vntxe z*Y}!>U42!bvpE*c_O)1K`jdSvjs+Zfj{4EQUBO;IdOfUOM^CN33LP$SmtFfceyY!4 z{iUQEqQ6YKRqAPp*HiCO-`{;Z`*Ol~)o-15hWb4=aq*(FykGqWzCTs}%{i9S&T7gZ z*Wuiv?0uth2j4e+nSKoS&rR5Rm-_nrZ|(1+m-+iA%qtT{`S$62 z3fKGUomO| z>Zx%E{YcU%RQdJS`0@PT&bI^W&_^bzMk-gKui4^% zqQgS{r#rKEsc&bfchGxw{8p7dq+4`J;@Ul_9w8{dFZy=P>~hmxG_(E?SKr>HzJGd` zJnH?|J+QwWsz)e4Tkcb<=(pvJs~>mkZ)1QiSNHf6K{9teM@m7j9x8@Zl_&! 
zJ4-#B)7_H5$;2yJfcyOI8C~QrM<)}n+>d@e)VW8!yLesqo#)SW|LwrhM}I1Wd3QFM z<~e`FV%^{Ti(1F8<;T(58}iXQt8%jSe98KsOKx6Jl@^`lb>?&%N6}_=7zv>t`>yoo z{kq=MpRY<6p&tj&tN#u?PpaR=6&!RtscR>99`x|f>hmv+>k{8S^`9Hp@qXY2k8AG| zud^^N3-HgAbcgY;yM?HCslUG2=03lZ(TT>RcZt{KIA8tujE~9-did9M@R%?6CSPvf zhpipbA;IbK+)VkC{q_H?J~o@<{TE$g`I|1PqKWRp%=&w*-Gk?oyPRF)^j|lh(6YX= z-rYP_SnpSqNbhq?toPFk=>3%cYP~Pot7D~Z=zlh!{@={+{=sEnexK^*mH)i?eb*A{ zea)iky(-$+_5aNJcO8WN*1$gTZ_fT7Kd)bJ`%!!Ev1nVbZ`E6&cWGJg+NTzt-=DGZ zFZO=sHec?|w%@qIkC*mg|CarXJ)bSQ#^*nv_r(SD{<*T=8G^7b{HxESlj{Fl=J$mq z())2G()<1e^uAwN?;}F*6HBD`H{63`Z_(%XU-)u|y!U$9*~|MGzs?Td`Taf{|6=cF zt}2n8OQiQbN~HHG1@yjUS??o4@BW2!@!!8c=f3Gu{Qb=1zT6@E znMa(xyq_8F`YR-?-!Ry?{y{8 z`|$6U( zer<{L{;>jj|7cn7BVvAUD3RXxDUsgaUqJ8MmGwR%^ggOYdVk6N#h~KvXP)xq4%yE< z>FnkG%y8e&++^cl?ETDnCDMCm0ll}E^*$oz_rpu1_svVB_w@?seVwx2M}*#ATSqHc z@!!9H+m~DP_wRREdk4RN|EjZ>_cKz%aDM;(i4y63c8T}OtZ_VRv4qcWWLGk4qg7kfW* zd5QG?;R1R;x2$(`KK%DHr$I|Hiij@85sq%Psoz>ciIF z!S83j1Dm6^Wndr*}X)1A6Fv1M+Nl$kJUA= zmFIW$!f>A7pLOG0{J&3dhcCD2`G z;lH1$Es@^$ERo)~Eui`;w*3F{tXTIah9kQQ!%-PHP8I8(t-p|}% z<6rFk%-JQo-d&HNoBo{2))0(np?k${{H>@zTBekXCAcn4u1dM=j`SEjMOlk z_cPa&Nbg-G(tASzz1NlXj?Rbwe&z!u())xG>3viIy{}f*`-sr{i#fM`6@5Rm+?QMQ z{mf0)-og8s8=bwppOG4d^L{2Nk={=&k=_q4p!Y+{dPnEOe?RlS66yVK6>c6W`uzTy zFL%iM_un{sd4AWZ4Cnd%Ashc*~|MG*9}qcve#FN`j+_f(WvD0l`B{3ErWgm z^dlVeIC_^p<@_eq@9Z3Vzv$CV>YD1#)t`ANtQ)J!PygX{e|}5ecKI!uc(;ptm-ze^ zO}u?beQu{db>rQ~gwbf~MN!eo#4GuqMSGX{{mN`Be}Tn2jK2jh)w|gHne% zqS)W3d0G(W+o0Qj_k7yBuKV?V*5$;{x0kzai`?5~CTh*oJ8&#_zugc;Rgv%4-eq22 zqp>qBuk4%U)4BQhT~s(KMDkrQe8Sxi?2wS={I4>HeOhO!X75^YyvjJ81p7j(j(yUfH1hWLh-F*MCAZ zcT-)LeRGaJKU~p->N)*({m0sU?ypWo(ct{*#&eM{xE+&rrU8VybzBtnUE$-|)GH4z zuz2R=(_J~bk6!05Zugz<{rdH|%%4jK+As9g`E&JicHa>0!``KSeeX~IPyDq{7~;Rg z%A-CjC{N``H|ig)aCOU8xPD%ArY~o3f6TM?o>)N!gsO;&6Z)=qk=s|O9fQ+_ahVY9 z>H4F0-i9v0gbFG^=$$vk#V1zyepULzoyGr9JvRZBk4mhHrn-C_)|F+!LGmDA+N|EO}kPJOz3eX{q{ZuwQ^+!vFn z_eQ?nXZiU;?KzucQL`83BGaMl`VUeUaO64aSJ!BgALTrS&k!9gahIb)`%a}xN%t@7 
zVTsp6?^55-eSX{8ukZS8@~+_eJvBPib0a?vs=w~H<@{E7HRX=$&{gWa%*WEZ^fy@V z{#!i*dQ`n{q7QqQ`g;6tbf2e)A^!hU|5(3=eT~Xhm@vw>OXpHVU%fN0a(^D~Cyk`q zulq^qYKi~V`t)A!@4rxw6LVvusq>HQ)%ilSHO?>F1)n!UJ+t*tlR~~H=5*%kr}$(} z{dIr;bdBFa=BRJ7i=3{u1f^>!QTZw!w~!x%?7EumhoI9?kI)ZlhsL#kJeT-<{+WJN z-Vpu%6Fr4`YJO9BI}&$Ie96sk_18S>;@&#D?(oakk=&K5xUX412kNz|@>liTsrKm39K0V2de4sE zs?vvai!Sl=z@&OjsN`qQuQR*cv=+^*Kg89ycgXvK1N+;ddaSD6PpzWgv~Tj`ZvAcd zU$(yKD$<4W$F0JDRpS%JyFXoKyrY=$p6K^$y*K&xSGn21k4wHldqO`39cn)4{hyxK zm*Paw{_b|#RkyR$!#Ul}5cWT>_xam1y2xLSPA1lVZ``5IJ?h=X>$>kef3Eva`_Ml6 zQz6W|v&l5i`6CwV{?^F0j$g}WB%U zAH)99UB}+Hr@OpLU4(uN_fwcx{~dasRKJTWIOup%*G}#{=wVel4fXk##&wBrpZd>@ z>%aUS=5@Ca6@Cxnbve#g|2_MDl^68zuj}A3U+zs_|9u~}b|4b6U3s$NbERu5f3m-x zeeQS(Kk16557EbFbG-keODz8@{drY1(ZS66d#v65{_kD#sGD~ut$UZVYn=Y;<`Y_0 z);qfSr|%uFD3RXhmRRqn7ts4D|J8b5v{y&L{Zg1u|8M4Z|G+XZzfX1Z%75PczH5o} zzGhMNUKMR@^ZL6E!hUODUjLi3|Hsek*V}${ylYOhXj`vu)mx!=X<6_8e13n%#^0~| zn{Dp%X&xW!~gxvfhE%W zq!Q_Utpa)Za_cKz%aNf^cTq3>K zl}PW$7ts4LWxb>G;lH2RwnTbgtwehNv-^#aq2DL?qqCRicQ?HczIKW9{u}q3R>l85!B2d-L*Bpt z*xAebnc=>lxzonK*!!7FOQiP?70`QcS??oaexFeyz3)&Wy>D7T?;Dr(J|gt~<^-)^ z#ee_)Jzs9opI1|B@8I|E-*oo!enx5-&hOtpQzE_3E0Nx370`Q4S?}n4_`iSOt3-NV zw?ulcETH#_vff98-k;|Wua#my^L1Zt(f2dUti6NxGfSPlyq}R8hVy>roD%8%HQ`57lVqwpLxocJ7hoeq_daz zGsAs9bCZpKvG+6Ql}PWM1@zut*87N<-w!X5-Zw9i-q$Oj_jSs89}#+gZ5^#(#s5CR zw|%)qfB$}$wRiCQ_pds8c|RjH4CnXnpD2;uXO~FtrxeipiDkW`^Wp#geQJsHzIuuD z{*L~t-*w3q9^5qtNKXY9Hy??f>cXU4d=lAXs>HVk@ z>3!b9sM;Flh5oNuj^Wndr*{Vc( zU%7^xM~XhbzwXN&^8WpI&R(A1H7dh-et*=)zu52Jmy}5FR}|3uC(C+A=fi(~KeI%7 zKcGZ<-?f0=cPi_BMCg5u66yVyW8J!0^!>~;zT6@EnWvq-yr0pi4CnpKtv3F}-p^cA zBE2sxp!c4#-qHE+-_IOdBE4@@BE3&6p!W^RdLI#b|I-+^eii-w`xCz0qVH$!v-S>t z|9+3Nm-jPL!*Jfue5yoxZ!MADKUhHTr{5eO!t39u?60KUUYgR-WJ0 z3&VMSf7Xq2@&7)-9lqS6?`N*J_72|9e4(s&bUys&_p?f*_Y+E__X7*)eR^5%BSP<+ zlt}M?sdnpT(dYMH`ErN6fB(6&m-jOomEpXfx!=aW*ze!3E|K0ZE}-|1l=Y6zhyQ-2 zwnTd0vqXB|wt(KZF6(_n=si~=z5jHyTQ`fopZSh2cgTL`F=sFDXEZ9qc|UW5jeoKC zGiR4b?`;M2KDVrQbUys|GY6MQ@0*oK?`s#(`F{ENMx`FM%+eog_sFDmODoe%&0 
z%tm8jB|NYGSN~HI{Rk(Si==1w)zT6@2 z-+$xm<@sHsGMwl4hiv?d{r>%PCDQvR3h4dPvfk18@SoqCN~HJwN~HIx1@yi{S??o4 z@6{#J`^#E3OYr{<|G<|!WIyvgXD{z(TsK6$%U)k8>RaN^N28M0SFT*Cw+#9P(2sD; zKmCW-{rN3<+vT@t;@vLpUE=dwH1YN! z^|_t;)Qxu^6Go${7ez%U6R+fd7VTZ)_baol`~?>8F#Z<2RPSQ%XU_NK7JdKTZS5WW zenz8L{`+D({sT4%Yj+&iV}|JjtE zC*1;z$2D_8=v{W1Z%>^+SAM&Jp<+vCY>YVO;P!IyVZ_Qa;W)~8G4XN6De+0hD~Q#6`K#d{BwB|f z51&aqfny5XPOO>nCU`;M^P=e7z!eqIMKGaS|B>lu97fgpPuf54xk58T%yEZ5cYY5T zk0*ZEGda0EV&!-28Z%h*{r6t;XOSNh%^(^Rwcmp4_h1hf@Ttt>@Dhj0Q1}Ih#xdr2 zokPF0opAh_Lw^uH<#>mKu$ESckPggEl+}m#jI-*ZfU#0qQ+YPl(I_$y#~kB~6L_M} zc&&}$Y#Et0<=hx?osi4B$o+Uv*{&lnXWMEzb?uYRVh*)$Q;vk=7aW^$q#Tp29+Tm0 zJ+|O{Pj9H+64u)W{#7c2!-1`_DI9G+>U#^Wep_);DMO+k@2#It^3TU&bJC<7$9dBJ90h?1BF#;jON2ri51R* zbHp*n+3+sJ3CD+F)kF7zG_ezhg5DTPIcG4Z_|uKvW2a2%*S>6FLeW5i6NPr}E636tnku;#vmfp{K17*63|!LFW6 zgnxovo^X!5YVpyexGp>kjNwg<6L?FwUOo)wc5s6@Pk+G5Cx#C-u7!_*)%FCgft%nI zo&z_-(PVT6&jDjNfi*7i^eDOlmYx#$M&rxiufxi7G5iGF0;llL;X~nQf7%7NfeE}C zlZD!w!t27w!VS)r#?=R)XIOdW;e%o26T>sjp2GUAD*3E{&xKX42H^^L9WW2y2)nfK zU9i@e6n?<$=|PMg+<`r2K%Rj$F3BNL^a?yrb~5;_aRUDZ?o>YTyYPi@bU5?+DC-A! 
zym1O|V!Q&LVjLa8+6t>5Vt5~T44lA+881E}s+eiK1lE30KG(w+8ZU)EXPm-!7(W2t zYy2SmZR2mjKQev@{<-nD;kS$*hTk=Q1Rl$RrE(vIH!yw--p2TGcu(Ue;G{;O zAHE2TVa+vH%YHQa!Yz!YXTc0-l)x7nr|`#NjiYX?Pa7xj=glWNHj2Jv_89)E zaSEsKXGt1!BR&CNr~Kg`nNM;;6#dLNnh{06hd(DD_^+_`7AZWs+V&YIM$rbayD#9a zV1_nI;O&i5cxPj6gr>n?z$bXX8)@H4W{;`s=cZe#dD_%=9!FNdFlQ&@k|`|GeK(VNUa z58ny@1al031Aboq@Ds4cI&I*(anu+^zlL9wKl~?nFa0QjQ1y12L-~-^e ziT;6qE+2R+Sh`B#UEp89(d;Pt0Q^fZhNr{7f)n@{_}6d>*TS#Bn!M-2zX4--5v=}6 z;7j0F;S|0aeht>de;v%fC_OWZmH~&$J~xWKW*oy07$@*|;or$0{we&rxSjmq9J~Uq z9P3$=>m>Nk*kgE0_)s{3cYv#5O|-ij=ixo!zsMgx2!2!k@F}p;rf?JdmV7#+NdJ@A z+wy@ggsDc9bg>q|@5&#(-hAS2<_B2$#69d)V5c8g|1;l*u}AZ11H4i`@GHj0!f(N9 zV=Y{@hLr`cZ@d`Z4wg>}?+Yt`J=7cr9}dRw8O90RW1Pa5!newQVH8~jM-{XMUJUEO zC568XyF7cN=zchdJ%*nS_Os9hyqfIrYq0t`f&XGYDO|Zb?`~xyWt6NdOgph z@SgHt%6tYZZ61CZo(9M8tMK|t3%?0(ptSJ2<`dn(_|Q?DMlrlDtUgcRP0XI&5LIkx z`~bYG@q;%+`yK$_ihpz?^9igvB=D*5hAIngHI9~XYnXowe+1qLpXesPx35G_8*-|B zyVC&tF?_@^$7f-uLwK?AV%UO;j&8tCsNRbox4~ppNxo4ZEDb0;WIiA8r~N)pVt1Kf z{}HVEtPQ^c?`yt_Vmp41eL7sr@h4-ZrRYsq<*Kd~WUwD`Cgeh1lvSm=jlxG-QdkQP z^;{n&RPWD^iN-rQllzg|ohXl;;wn|(4)8&CeP{S!IN{hEK9o4dN6#rvxA4K(HP&kM zamFz`%Q%7O8mI7i!Jj-n31f<4SbMD_-~_%3`;l-8UuUe2Tmrjsgztcl!Y3NV`U#Vd z>*oi|N0%Oj)qgR^(=gdNZTvLj^E>zu^Lf)a;oL$_?SB`0$X{b|m|d)1$8&7wL^<`* zn%D{M-H#*e2O1FN-XgPg@L_4Lj4^BsyFP@sHC=j77b% z#;C(MfqUVj@lB1@7UlI}>_Ib^8t1WJ1~VL$Q{lz1+N5wZtg;f0JB(8}gCy{Uz#1d0i&+IWAp5+sGJM60S;#^cQ&3FlXfbsS4iN;IeTKGi#Q_?mEMu!XGnX->! zO@Rs3Z0Dm78?$YXF7_PW4OU#iIsIQ5bL|@VBw~dxz$Xi6!o06Xj9&;j^^=9%`sg9>ae>I9W`M_>knuSl-iG|h{{oevJ)3EC>@L{F zY=2hU$Cx#z;y`0RWx9-Aj&-2&puW*@_)O9%6`ci3TMDhlF+ATmfzLBe;Y)%)X|E3c z@b$qTzBTy6cf+nPDfsc=4?h$9;T7hS!hbTmCaAv!f4FKr(>J`KvF5~Gjn%m0jAQuB z;18c0{NYQ2e-#=C{_t0VKYV}iho1`mqj)Y2{_sD7KfLw?yFcN)u_ldOV7kD~FZ;rc z^j{|At{FJV%^u(}bKnEv?Z0v(CjwEWa*erlsgZ#@bt0$mw05-svcxJjM&~+1V~$3Zus; z=D5l@fv-1C;ag#{sGI_a_kCb=5B5WeV~%ebr?7?GN9ka_1EP&C?UVQfJ^v8?2##^^ z#;qHE4m;ASd=!2K4)y$_vHahLyNDAGz4H^N9M$l_#2VPOV5LprN$@<`smSJV4;aH! 
z%_o5s7ILKUp4incY4}ih5ggNb$H5<(4?4092dS}KA|tDVpX0i4`b(1#)T(g9#i@QK9zaSevIAq z3H%e-^+~^1l=~}=7IJT9`0QY1D*Ic;{&6b!D)|tq6MnpHe4Z?XP=D<&kN2kVGpF~@ zYJ2d}JMas_RUhXL$H#&rjV)d5j@35sTH^M0pV5SBt%H3cwmgU4qmi&uW3U1C&}Wn3 zi?PKV3LoQ01U}?GYCx6Nyu|oY;w?x==wB1v8P&MRfU>Hlz}w*WakK3Rf5LcA_$p&X z47s}(_Qg(BT{sY~hGGt_{o-1VL(QJR$H2OGQjQrRExro$kJ~Svj{TF~Gw^aMa^ZsJ@IJt;Xup1g2eX?fitdN1rBEaf^xNqd;7xy555AN@w9Y1pbt< zMY$8nEbvLj+y+jc_u~I)yO>(uG3Vblu7$r3YaA1fXN^$ zQ*H-*{(>Ew+kb0++^7@^8%EK!M6uY1T>mwjx3wP7&+Z65Yh>D`vh?l}lN*chu2a6@ zU1toBqO8Tl3CCENP`!j76Jh$->Es*Sky1QRcIh^El(9%Qu*hBFc5^h_n=*sbs%V zKP)T@K&*aHoew9^t<0`>g<_4Vf_&8G1YRAM zeKE&cW>4XD&AtNO$n5H@&0w`P4{r;96OQ4%j1%}!;}ky0Se;T6{NcH<=H&!l0H<&Y zUu3KfzuGv4ml-E;c!!h1%dtN|S`E^D@Pl9sKLmdZPT=pr55Xy{@NNC5Vy(kYsJ_cZ z1NW2eiRET{(R}Xa{1?V*|6h#1v5K_!n(goAb06pSg#-5;k#!k3LiPRp$isA#)8Ni< zpS#rmgBH5y=}1+ldqT+R^Ii+Nl>--Y6&d@O3~yqLYZbDLcBib6Y+pENaetVg*P*(v z6)CvX4+E-)(p$)#!j(fv6WVYr{CK$P&q^?o>+9=Nv?C{<#yM(AUdh-K%+yhv1(Q#~c=N`t1G*?9{C?kMU*r1-tkv zta4(GKN=_SU*L6!Qw|F`ja9|Q?yUMHqBUUkiQ25N!u|9=u)DQj0zOO3zOnhEfk^Y% z&ocgC?&X2=+!WWN&XCJzc-stblVN?|z(Q_vhG%B@w>WHV^*<8(G?@L5+ov4?A8r{O zXB=~WvT*{>G*03A;7>!_f3k_owWGyU+v4A*417JiYmK_|a}_3WVVD!iCD=J+%G zSK?ZZw_)9P2}f>|fjVf7-Wyvcofu;1ACab{cdcjH{cwFEd_@{TkyGzTS8R{AFX!>0dL>!}l4- z@Ds+h@bmDV${+qEd;pxnVb2_m^54&s#$xzYe8dU-7x*3d!|EKTLxefjIEL4UUH##_ z@nU#8c$(6}+9$Xlo|3_C~PU7sGku1l}5MBu+VYHhW6n?`y2V zJIpwSk1|f+6N5io3pbI6I`_=r4|l_3FekjxJjeJv_;Ogc%3^#z4bN6u?!jwdI`slw zTLw=jR``msbo5o@JXvThl+P4O)_XJY_Vmg<=CcEO_@?oW*!zs9;{UMmuGk+p-VOea z@$T?c1x+;X+B---~{)bS`?Oc2rKGd%M&N$)xonXgbpIse{ zP2)0ZGn*e6i}A41CU72hnx(MqgB{)zcDD>=9b}w`k2Q{AeFtb0@=o9||EKWj_-G!B zm^1a>ep7s6cs6#8T`jD4ESo7U+>JfKp27*Nc}!z>rEv@|Gfv>Iz?+jch3|x?D=it{ zZ~PSer11*)$M81z>jk>r5ou1;B&B)&Tu}GLPw+|L1b)Lfh1baY^(&$s8^W&7*Y%&< zxwgZbV^?3Lus&NA>pk~2!JnH?>+b>B^&Q0Bu)huKJBTr?wKYX+dbhT_>PdVAc9o^? 
z9nOGtucdG;?8b%uYk~K`KZZMD_Z?o=jb8K7^ZmufTEnk0PT(71mnW>}^u1K>M)W6k z)khDH_rv=sfA|SFmJjWC5mwq5{sZj#0sbpI9iJ5LU%%+%ipjJcdjeO&hm$siN5cnV z*E+c-d@vlto5IsDC-5F-PvN8Blkw4)n~#T;PYln5Pr;tR+B2UDr*ISY(_no8dLG;W zCtGBm58?UP-I#94J69Ma0FO7G z0q2cRg!eQ)2|m^s4ON_EjBYAwjnPd-i!r*XSY&)Ue2MWH@Kwe$;m;X=5dNZZ4Sc6@ zEqsr09sDihS@3s^>*1doqtS|2jaf%4{$$)#p*xcAaA~YLR$`Yn7Q+f#5vRsmE6#C$ zp>L-Xc%pFvZwD)F3hN#36#Q4f`umm+jUJ2cJsd8`y*9AI-3QxbE_K4!iPKcsawr%kW<_EWb)iTfu!E((0ET z0y?e>l;g8sN3Q3eaLYw!0r(z^NI?BwI@ zt8F#V-m%7U#%Bt=Hujy!NMQo3d{T}{aH#WCSpB0g%{YejeumR1;m|xUzL-OyisUTI z(LNYuS2)zT8a@G@POSQ$4r^Ruj#}dcR-i5Jxk|jN)lS?6E8CF`gMehV&beDLyj9q;d+c{BgG->b0PE?u4pzmz# zW7qX=d~fngIDZ76ec{xu5#>I>xdIVeeINEQ8)rG~ZN5i3BDW@oXL@=5*veELv+wr8 zJB$ST@9~k=7IRq0?Mg)hvwpfj)L*{#L>6*uXM9;lU660MpJaHKG6>bIry=B6PhBAS zkbGHRU0{t1A*bKfT7PRkr=*=~?ACB7V|$pj*Y){Sn6=mS=bq-1lFI`Kignm^RBZN` z^8;blVRvsztI9Lw{3!F$ARh~}KD*Co!h4cLgFo5);nRXY4QhZ{!`*k_+F;gjH%~4! zAI+2J!K~+MO?0Vo0$*i5x>0U4j$y62s#^lzX7&`mKlqR0q7ONJCK7me_(^=IqFY~9 zz+qjG5Brh+fUDOKK4G2u9lSptd5%9DPlf*mhdlL}K{n50GkNk@a)IvaHK+9ZRIO)B z_1D_Om`94Lt&GuYZbxILlF`$QCsV%zjkjbZk1tdHFGpu^6_E`QBe7r~()E`_Dv7`ufW`?TmX>^u%t z-h}ZpaF{=@Gmfz@HcsFhj8pig;7>kZ3jXk|!5_Xe_``Pve=2xS@Q3dU{%~LLhaU|7 zwCmf!AAU6W!%qZ%SoeslKe~N7_`_QJWS5@xJR?rwXUr#J;4S1fAfLeR&#-=XPtQ2$ z$9>MHd6K=V3wkHdo-~R%>n{s_j{K()ryMWC&L6+mVD_i(8SgEaJ*nFtR&3+#nwZDH zq0SSGRpYh6WW^e7n8OAYZbKtj$6AlZxshPf1+k<`Q0lOp3<<#9B!DkLv^qy%n z=7hf1zGjSF?4m5SE9STWo8`r`Mjho;P8F#>|Q^gL_eh991 zxzMM^dCo5|j^T@qYvGR>C-7y)i{Vchr|@UsR?1odhwsVP4$^?ilm>WZ6D`4C_ngK^ z^_h-MLG=;STvs1)p5s=tPlXlQD}0~diCy`o9CsV9fK{JPe58$U!ChiHQv1GcvE4;I zaAK1wRq5aBb;!rUybR;x^z$Tn9&XpaZyeh>ZFD}N4`mL0n1@3j#&GDvTG)c?wa{1j zV0F^ z5q)AIx0zzcuDYwZw~%!1nvm_@HdPT_#yaDq)p*xVAX8}{F3=- zGI-TEhTkww;CGEvcr=5>sk`~sF^;(rCm1L2WaAXxF8Cw5U4lQnPw$};alN|{bkroM!dJJ!LGK%@R{(}@zFc}@L7l6@rV0G@A&8AbB_Gs zbK$$>4}Tg~yY!C#Mq}-X!|!{>@LkxYhg$ei;{^T*yj=B!UxD4dvl*Xr!uMd0;i_Hz zd>iMv?_rgdz!q{J!%u}z2Fxy>)x0StKPad4ucsAC+6eetFYw}_9?LTuQ6N?e;T`V-wb~SPT+a) 
zo%kf&!wcah*i-my_;Bpf_eJnDI6}Ku7{~Az;OmtSd;`2xY2jPp8{i1NE;r7@3RK1I zIa2KVdQ&fVSL~9#);Noh#xu#a;VZGD&tmSbS=bz<>ImY3$7<&Sr#PM~G#T?a?Qe+qp^44PpJMH_65c(&4DO)OeXEIu;yl5-FTgi|J?)mDOK(`d@jUJ z{kE~K9x2Kwy! zld$@dZEf^p`0K=Zju+s2h+~eQ!$IS}g*65V_CFe@@Jjdr<;hXG2hVN9F~{n#=F)^? zU0CCz^qa!&exg1K4`GYpEwDcf*TUPux^EJAXZTS#h4(U!>A3xa9X=e^ni3M-V@5YD2 z7IGgzdkU(L?xQLmP8ytrXJa_*2ZE2vT@SnVLJAY%Q%J0^B|Mq>RC7&p_V>(ZH|$Tr zF+LxFe*h=&bof~~g%5$Bmp{jG#xZ;b{0HKMqaJ>fIOUjYtcvTI?H|};_$=(Bh!c*F z8mF+Hi`)mnwD;54ccv)agI|Kj$REBPUIR|yyUZSOPu&lX!ydz(dDag3!l|TFt zKJSBd--YL^7=9A_uJVVUgPlM861=PYbzF9_P8|Ebmp7^Ao%Fj3rb#7IHrw;4u#e zEBU=(cG}Wk?-$MX^MN$Em*6hyM%TG_(YKPk)o%*Md*H3?;PDry#`TUHuzcSme;8%=)3%_doI{cdPTkvRO%QpAx zf%7qynYR2UW3S5Cf19z7%Gl3v9qY8}>h^ca()}C4?=4*=i%3RG8V|RB(P!3U%y}Jr z#QBhzVSC-uQ>6QQjJg!YA4pkhug3jY_#L}`5*)O98ceAETPE$_ zjYnn52ziJ5jeK1QeS5f_XZz$`%SUxxX&maRiZxi-*);kxdn-a)=V>pE^Au{axLU0X6&1qov130!`bAs ziCw<{-pu%8@MPo5VEilPukWF0ZdTC#Y7#y%9Nu>)u!Y>FT>Cs}2`m{r>%uhG&4)^x zxBPXDklSpaZf;Jy7k`bNLiqk$0;ky3|BE>+~*D3Zb~cYq#wBT@bpm zGKTehoVoX+Epd=tVHY^z`eW1qdARpJPs48PtQ;C!HN|=Q`oP*BxV8-Rf!kyM3jffz%4bTZT+q#hui_K# z|2JUuc`Rpw`buqFi9PgH^*+2qAaRU+EG&D%v9WOqD{P04gkT|eh>bgDx3+F!{<^*k z9G>ZQ&iFcQOwafn19R`Ya%UQ=Z7s0IsFvd#;{?78&gv&<`#S8QEnhZ{@xKpNehG&{ zX#3+C{~y9T(tw!jFPlAq6{ccOiGPdzMHy)OA7DatMw_nff5kq}U7~Mc)jtHXapSV~ zzSNTwh4o>LQLGama))O66RkvB;}i1P30B)PA-9|5MYV>^&-mr`uz6DmEE8wrgZhYv(`(e%1G5n-)0w0HM zPwJAw{l6BAR@74&XcZHzhoh>tko2+s~F{HED;A8D>r9byjs!kReY2=6tetJSd|LYXPY8ZeR5 zj6Q!kjFXtL2+vVTW?T++j&hF1te3GLp0R&i<@%62((J2RgF-)rehBBQ8qcFM`2@eg z=?0$%Kk3^-?pVu*s9zVynJw#gJhlz!7tO6PiPbM5|1Geez;)TDz$d~9yc=9ioN|1? 
zcm*88C*z~Bv5=dgb00FrM!A#Bj%&YOLj7=eJ-!uyuA@AMh1{vDNEi0F_~f=A<$=_L zuNGFO7>ga14Jk_`}!1ZmpnlHyFq8 z*Wj64PvEeRNa1f_cb|iClRp5zsQlsY!dhE2PlV6YQdrNmG{epJKQ({cqMyU6XC8hH z9z6Gdkg_d|+1xZs@osJTGyY*7`5RnozPWhd{#zZ+4ib6gwzPc2<1)NehTjLDN?QI^ zs{W0D+NIDE`*+d_+zD%~Ud(YmtUgRRJ_$Pw)3$5iM(P&BOW-CrftSH^;1vEcd?p-m zd=+jXjyd{Zx9@--F;3y9jMb^n!k3dr48H_R0}1>JjH{c=Ux%fE6?EQTVK+b0uFC0r zuLdWL*BbCVIDyB*DgJ7E9_~^`quBq!J@SWlg7?Rq!284Vv8V9iurAA26lCT--7j-^9uM~_-&PyXa3%w z&vUTrA1h5WGJL!JqI2dp|L+wiw%;GB3{o)=-=v-)M; z7vMudeFx`PW>4XF%;WFL4|=nZYtGpB&DiH=?E7Wxtr@#C9P()& zu;)4kc+B*SPiMxyf5zUOu^*7J9|(^+VBon;zZbq>z*j}*ZXY<$?UhM;7WVZ>OF+R$ z4(9f#oJL=3Zj@#ereN1S7{l75eTZ}k=lafD0>>QsF4L!ooiK?At|ZOtm3Fcd`HQQ1b)jng-0F8 zzE}R#Z5`tn-qcw2-yXgkAJyMN?ju$PQU4x6pFJwrC5IQ;377i)E*@~meH5NX{%cVG zr%16ctT{^IU^w*oF~+Lr$-xfS!fvi0pE}YO`1O+z69R{{wS=q zBZV)6-I!ML{S5drd}4Sp47zs@s?(*MD7?h+NjR?)0$I4v#7=_sS+2rq9QQb4+{x!- zmiEgqq59)?P8HmDEA+b>pD^29=5sfWeK7gE?@&DM?a|Z3q>G*>R+3*52MzxLmi83h zHICsm4>C={6OB`NYhz`&yKxL36#U^6V9og{$4p~aFzE@oE37=C{&5a^xYDl4PknEJ zCUKu|UP-Kz+2l)Hsj~HdlLXgJ?0W8t@k!v%>H_B%!BzOza(XR%wI%oh{24gG=N5Qh zV%7T&*gZdT?H*YANZ~%1I=IhH9)&HN==;Wb{C)z5I{XZFpDmK7ghNOo@DroW-ezih~TK2(b7=3e-Zqz(7{JMdz=UVX6VnA8*C zONbMWjbXW@9AOS!0f+Z*>d(r_-bej58UGtepnkKETViDp^?zUOdb2IH7~k9%GJFHP z19?@EeV&W``(^k8RwvnGSodGdafERKp9HT#9a7jrPHTPO3H0h2_$dFW81?&mH(B|i zZ87#nd}K~J=E3e+9X=b@zFzIOkUN+>?`GoJm^@?b_rqaMdIY{0TY~csVC@G}Sl=_d zC6mvW#2hc<^JU_M<2Nw>oaX*)98=c2!48i-%)HyLq!dsxj9XTxD#`Yn$;v`b*Y3*r%l=ht3io3Fdd44g&w{%4 zHS^*BpK{;tluZG%TPOLyqBJ+Tpx-wZ=l!XE=I*le@EASQS#Yh@IZbu`-z6WquYc{m zXCR%*a`kxzpS3~`#NT+Yk4vj}I&NRUb-fRgOP=Fp(((eKGJ)TK?+a;<^c-W?xZjUm zKI5@}3r^up;78<71-FDBgJXDm_zC&LyBnwQzVMUs=Qs%dp8PqEg1=9kaGVPNkT~U- z1wTtHomj|yQ|APt{xvq-M`QdYce!sBe#%qfL5soM0|PwfwgJvLJv;9x_mJ5clm0S8 zUZKqJS?jkmc|1J8W3u@@YIeG0NPeo*Vd;oMwwHTMHMQN1tYhr-hX4mo}A+CuI}W+&=z<1=P+@14D4?#Bb^ z$7It#mq{P$6yl!@q{;nsfXCc#`t-wCeHPM(~Wc-%n(rA7^f3KfY zy}lQtxnMF!oB939(qB60+?8f`OGw9Si|7{f`;Dc0Y*4ya2c2j0d6*NGuVd_q?#f!f zdv85+uUo!c9kT{M)-%69m|vcAn!zhY_H5>>`EX0@OxMoN^yEUGpQ^KhZ0~avMS0?F 
zGQ2~Ew<8~xZc>}Ll7bw*2 z=NbENGpx^Fg3n(wcKyy(u&=I%JZt*~8P;Ae*x#42?~vhxGJHaYXJxo6!;3O}Nrtb@ z@U0nMp5ezb{KE`uPZR2?zd;=M#f;Az86JD`fRFxrU4|=98Sq~(!&_x| z?+hQ1;o~x_|HCho`@xL8CBtWD_!AkvHp5@Z@Vy!SZiauB;ooOCI(489Yh`%D4D0{K z3-#P0W8XEy(=&W*hV^>@A?@iI`I~nU;kz@e|Iaey zssHyea9_sf$qfG_!*es^@=C`3*9@<7+CZM}|LQaS=>OgeW#uzIQ!_k0!$)QKytdAT;u zZ{%lpb8BN)cU@~o)Y{hF)>YHo5Or{LD;D%{%vRjd(b!qjQrFwq8P&J9wnmK$8$0T{ z=S1x-4K8kLT;Sr_bq%u{yK4sWrRd#v9Voh`y=``0KO*z&FLzdZdrMTazx!F!Gi@MA z{hYeasJpkLF>0+_SVOHln;W~LxsAQi{JNH&#;CEiqr11pw+CxYSMyno{*p&`rR%-r zH8r<%)1cP6j%Zd-Q%!f&)!f?A(pbZZ3=!oM^(UIsh+|i8SAAVeOHFrYU45hKL0_m3 z+d8AV&e>g2zrC|JYHF#&($U$d%GK1j_u$vx{atg~J2R)QH|o0=`V2bS8J(IM3ae>p zZkwAi?r0V068Q4H%dC#39qFS6`M;l&_t#4dc~_r7*-h!{?(C`W&aa{^`E9AgHc_5{ zSn_8zcDCpD$xq$eSzI4-O77~knwIwVxjh{Q?|+s!1npAlyDoLs<|mYWwJ}U zO@5Kf$BOT+>zZ3*yls6?XD9twBO^tGDrS7P-A3g~S6SaF*;29>R9Gf;)IF!Ov96(} zxvi<4I{~?OH%9!dpBwdb)y-~p% z_Ov;BS4U%gb6tzGs~6lH(CbcT$$@@youhPWepgM~{Q9m1&cUD0VVY|1>CRZ18y3Fj zjC-H9WK5QXJFJUova{aRlctAC%GBJ^T+`j|5@tL?bu%W$Qq^?%yeDHn%1)WCrV)KU zM}6fRGH}|!yrZT?%)NE>-OckGYoPh9b@g>*9(8tgIbky|H+P%F9o9=V-pJffCw4S6 zGH)|8y0bIeXVrIOLul`ec0;^P?VWRj7~3`X&g$uI>{7E^+UpwZiXT@R z=-boL)$DEyNw24oDcYMm8(Z7E8{HMu+1yscB2quUQPkYNpstzmK>^Y_wR584iql(D zT~7-WEnV%DUDL0lsHwC4tj0E}vZl4MwV{zEO8LRuZ7nUX6s>ek4WY>$bzRL3HLeet z2pTA}gXtIzb#>5wr^KkPyS@JKKqq`g{#bO+$Md zeXD6v<+12;pHc?*XaD&E{7@}(&U{UKJzAKlzJAVjKUt&ZOTq5M-#2Z|?)LGmwgj#N z+S|L`X)8V4#DKKco$2C^_O9lIArq#PLFYB9gteBsb-GTc&m8$55^;lgV0A1{b8KyOGqG7*6Ylv(H@uL_{y6Waj5T?Q~p>@@9lktzOfRT0@#$GGBM_qHfqPm_2&;43Bi@tHwTSrR|vu-2HMRTi79`9H*D6KlE9y^2K){oA1=8a(QYN?ww=z_b0SV(94 z2G_TsSZ@7R{b--n!!qtVLgP_K1v4i4j~jt$%lA|`^V4nQ+U7cD;EcSR z+Z&?61~zXCy;1ozvhiZ=q!XN<&EnjK-Arq4rKKe()QzZCO*zPpg+_ zC%artEY8W@^N#%N<PnN=TYDrb-0(ab}Gt9Mgp-R#J%4qe*XG&Fa1HiD?(}u{Joj^6Sn>rX`ZO7bonc6$G=J<2k>-$p$*34lF z?B7htU+WE1Ji8CSZ1$%8gPdq zM}Grl&Rx&iQpzO20?JIU?ju2ye`Ip=q0LBLYP&WldKS<&L0fmR9-Uel?fG>L4Kx&* z>n9swzpb;mW4^n%fDIVZQ0kf*xoE4?$$amVHuHpshIPT$VJ@S`$}y{v-llqO^(-ow 
z=CBFp31FuNW;XV0HFHU5>vjK=qPqu3)7`_=qur&oi|5UL^iM%LXUXu}j&8R3+)9jE z4SNjg(}gCevs?LF+*HxkSsyj9F?DDDLYtPEo-of^+_Tf}didw3--2lz=|Z=4LvTK& z-<-JIwIfr1^9<58__m%O?r+UQHA60=t^RG9?h^^WzNt%3Kdrqr+_XJyZEk0~pb_15 zN0N@}QDf&8HMh+Vmd;teel<0a-&rvxEll*Bce+e~mc}Offn9nHPw8x)G)d}}gKw}a zMUQDc9c(4oR%?QC#nOO*I_ZQh5M2%UxzjIi&9l6>^677ZPMmi?a5wWVz}+y?I|eqFzMErcxQDsS#1D?~T3Q|+P0&p7O;gO0B``k3PnI$_52<7Y&{63*?Z zn1W~Z@KDyREtYSQf3{_Yr$fV|j4Fq=n(Orjz&~1XZ#dLa>cGzv{xb6M&oVZ9*okD- z)zaA55pFKW%7H5kyRL*`b=x)b^BnyAS@3iBs=MSCJJEaYLES5EiEFB3C)|*^J8SBi z)JC}vy+-zJZoj;$i*wrbzDrw=`uF50qh5sc@TOz{d5hInpFOu_JZo~Reb(Tg60??p z+FB7-|C+k)ZoPYYPmw&{b@6nZP2b$mVsA@ay>;sD^Em^vMpJVqcQA9b7Efel6wPWT zcfD5#5B0P719WYTw0&L|kJTNlp?U)-L+h-l!z+OvCfkzho~I-p8ta;PFTB|!|s{(Yg2aD(-OuYQioq2pkrE^#A_REgbU3SJimu3?ApZ!-k^;b=!R2|oW6PrnB5^FQBr|aE& z&&YkwqE{{Gj@?jOgH21`#A}zXIjsnuiA(QL^Z@QaC*ci=T|7%GbANU8c}(`a$L`!# zy_&QSV*JhOPx`md>Kh)_?5zl|K^PP^e@sRikrp1#sQtk80mb)AxzkBqt47T{KigV2 zP-k^7)pC;tGcfNWwCUE$$CSY*P76YR)OWfX@jhAe+pJz*e?|)s51$q}=Ha{k|FQNy zV6Ucko!2u1)8-UtQ`$oKQ%&hIr0vW!r_+{fp*5xLG=uibsWy6~>u z{np}{yYE47!{E%uHLX|TjvY5#sCJ21?TG=?8+QiwG;-^{HP-R!K1FIu7gs&I0QZe978LHb3~e zROCIb&nypEbLfZN>RH_^Rer6S69+)uS@{s=TV;ODB{G;8T%EP(a&O%gJ34tyR!7>2 zx^@4&1KpaOc6&k-%zD#vH+%Lg_i4dR+eSEG&n~H(E4`&g^^3NkJ?z<9?iM(m=vqQ2 zvQ^_AQ%#eC@@0OCTbb6+UjA2pN)B?Jkzc1v_s(r}LZnKB$MF_)&gIg}yeoF+&4&iA zCfU*DVXsxqqXv4RxPB!y@A;;Nb%d!uM4&5MoLXC|RP4kTc;hTr|JDt10cUrw+_wHd z|JJ>9jbFKM{jO;WgXv|x(AHmRef?~s6?ka9ZUdM040+pH`*zO=ZX#&zpXy=QJ(rJq``NkMyFx@Gk=Pv14G6jQSa)hZs5pB+A9^&g(L z(kpv4^-++4!B+|6Fals;nC&^%7Zaf(Kl?zgb7vtt%Knvfj@d zHqM7`ad?}bKJq5p^@GtqeR7FLqu{ywsdon3YFmi5V|voDHW-@l=fy69v=jIUYx>(< zm%JVJrds>+kYU=32M3+;*9o?EQVf_}p1?|uH(RU09JN?9OyYpr`5Z-YP> zrN{7)JuN+t{s@fXnZ!CCx$$W2j$7t0>eqBctgc1$}fBcQ2nGzG0$T6FTjzFJce0Hlf8f^Ww-ewjKtYB74GcAN`(GR;xr^=EBF*jlrKN zGY{huET7JPeyCTwfpqcVwr8ojc-}5b>x50M{rmZ~JwaI?V{$hg0W=9&EG?2tvAvkf zVJ_4?n+sLGj5fc{igg{??2^=X$mW6_1$4<<=Rz7-xxi#>dPu{uu(}-kkQd?`94&c{ zTb7@Ja%Gq9#1}8m?p_<*vdKC&7a=W#>e+0#d&SPI)j#=E;^oQKngv$Gtaz?4m+#mk 
zqKz!4O6cXgXvW&j{2pci+31@cyOgBnh^^$RUDeO0DM6`5wOh4~;aV5}4bvP|z0Ehu zFQ0(~13QRl597$C|6IjigXwB)SbOlwEnJs&e)!&bWs&WN_7~SzdX+Ati%Tru<_D$C+)A5} zJ}R{U(`_D2tlT-1FzpUEoBiU~?_2%$(v`cH&#t|UpYJ(KKOVOqsk9C7q#7}8Kj2Op zJv_T+jsO1`Up~SYoMkVRtBSS={39G&KI$Elr4SrW?rPkoeyu^z4wwmqHE+N zZ2@+>xN`MIIua%!B(`?L<@eeD-)sMW-2VR_Q?j^fQ*SO`w*NPayMMa4+bXQ*@|j^_ zSHZm-cCRVYJsI!aD@;&LUC36Y%Rk@7th2-#;P&uucX@kdot^oGT^wo9)H*mXUgqP^ z+jm;%#e$SJ^Ww&yS7LLc(lo#PA$hi7dTpg`$k(>ud26f=-*?#_!_o7TtAc_3w07ZH z8hSswPPC(Qt4MdD)X!kC5^EmALVNZ}WjHzQ6p|1&hJ%OUTsFOv8R8AE+l(F?kGK8< zl)1p+b-R_^vvILhOW3P?C$tx-F0}Ch4C+};ft6cR9S0(Rggr#qHC$XDrXQ(8KEFIO zNpq!O)!upOXI{1%-Twcg{r|dMJJ;>ZUB7e3{%>c{#zb*5w3WFfuEWLQGxuz~4*$(# zmP5PO=CU?eS6JPs8tAgE{rqNUulTXN&^*0-`Lj=I;nRP8Z1ALle8In1wf>%17E-|p<{OGWbom*3M$QyOio zsjf+^Hhu9sx=);a#0DSEp0WmC0|UYKxygq|>YRe|2+CWp9^QD&W`*3ciH!H{MuQgY z;2HeLdFu1CNx9Yv%QJc~qv*EvyI6_zRB`e1viL!~z5q|VvC?C!bx`Lk56{_w-aC7W=He{Vx03GKR*xuqwwgt@d8vU#TYgKk`N zvp`wc9@_6)Wnit=XRJMzKgp`^#`zMOjfzu;o;B+*sWs=jtE)VEt2{`Q#_-Km5b>SLT<`b9@rkb~&w$bFuA?e4D$I8$hWk&-&x8P1nVf z%%dM-=|}3QPVQW9oWA{zM_%QFo1Z&B*bV<--){4SwbR%woJp&;Z@>6_8(nfYZtUKkf=k$6evuuevLj-LCi#`xETS`KS6_ zaqHr)@VK7eC3tG`04991iSM|iA^OOzx>Q>wifvx3z$xf~%Uu)@t zXz+^2n|gY<@^xeX&3ll$kL*Ho^Tq+TJ+Crf+^!}l=no7E;|MoD@V;+No5MBUKtFB$ zo%u)HIV@zA^{q$h_TYuK=ChB~uiMyxEn=&}-75ELpbQlvHJeOwB zUB$?wS`FA-)B$#Lv0nVtB|3O64S?KZKQ`)K2I!egS-wr=O-#+kTj_bCypf*IFq6+d zJHLME7CXG`1#T|3r}m27#r7(-cERVZ<~kN%(rbE5ie{F_Fih%67ps4cyml^d7Hpn4Yz%Cixw_ z!aKQ*X%D|I**M_s>$mJ7o&7{N?xe1A9E1Eaj~&SiYjEVb^cZ%%_l&h)Fu%ci!7)7# z<6mixUdA+Aj}N7ou$KFfdH*dg-pM_0`0foJeAO~5@0(1R=9cDKrY^WM>rLPsTg+{? 
zUI$F6ylW#I&!uMyYm8yw_WGIi$J!hA%uI>xr?sB0=Oc{HE_9UZWZ2CZ2icam!`4E2 ziDl9-gq25^_jT){v;SECTAG(;Q?oQriw*aDUhGL5pJa}i5zpDHm#vf0dWo$(U)(>- zQ=6{aR|1~7pPus4wp#6HillDv>)0ZDguH1-&wiYbFp;m@hUt<_6(PPeWW6Q00`I;I zjclRxD11&Y9CJX*R9QQwQi`JHbc@16!+5PGW>UV=Vq?fFi@*gkgmt{2A{XkaC~1A z4VF{`r*8-4%G8=M=|yoPOLxP(%vHh-G_ve%yKUHi_1=|d?6Jk>SmeounapIHigeZf zBgrr`iE{>Tpw_m?=0d)NVyHB4*!&TDbi)GtX=A>LQ;lQurql2q=1)JL299llbsF|d zb3Qn&+S2!=NTufQU{a66A2+Q-@VHSqAAhEnd?Jt&O@+Dr$lta51^ zn81@-p3$5)l8`prhQhgu^q8Njn$ku-u3Oig^#DF|XYl#da>*kp_JOEv(s4*bD>jOA z?Ir6~FVdGJ&YrntH$hw-{=mQD4G!QxZ~J()c;1fkjhh4fMAcsg=w9s6Pdjx+v~`>t=_N!K&G;q03V(AJ9aUTH6j=U=iRfvfn>Fb{jC zDc%^uLtj&V57#5+ucp>Px{oB`@!XyUZqZ+xu9Gxv%j*5}?X|1bHa-sw*%+bCHNYO( z-rYn372$!s$Uo9J1)G3pFW6oBnF13#a+>=*)0@|A7A0<(wqQE&>4e&w`Fk0554@ST zC;hZ8*z@T88!@&KDsIoS&)&Lf$Iag1jriudDfu{BVzLt##j?p#y6q}EZ8!u`{dj~xM_T%O)zPN9bm#mlKCVspZKd;za zX1s+R&6oS_o3|3>El%Yw!gSeRd-m#mo6vr(u#O&%_S=ry9QRZMsY*wcXWeIZM(haO zN~_2<)&TR~pR>;Afenl#NDU2iR~6T+4VF7y`NH~!tPZfEY51L$AuO;4P#%a)P9(Yp z4bHPXnf@GYv+~EEzhkYN@Qw|mrz;|@%{IpdYfkw+XaU>cY=ByNs8VyTgjCK9fp zTtViOWql?|78_1TKQZo;o12*Oly9C^@7r9(JJx8ii;r_>tTl)#3C|d*p0b~~o~%)6 z2m9soSLx!(>wD2I%2eTH`Rvr^#fe&rJz&_FR=T3lWkrSW+BY9?oNWCzH4TfV3dm~w z^a<&C)9R1>^{-U3p>|6TO{rC4b(g(?7BD0kT(e0rHt>w;3%L_A4I)~lmKtd`EggM7 zR=wud^7$7nto2}rG_?%U%#X}=>q&3tCc*8yc_nFo(!{kqMdM1kl-Lqhb2-%x=YVmY z;g$TE_A^(f_9EA7`5P`)#M}7DL9=%gT>->x7X>PW)7t)pTibwf$i+rSx z7KQbs8+L;5+HILHD4P{Wrat?iQ(icqEttUEPTqt@QPc!^oyzUhST+;~P)D*b8(I|yhE zr(Xfoq7ZEw?@tvG1ru*m88Rv*7mY}tu}^eN9S2SS8wL)!_HVf0r^Cwb8+nj z+jO+kF^Xk?^J72Ifu5#1;N`9Kr2xE(_WS3v^r=v4&EVBlJDJuz!ApEKjW5#(xpm>^ z0SAP5$F|+QgG;-3fo-h3VfnLDWsqBbd>eP_RIjCGL)z3NSE>N>o~6d^MVv}sdjZ3B zc1yBR58Fim+nFSEN2N{)lPOzk*JT>rvY*z+Z_Pn_fmP#YItF-=P8HsG!5%r#D7DvF zA$ws@UiRO#LNwR_`9iiAwm|Xx3zk`P=m+fw#^~)QZeDtk_c-bLnNL6UJ)e2<=?@nl zf2x~bbf5ap{34$->=3r$YW}4c7~4sRaVj18tN2wBxgJMm!<83s<8-+juUL+JQqLYgY)q3o6JBUOeNZ`?T5_T-Mfa z4@)*ZC4B?bnx}SQ*wVP8<0oeLq$XJYb`>sQeJ0LxZk=7RDK9nzdBtuvHn>~2e|W4v zzsJ~s$dljuv8O)y;Xm`lr_Vn98JnYY_T3-;_$NM+1};)@EOPPhd^9ATf_K#4RUpgb 
z37Gwn4r89U(|9^E>LB zkG;yc#?A*+0O#Am-fq124)$!b#~BxE{hjJKe8pY(bi~m2J*VDl%yW75fj6wzrfSddM0N=Z?Sg&EvM9gUyCV(vNQ|E@8%V-M;F2ue8njmUn-Py=8+q?pMKF;&S<* z*WbyXAFSuqKb9H2?9D=D?Z%XDAN663f8&)<~u6TvpuHAL<5}h9SnR`<4${N_`yU!MshGcQ|+c$o!fn=k9R@UUmzZ@tX z^fX9q%IP%n9AcdVJB4;3+V^B}?i%^DqG*&Z70&arZNwJ0Jo_a7AvRExM{>^wkACQ) zG}gt-7OO=2`eaZTznaOGvw2e}nJOHcc!b_=4V=E?dzx;q~>${hpS#6X8zlH!2x?i@r zU8nC@?StL0%)X9>4jF7d?v_?8cN*D#+SKF}U`nDDm22VL~`-cB^^jp2CWXEJRKKJ(}~XkPCN9$DaDxi#k=PVSQqo9lSS+%pha*uVwfbv4dTMavjOv0_^quvHJcwE z)lNqM=fG%?SIfJcFT;mwXKLuKH!0YEf_4z=}<%e(DpS`gr;!clAf@ zeQcdIIqegyVnE~5-nC`&Mn8-SC)Ev)e#qh{VKnAj&ZY+F)=^h5Quwj|bRu}0h^Z8di< zY?Zd>vekI$-kc9=sts%tBzW3et?AJZ)@}Q2NxX~A!Cu?c2Il5-{oU`b+nAm8-Pdp5 zslROViR<`PV(5jkMJ~A&UH&$d%}r1CJy_c_Y#JV_+i&72*>1paTdtC| z3cEDFhW}d&JU7R8<@ew zDNFS`ck7(pQ@?R9JwVvxB_32i8|oF+Lh2VuR`XPyPlDo&pab~-rQ-uI9rdM*+0ygc(qfh@UhFU8ee%)1^zbi zW9iFj&)Dy5vy*f2*%!+{_IP0}Ui)Q?7}G*mhCK-4N(sW(RqiLVCU=nt;~y zOTRJ*t@U)=Y`F1!+}6hH&wKrBoAZ4xZx%W{(jmyGS)~{2MpwD*4Z7srj-zuukA86r z^*cJ!m*w*uC)Q^9OIFs%wTB7)N+0y`@T)P_rO8#KQEN#;HBST(pZXhL@~Y z(OSLN@8M3Tk>`_6e!tkoXP}{Db9RcMZ>-HQWZ%J|#M6t!UdPn`V>0CzM{(r}P>-!VTfz zZh9ME_qT6K*+^BM*`aR)r7!N}6YnU`OA4a!fu7q58hIdP`f={LjEtQpFOac-MZ zlV^P4i!xtgvR4{f$|nomdFcV~e2x+>Cd^w%-%}9S7m+YlW%Kl{N80)l^_6?5c<%oB z5Ej<&e_dVf4onYuC%>~Uzn^~Z|6l$G4-^gi|8LpffWWWX-r64< zu>Ylh@3a5@O#a&tiT|4Yy#V}a0F)`yUnnSwzh$pqkG~^ef7A&XxMO^&mOl%ue+}l} zZ~0e!;{)mMSsVwS(iaz-dk-ztWVobjOF8jL-AGOc3WwE^2R#6Nd zv2C{hU$T|89M_Gz&G;?r2h!ig!S*2k8q3$rf7ke{f5VQS z<42A0_j6DldDVDFt~IT^9qhg1s&UnR@4VKJ&##fc&&t2)w`~7I-VJ#_@PPbtwtW3} z%n!#^<1zUQmRGkA6jQhS8}0LEq2IUd zA;0D0cDWymqV2e5+$F!y@|wwAlCKzl(-+Mb#}64#L-`r`=dJu(f8Wk`$af(>2Clv) zZ@)gjX8e1$uGe?$()r{AMT`6q)G|-_>IOr@=sa* zcDuey@;krNj-ORNBXZBUTH5{@<9KR&X3T%Y@&|94{~=#9|4pp#i}tr&$bZxLHFmw$ zUYqwPU0n8`I=O0p)9R8P{}%bDKWTqc&aTH!$a`V=K6!2BFMXw5-{ikx{Mx0RFUMbR zJPylGLOvzG{kyGx_*L_r+y?)K)t`>vXuNQYd_(SA`G@R!Igo$J_8g zAF{ko{zKz$x9hPL%C}wqkmWt{$3A8CwfQe%lSLCVXU-?H? 
zpM`uA@*P?0-;;mcmVcvF_6NsrF+Mu}dgH?W9tQmVzfu0nA1tcmH$PbvUsr#ys5ySE zaozE!jT_`!R{qjAK3Me0KW_ZmM;c(MArG91fG(0 zzGoqyhkQxa_OHk~-)qM>-y6p`-&=Ccj^|gr+5B+)TH_;GK2+@Qy}%FoP<0F+8f2Ak zx*UGA$nv8k%a0-XyKsJ+<_8(Ryvux;IEFv-P=4WZ__HF*pEdd1AF}F~16lRU(J|^5 z{1Ia8zw$a+^+%hm`lT20zROX+49Kcq#-aSg<)~lgWYsTQvd;gGEWeLr`Cs{}y#2~+ zWG!DO%l{@>{%|8`iu6Y?_T1G4-d1s;>-|0Lwokk855{sme7FCD}Gm1Fq7Cd>bw zWB9)(%jY9m{^Jiz>Ux0xHL}XrU7qSkvi$Fn<$p<*|3k9;A328q(@=iqa`?X>%l{== z{%^_he@B+zd<q;28JU>KpR@%l{@>{&zy&bvgX+ljZ*~lpnbq{!hvBe@)i;-;m|^ zo-F^5A+J>P_G|enS^n3_^1tC2{x`$&t&sOZ-Y3idLEs@-{*OXF4*8U+>gM`9F0G|7VWj|C}uUSB~NTnk@gfWcj~y4F8XzeDUUdJmr6dEdN_%`QIVS z{~lTX_Z`FkVJJUxIsBiH<^Pl{{}*KWza-25m1Fq7b`1abWcgir%c=i$vhs$@;eU%P z|GS}l&*kucK$ib=vd;g4EdSSJ`M(YMJ}iGA%m3nQ^8U#Gieva+CF}ERA#a7eO_u-N zz&*13?}xk$`H-y7ACcw%*fIQ{IEMdIvix5-hW|^l{9lvh|Hd)=--q%Cm!tkalI4Hn zYxD7y|1Glo?~vtx*D?GrL-~Qr;s1y%|HowcKO@WkIa&TM9K-*mWB9)%%kLvu^?$XN z_fL6^j2!+q$nw7(%6D82|NCV5KPBt@&&cwBNtXZXkZ;5CJF@&gkmdi;G5jySF7KZ{ zzd}ZNoz-H`V}UXu0s1G4-dI)?uv$MAnlmj5%y@PAI0|4Xv`Upa>V z+faVza`?X|%m3QfpZeb*%l{Tx{KX(lO z*JSy!{!bjk|0!Ai z&&l$C;TZm}L-~!%;s2H_|0{1j^}j}z{|&PIZ#stmolw5(a`@jT%m0!r|3_r`KPJon ziDURbbqxQPWcj}(%l|{jk1j|3U$MXC3qRz4ovigWTn_)+WcfcN>->+%@_$N}|MQS9 z!}2S#{NIq}|JE`5--YG(A+P+Mr~X&T^1mLqL6-l`khenKA#4A;WclB74FCI%;eSb% z|0Bone@vGDQ?mS@IfnnsP=4id_`fF0|07xLpGrL+FZo|1%m2D#_}>cU+b)OyU9$Y| zk>&q@EdPgO`9E?D|HqEu|C}se*JSy>3;EvV@c&4b|JAqU{nz?xWaRL_NtXX5x!}J6 zS^kg7@_!ogd02iymj5fV{9ikU|C_MR_}_L6|2t&)-**iEOS1eQlI8!%G5nu~@-vsi|2bLyZ^`n1PnOR|vivU| zzPKLXe~qm2b(h2cCRzTs$nw8Smj6An{O>!4|D|L2KPJonIa&U%LcVr6{NIx0{~?q= zx*YX?^;`1(%l{5p=f6vq|0P-e4?{i<%TLJie@2%7bI0(15td(ud>ir|S^ggaAIb8+ zXoTy7th`3n{@2O!zu_4EHyy+O7Fqsx9mD?~S^k$~`9E+B|Hq;H#O3gRN|yg?vi#qY z<@25_{|}Dgf8`zd_^5o9jPmfmPL}@-vixt8<$s4P|GSRif6p=eACl$&lq~-jAz!*2 z{;$dMe;3N{T@L??cb@v+BJ2FO$@0HPmj7kQhhg~*VQq3pxC6kmY~dG5qh4<$sSX|ND;N|1gvv zxg7qF$?|_mmj7$AeBP4f|IRV|KZf$fBYFSif0Zo%Yh?M~B+LI6S^l>j!~c$B_+OIc z|ClWQXCa@v9R4rK@_!S`Z(R=m4`kK*pT#ov`cy~S?^1nis|8=tbZ;<7G 
z(=q&SIfnl|viu*C<^Lq)Q!8eG5qg^@_m=X|B@{Kr)2p*Cx2Hr&wpEz<^Ret{NIN1JD0=%16lqb z$@0JYo_svye~m2v>yF`n!!i8tkmY|#mj9!Wk6jM`r)2rR2<4Y9hyNS0{I5KI>VK6i z{~Kia-wJsrEZ-%||2|p%myY58AS^!&`84D+vix5JUXtbiD&*^sZ^`n1N0$G4$MFB) z82%s0^1u4td_2MMzebk-4YK@iI)?w9P`>MO_}?ST|1nwqPs#FsPL}@*$MAn0%5Pi_ z|952hzbDK8;(e$7SIF|e>KOjl9K(P6&GxDOmH$1m{2zpT=yLc!Cd>a>C_i^O{9lpf z|BjWcj}*>--n?}?4YK_2k>!6$mj6St{2w`n|I<)@=5qMIAj|(HS^jUx@_$Q~|2xOj^Y27ET8ve z`G0T>|10f$JXO9*MtS&OBg_8|S^oFP^1md@|AAxpKMv(5E{Fd!vizTu<^PH-|JP*s zzi|xzw~pcek*xZ^_Tjw$^1n$|-f}to?~vtxKa?+B4*y4F`M)F={I?>@|1DYm??ZkJ z%NO5~w_pBO$@0JE82;DE`us-7J0b6q<$phLNtXYEkPkyXChPMjWcfdJ4F6}2;s2a0 z|5uLT|C%hHw`BRha}58Fp?vX?d_3iUg)IMDWclAA%l{r({`Vcj|6wRUayk5;kmdiB zEdLi|`M)H~|CM9-zjh4&_hk89`RJ+tb+Yn?%i({EEdRTqe9z_Ze?XT1bF$9=f-L{n zWcj}h`93UvAj|*aV|jn%f5kEUuafoowUD<$-X_ccZr~nS{`W&(hI~lY=a0zpf9x3k zPaMPlDOvt69K-)5S^lrd@_*wP{_jKigUeC>AIb8+@kBnp^1nrv{~faY?>dJ6Whg&z zIs6}y<^Py0|7T?RKPSuog=6@?bPWITdo0lZF29dt)&Et?d|o3XhyM+-{BMWy9hbxZ zK3V=x$vXctvix6?<^MY5+pzqOEdLK=`G0f_|M3fV{P;tKjPl4EA#al9e>-r8EdRS9 z?}fZ1YySsi`9E|F|3{AD|ClWQXO7|joGkyBWcj~x4F9*G{Lba@e@~YGwNIS--yqBX z7Fqtc9mD@#DBpKE{2!3z|Bx*ICuI3QCCmSrWB5OJ4FA_;`M)R2|KdAO{jZSae~m2v zo1uKm!6oJQcbHM0C~kmY~VG5qg@@?Dq1|2|p%mt^@rBFq0VS^iHP!~dyc_`f8}|1DYmA3}a~ zIqLt4-3PG$^1n{j`Wh~W|JW{+m;Xbu&i{y9wd0K6-!mo4|9QxlVfht#ZQF_8-?Jgh z|E**AzYELnLte3QSbu-0lI4FraDy!Wn;~z7yhGOhcgga<=NSI?9mD^UEdNK2;s2N{ z|FK=zANfCX4F8v*{L1CE{Fe1vi#qZ<^Pc^|0_@B z<0b#Aj^TfUtny8l!~Zr}{&&dozfYF`C0YIt9K-*iWB5NM%hx4Y{%=CQbvgXsljVQ$ z=~MqJWcgnw%l{r(=f6*u|3k9;ABTJzmYd> zWchyxd?d^N;`_q&K~`QPYyazH`QLC1|C^5Ce~T>tyN=<1k1YR7viu)7hX3PGe&TZY zKPAimHCg^|$?|zmmj4IG@W0Z_$4BL>WR!>hb+Y_#kmY}yEdM)X`QLR6|9g(%|Bx*I zr)2rR2>H_G@PAE~|GQ9r?{fHG{Fzh#TV$R8Hd+4n$nw7o`7kU$BFp~?S^iHQ!~a=W zejf65$Twv9zYDx4%kM+Tk0Gyoe?A`C|0-Gj*BrzDx?}j?Aj|)@WBA`8%l{r({`Vcj z|6wRUayk4TljZ-CEdSSJ`Mf2||D9v_e+=b|AIQf;{#VKJzebk-O|txNk>!8eG5qg1 zhW{m5{*TG>e-`q&%i;f$EdMv5{MP00|3Fs#-}vn5`EQcte}^ppdm%5w@&mH`ACcw% z*fIQ{gyp9pUxs`|mj9c;TeAG$g?u0KBU%0zpUcNX{#P8s|Egp7Un9%^repZuBFp~{ 
zS^jq&!~ZgrAGjR;56SX>PL}^mvix6@<^RSp{NIQ22bZJ%FaGX)Jmi0cEdT3d`QISR z|E6R3-*OE9dt~`PB+LIv$fquc|8uhZUxo5(m&5-ZS^n3~PW`Ww<$sGT|2rY?h2{HX z`9C1b|Dj{}KMKo_Lp~4rf-L`6f!AdDzX|y^SF3&-$(9m;Q94*z##`M)R2 z|Ki%I{}rjOvX*a><$s$j|2vN1e>W`O3;8hQBeMLT1fG)R|19M5kT1#F{uNpN zuN}kxjbr$~CCmSVW7Pjgviz^y$j4LuR~^Iu23h5sE{FduvivW}@_$H{|6{WJpE!p9 z^H6@_a`?X@%l|c5{_n{0e@~YG2gmUL=otRjelQ;o`QIYT|8B^8E{FdmS^keg`LWC4 z|BNjEw`86F9a(-K$@0JQeBNH=HL{kkljVPtEdN`M;eR_U-wAmc@&Q@?j{=X$@_!QY zX~^efZU2HS|Cf&8|H?7^Uz6qk&N2MoljZY~EdPs}7uN&)uaQ;0?sE9wAj|(AS^k$~ z`9CDf|B++(KMmz)E{FdMvix6?<^P5(|F>lMzjF-#_m1Iz<<_bH4YK@ihrHu*_}?ST z|3N4}bUFN=kmdiHtn6!LM%r(|vaj4c1>j^Y2pG5lYW<^RSp{NIx0^PVjK502q~Ab!~Yps{?Ezse?^x6YqI>`IEMdQ$MFA1R{dWatua? zBjlZscgZh&%H|i@-@EDuF3IwL5b|Nj$7Fr}ge?E3j^Y2zG5nvC<^Ret{9lvh^Oh|C zcaGuzF_bUv=Hn^S^h7{ z@_*$R{;wUw|2W7P4`lgYyqG^v{#P8s|0-FZUkiCF< z9R82U@_$U0|1+}upOfYP!ZG|`I)?vSviv@hRsUCC%KN9hMn(?*8)W(44&^&8hyQ)D z{GXC_{%2(Qza-25b;!42`5jsQAIS3m=otPNFQ58XA)`FKPSuoC0YKj9K-)@D8F+#{NI!1e{Fc`e}gRlTV(m) zb`1Y}p?u%v@P9y-|3k9;pOEGMlq~;ej^Y2@G5lYX<@cT}|BKI``d=Z-{~B5TH$(ZB z%i({QEdR%3o&O10{?Ezse;M+1Sbjs6|2wk$-#doihp_xH`QHrOBFq1F z$U7nLk+uJQvivU{!~cO}_&+4e|A}MxKPAimIa&TM9K-*0D8F$z{NIx0f93Bv^}j}z z{|&PIZ#stmolw5(a`@jT%m0!r|3_r`KPJoniDURbbqxQPWcj}(%l|{jk1j|3U-{v@ z|MI_1*7_PQhyQJ|{2!8a{zqi_KPAimdB~Sx`4w6IZ^-h0>lps;!t(o&SN`m&|5dX5 zuLo|B<$p8et&n%f+W#(D{`VZi|Gs1RUy|kj$T9pMljZ-EEdOVY;r}v}U%4FqugUWN zNLKr&^5^pLlK(Zb{I5HP|E*BI?Q;0vCCmRFS^f{m@_$H{|0Bonf9x3k&&l$2O_u+= zkndd%|Bqz(U;TUY{%d_TGIIFeB+LJjtn)u0%l|Q1{!c?b56dse@_$8^|7*wae-oD9 zhWr@vVwCq!{#OIn$nw7)@t|827T?~vtxpDh1Nviu)7hW|sy z@PA5{uS>H0--LYYa`?X|%m3oG5nu}<>w(^hkQep|GU6@viv@T{221ekLTl|{jZYcf6X!c zuRDhS4YK@iJBI%qvi$Fn<$vEX{2zw$BbUSfFtJ7oFabqxQ@P=4TY_&+4e|2bLyFUj(MO_u)~$MAn2 z${$>g`oH)`^6`-W6|(%VljVPdEdQI1;eX39{O^(F|Bx*ICn2A@9RAPA@_!Y|uU!uR zcVzir`$tdxuao6}i!A>;A@7Cd`(*h)Aj|)uWB5M`%a21o5BY*D|5t(6Wcj}d`8MQx zviv`g<^Rz!{4aj;;`)I96|(%VJBI%avixt6<$v2T{O^VGeV4=kk}UtHWcfcQ%l{== z{;wRv|7|G0b23IO(~!@|@_!L{NtXYs zkgr3&CCmRES^n=G!~cV0_KOjl9K-(>S^oFP@_!KWq08a_ 
zm@NNiq5RzC@P9>?|3|XUfAQz@{>c9tS^hUd-Xd%HHd+36$@0JF82VEA8g4F4Ns`QIVS z|9;3zm&5-dS^iH#`Kim{|AH+4_hg;_16lr8ekO0f{I8LfH^^GPNtXX@vi$EjhX38L zd@tm~kdMgne-d~~mjAPm&qKZ>Yx`GZ`M-7y|2K}||CTKO4~|j)AIb8+GR?SFE3*7wljZ-$G5p^;hW|&h>i^nb%=<6@n`GrJm&5-KS^oD!`O@X^e?*r5OR~=Y ziY))PWcj}j`7tbC%<}fj|0-Gj*BrzDI=SG#M#wuM?~>(zKX6Hw|AUYZLp~-K{5K)X z|EXj6KXVNK=VbZ6at#01Wcj=$%m1BY_n8FUj(M0KKvix6@<^MM1`>_0hEdPstChw2@uQ-PPRkA+67V=ie+hqCQ4csHk|9;5J zkPpfF{1I9Hj~&DRiDURbCCmSXWB9)$%l|c5{%;(^|9vQba5?J#BU%18ejy)U`QIYT z{|;IHcOAq3GL#><9R82U@_$U0|1+}upOfYP!ZG|`I)?vSviv@hRsUE2*}Q+sYh>i` zzd@G&?NGksa`@jT%l|1^=YK|)|4Xv`Ux$1fmfw-(|A8$3kB;Gg@z3S`)8|*nD381m z@+MjSw*z;`^1mDMUdT(bK7T-#|3k;{f8-eckIC|X<{19Z$?|_mmj5fq@P8Z1?_3W5 z_hk8B`{z&nZ;<7Gi!A@!j^TeVl<&J7{tw9Ve@K@96SDlDlI8!*G5nu9hW~4_{N9u0 ze=$Gxze1M(HM0C~hVm_!!~ZT>{*TEz{}ZzOpOfYPGUV&9{Dv(5cVzj$cMQJ|Vfkao zYyZOO^-(9w|7PG8S^l>}-U)e+to`qk<$viI{tq0({~=laPaMPlDOvu{$?|{U82+zA z`Hjor|CTKOEC1rD|24AwZ;<7G(=q(-gz{aN!~Z^6{+DF=KO)QjF34O#wg z9mD@!SbiV!$}gV!UnR@`df*0G{x?J33VDaD{qK_Hf6p=e?>mP7C0YKD9K-)HS^iJS z@_*(S{x3uMmCND(nk@g1WVL@P|8hQF^1nuw|8>XkzZJ^2T@L@dWclAC%l`pc{twCW zf8-ecj~&DRIa$80$?|^}^1aL9|B)>JtG|@@U+b%pk;DHcS^k$~o&Nz@{*TG>e;V?6 zSbjm4|0}ZmUpt2Xo3Q*gv~J z{O^!;{<~!PUy|kjFy!N~{Ddt3XJq+5cMSg*Vfkgqw;|t=<^Lh@ku3jlps`$nw7=%m0C6_&*NiCoYHoQ?mSDljZ-GET8ve`G0T> z|11ASK0Yd6C8Iq2uao6}gDn5sWclAA%m1!p_}_C3|A%DxKPAimMaY*fhyQD`{NIK0 zdzZui;@>>=zeU#hZG5nu}<>w(^hkQep|GU6@viv@T z{221eG9M4^f0Zo%YmVW6-7)-ckmY~dG5qh4<$sSX|ND;N|1gvvxg7qF$?|_mmj7$A zeBP4f|IRV|KZf$fujJz)|EpyAUn9%^CRzTs$nwAK82)!0!~c>j|HowcKMVQXQf;S^jSV zZ^`n17xI0`k7W5@{FQt>`GL#f|Bx*I z=VbZ6B+LIbS^jSv!~cCKe{ebK|KeBk@sR%&viz@;<$r@L|C^5Cf6Foa?~&#IkSzZv zA)mS&{?Ezse-+BFT@L?uWcgqFw@>}AljVPlEdM(p?}g?2WcfcJ%m1Nc_&*BEk3&8W z`GPF}SAo}L`M(MIHspJ<{6CQ8|Iso0FaDj2>jVB*$nwAL82&fN^1nrv|82+czZc5) zT@L?CvizTt<^P;4|CeO>zj6%!x1s#bcgga0K)vi#pWhW`i0@c&4b|J8plA5Sp+uaV_{gDn4> zj^TeNl<&G6{`bi8e@vGDQ?mS@ljZ-yG5lYL@*9`K{~cNW@5%DN`1eo!uaM<`)iM09 
zIfnl&vi$Fn<^Le$LzlzQg_$R}j^KMOo3%l}2lmmy!1wf!5i{NFl;|2xO|BsI0e{G$Qhx~7m<$pKiJ(t7(k}Us6q5Rn8@P9^@|68)o|Bfub zk7W5@`H%DVDzA~Xe4Q-+n`HUlat#05VfjwT%a9Mq@_!U~OqTzXkWWKCCu{o`Wcj~z z4F6Y-;s2T}|96hz|DG(Lk7W5@{MC!=0shy>DqnXw{BMxue~&ExOS1eQlI8!%G5nu~ z@-vsi{{>n8FUj(MLze$rvi#pUhW~rV@W1lwr~Ws{^1mJOj?3YHk1YQOq5RP0@P9&< z|7)_&|As8T_hk8h40+`@^7d=_Dp~&5$@0J982&fI@~x2fLf$9K|3Tm(S^kegJ`VYm ztnHtX<^S9<{9ibR|4Xv`-#CWMl|7T?RKPSuo6&!3Rx|I{)3pE-vAbF%zjIfnmhvV7i>-~41ze4Y8ca}58Fp?tB) z#}nn@e}ydnTV(m)A` zIEMfGQ2yX@_!7fEdRTX;eQ#*4_praM`ZawCd>aBS^m$-@_*qN z{x2QF|1DX5AIYl!tG|`^PkD`u9R4@R^1mI*cU%tt`(*h)CF}gp$nt+lmjCOJZ^QCC zviv`g<^Rz!{4f5?ynp)q3K`{*H$vVd%l~%Z4q5(pL*5H{N!I5N$nt;a82*nO!~Zc^ z{?8o4|2bLyFUj(Mzq?}hSxm&5-7S^f{n z@_#~>|5LL3pE-vAbI0(1O_tw#vivXp>r?+LWcgns%l~F5-*P$p?~>*Jn5^?ZAvH(t zC(HkmEdNJj`9CJh|A}MxKXnZMmt^_BCCmRq$d4{Z{a^X*y#MmQPS*MwE{FeZviu*C zb^b?W`9CGg|9QxlVfhtV{%^?gf9n|j@51u?kXQcOQ~#@E`Ckv*Aj|(|$Xg-rkhT9^ zvi$EkhW~xX@V_L>|B++(KPJonDOvu{9K-)*D8F(!{9lvh|B zUk`aBlps`$nt;S82%5*@_$U0{}adXe;&#&Tn_)2Wcj}*%l{); z{#X85K3?*_>KOhv$SU7-Is9*v<$s4P|NCV5Uy|kjz%l$EI)?vKvV2{V<^Lw+TbINC zJz4%2yHo!wWcgnw%l{s^;J-du{twCWe;o2Dx!}JUS^h7`@_*?V{;$Xd|E)v55BY&C z|BL_O^m?d}<$pEgwU9T+{P?0tmj5ls@W1UC{&&dozwa3Smt^@rB+LJiWB5M}9N0+1iul`SY|K)#&tn=R`%m0!r|A!$Thvg?^`9CAe|G8uM zzX;1OL%t39jx7HVfsbVQUwkoKA7te!{!hvBe-ZMf%i;f;EdO_*{NCm8zxba|{cn+V{@Y~v-y_TaGUUUs{D>_7 zCuI3QbqxP!VflH;*CF4K<^L}5o-Dr)AwPz^^1tNcq5ZFt<$ujF{I5HP{|&PIZ##zn z9kTrIk>!8iG5jBf@*|hS|1nwqFUj(MO_tAFvi#pUhX2PG^Mx<$s4P|9c@X z!}0^N{2!6!|JX77pM>S7Azy}kMV9}Yz+1BX--Uc1@*`RP7yoNM9`e8982(os!~Yst z{x==N{}x&PcgXU;>lpr*q5Qz*@P9~_|8uhZUy|kjnk@e}j^Y14ls~u}^?&i#^YM`X z6|(%VljVPdEdQI1;eX39{O^(F|Bx*ICn2A@9RAPA@_!Y|uU!uRcVzir`~6e@>ty-g zBFq0y$a`V=K3V<`$nt;a82*pK^5c-tL%tx(|5e~MS^jTAz76@FEdLK=`G0f_|BFAk zxIW;2g)IN;j^TfUEdN_%`QLU7|9hc)-{tVXB+LIPS^m$-@_$K||0~Dve;dm0Tn_&a zWchz2%m3>CmXC-0uaV_{-7)-cIEMcnvivW}@_!WavCHBAlq~-jq5RV2@P9*=|CRs! z)c-13{x`@!{mG(u*Du@k8}d$AzDt(>eX{&79mD@YSbiAtX~<_}`M(IfB+LI*$k!p? 
zlI8!7EdTe8;s3!g{6CWAfAx@$Cm8SF3&-$(9m;Q94*z%LKd{ex-6!pSL6-l;-#GQZLYDtk$MC=A82-1&^1nxx z|AUYZT@L@pWcfb}<>xMk|4Z^ubc^EkJ)6(#_%+5mGW>b_H9Nm#`BD5Id4J_!m7ILD z@-4E;x5>X^pZCeq`VSp{nemAH72i`7U-6=yPx3byzjJ8wZ5+SZcp1vCT>fR2Z^*Z8 z`8SX3e1-A{mw%b%#s8W2=dW1#*ZqXG?~VVKJtqB*@xw>!FLwNpafkfPPg#HRm)rJ| z|D5py)d!28v7gVqA@4ob^Q*>%d0Mp};EsLdrG|YD*?y#d4f`+h@3;J`9^#_$P)jM@n`4OZ|C@N%kS9!y8LS_FTO0V|936_>YcSi96xGYbzC)Wk+uFd`TLsY z#}{o}H{`>Rj{{H1KWEF=f8X}kan*Q1{(|LI+qtD%{*Cr|EAnq!{{CMmiXB$A(?RojH{*HcZ_j;YI|19f5h?!Z`yN7$oI^D z6YKk;T|=+U+y6I>U-Pqe-z2At$NtkMtKHTktKC+Hd>ED=k=1USkkxLRI!3!~9+qE( zd`VWjctuvbVC@*~f{kOe3l3zp3#yg8|7sUB$jX~8N4ua+R=c1V%J*H4cEOOWcJYLK zX6=B7zG&k#WF7A{S?z#r;2l}*(0#}cAulfF{nPp@WVJ)9j?oUSIYv9QPF6d!Nme_v z|Mqusb7tKGOEtKC?6-Rb^T$?~^BmcOl# zcf#^rvi$9n?jXyD23bBd9jE7xP`>N(^xQ#~A7iron3B(*JILqH9gfp;M<~B>d3x?3 z%bz{@+@G(^`>Xn;N>=?+bBy|>?ilq;o2>eyPgeah4Ef0As9z>z)i3iu zmm^u{zxb-WKk~mumj8{Ax5!$)O_u*%vi$EkhX4Jrd>Qg_$R}j^KMOo3%l}2lmmy!1 zwf!5i{NFl;|2xO|SbEdTdpo&N(_{#UAbf8>9Sth_#AhzLz7Ee72!K|vx4MnMRQ67ZH5FF_Ck zaw$PuP)QFA7d+-`XB`u<{MGUr=G#>4Eur*%J)6s6vbLLnz2H%*! 
z{^QK&fxX`vvub2ky=#5nUaL~6!~D7B@P9>?|3|W}|A{QWuVne(djID2D({fBe@T}A zJ+l1o8^ixW*nb%EX~-+G{I3Jg$?|^@@@2@^WWD|kS^jU0;s4GU{_n~1|6~mR&t&<0 zCCmTf9=E<8;D3j#`K9IXze|??W3v38lI8!5EdOg`_`eMESC+&74O#wg$@2d|mj6ex z{687P|FbdtZ+$@Sf0r!(2O%F?4*$nw`CoyXbwz9j4QugLO$Z4Cc6#_)ejmj4H1 z_t4-&GF)2v_q_sGiomc#!cS^iJL{Hf*ezb4E7Em_xpN0$Fb zviv`X{2KNzKCpTH^1n@%{~craUy{||4f!zSBeMLT1fG)Re--js$meABFUazLX$=2Y z#_)elmj63r_`fI1=ObDEpN!%EHOw#W-JDPP-y+NZK3V<`$?|_pmj4rD_&*EtYs=yP zf-L`+Wcj}#%l|D|{_l+8|K1q>pULvO^+CD+C0Tjba`@jT%l}cBKeinHS7iCWChPid z$nt+rmjB0)pTqtavivXZ)2v7Sw~XO`o2>p$$onB5kmdg<@R%(BCn2APd`4D(O_u+2 zWB9)?hW|^l{NEVE|1DYm@5%E2U=07yVgAK(eE+|a<$w3S&H0u8eX{%?lI8!%82(Sg z{K|6pUz6qkoGkxWWcj})%m0lr{NEbG|07v`U&;FZ-~PAF`jmIb$l-sNEdK{#{?Kyx zKOxKiC0W;hMV9|tvi#qN{22B>k>&q|EdQ^@@V~fUvp)5=$e5438}c4m{tp5V$?|^` z@^Q$gWc62M`9Cv;|FtpvpOfYP${7By$?|_omj63r_&r4EdLi|`M)H~|CKTPUmL^!Jz0LA$@0JW;N1TfS^js(^1m16 z_brG2BeMLTlM9XoS^lrd@_!rhec1m%mj5TR{68DR?@QSK8uHGEF^2#9F#ljV{6CWAf9w9a{~faY z?~>(z&lvs>!~Buu@P9&<|5LL3ugUU%PL}@*WB9)`hW}f#{6CWA|0U#C%kllc_3xVX z%m0$B<8>{E{{yo8pOJO_YqI=blI8z8J|h2mXp!ZAJLH{^cgb3Rk1YTD#_)e&4F88@`9Cp+|5LL3pONK%Z4CdH zVgAZ;_`fF0|07xcpULw1N|yh{9k;$7;D3j#`K9IXzekq;eX{%?k>&rGEdM9Q@PBFy z|L0`+zb4E7UC8&A!~Y{${$IlUtL6Cq-~RW_`sM$Stm{7_%l|1^{?9@_5Bo33@_$8^ z|7&CTzX|(qLw*eTi7fvwfv;rwUwmZv`XDRskhT7jEdRU4@V{pa|NCV5KQe~@W3v38 zlI4G84FBh0{=#zjza-25Jz4%A$@2M3mj4%H_}_X^bAB|xO~!oqUy|j2mn{DWWcfcN z%m0xv{2v>`{~1~SFUj(M6Y{O)@PAL1|EDnjY&rZddb$67vabJtEdR%3`9BT$EbL#C z<^O^#|Ch$_e--v$hkPIM16lr`0-wq9`x5eN$XgF?&WG0DCcov=)BW$s?~XD2FOA`U zmn{DW#_)egmj7e2{GS-Z|5=z{TMqx{Wcj}(%l|$3Q%C9kgkJjZWwQJ~8N>f;m|uKU zb3WvMn=Jo3WclAC%l|%E{tt}d|IirzPs#FsPL}_xkgqL=|68*BKZN;5%i;fptndHb zkIt`uk1YR(Wcfc1`84cbk>!6)mj82O_`eAIFGIc!`Hn3A4}p(l`F{%eIpkNe{4XBT zoDccmGKT+cWBA`8%m1D+{O^e@2%7i;yoZhyQD`{NIK7d&}Yf zi7fv+ACvoElI4G&EdPfgABX)XWcgo_<^RkW{?}pudC1ox-;m}1F7Tc#{|_NQhWt#H z{};0SzZ%2;;$gSGKHz_gEdNVm_}?YV|2|p%4~*geILx0|4*#cQ`M)H~|20|uZ^`n1 zXAJ+3VgAW-_N|yh1$mf>B|0P-eZ^Hbo z(z&lvs>!~Buu@PAB}|8uhZUy|kj 
znk@e}#_)e1<{vDF|0lBiKa=Hu@o~BTEwcP?8^iyOG5qh7<^Py0|ErMCEQkMdvix6# z`D@GJ|BfvGuVh{S;^Uk3$o~#m{&z#(Cu{!!S^kg6@_%d$|0iMpX~^dxUy$YhD)5>t z|2HAuhI~)f>pzg?|Irx!pN!%EnJoW{N96vu$nw8Kmj9(O{O^bP1Iyw6kSzaaWcfcQ z%l{=={;!PT|2E9uSq}dXWchz2%l`{m-~X><`CmM;IUiv7-!g{(U9$WilI8y-$4h zvix5JUXtbiD&*^sZ^?T7JF@)W8^iyDG5kN0<^RPP-~X><`QI8e=TrW-jp2Wntoc35 z;eVej|EFa6KO@WkIa&TMjN$(}%->iJ|952hzbDK86IuSB$@2eV4F9jj@W1nk&H0f3 zeX{%?g?wx|{GXELe;ww}Ers8(%YyXlg|9fQl-#3Q; zgRuWFWcgnQo|EPOBIL`EugQA-8?yZ08pHpcG5p_?<^RbT{-4S6`AU}m#iMS0 zJ;47CS@TQF;eVGb|HowcKPAim8Cm|<#_)d`=C3S={~NOW-;(A3fh_-zWchzGhW}?{ z_}_YT?thmo{|6x-S`PomWcgo(`7_Jm|AH+4_heoF16h8b$@2di^42FeuV4GO$@0G> z%m1!1{O^VR`yn5Pd_tE0Rp1#}{?{R&hkQxa>tB)O|JoS-Z;avpmMs4d#_<10md|Ih z{J$8(|JGxg^Qrl5GUmho4q5&W$?|_pmj6?-{I87R|2)iJSPuVJWcj})%l{o&{_n~1 z|6mON@!SeL|3UectndGwlp&Y@J+kt?&r9EdS3T zzlQzsz#P1O`QIkX|Bf;IFUjifhI|dY~y8bJ2JDuk{U(@r#$nt+5@?+TlMBb-$-1)BQ_ibePe>H~xMfyFf``;pC zKJsqJdt~`P2s|Xq|53=tA)k`9{)#OBXU6cqHirLmvix5e!~Zo|{%^_he`gH;k754F za`=BH%l}ULdlAl`{O^+Gf1fP>2gdM!9Oh3fhyN8>{?Ewre?gZ2OENr!-z#JIzcxm` zC&SCz-x+mJ97Eo3-kMy!~YRk{?Ey}{tL4FUz6qkHst%T|A8$3 zPh|OjHiqAqu>UpWohRmBA0=7-_X79H%jC&j|9ATD>yQsaJ|=7Z6SDlD8pHp}82-=5 zxDIzozAud7|B@{K*JSy>F^2#9F#ljV{6CWAf9pxP{~faY?~>(z&lvs>!~Buu@P9&< z|5LL3ugUU%PL}@*WB9)`hW}f#{6CWA|0U#C%kllc^%=SUC0WPoS`PmQWcfcM>-yJZ z`M)H~|8>Z>VgDUj{vXKl|7Z;VPhtOa$XlP8``;$Z|1xlwEdP5U?}vOy*7`?e`9C&> z{}W^QKPAim+8F-N$?|_mmj5eb_`ePFcb3EdJz4%=$@>1^`mE-B$^Q;n{+Gt^zaQog zEQkLiviu*D<$pz%|1+}uuZ`jV+!+3^$?|nimj9=apDl;~SF*nUw?DgCzmC@->+k

XcE|952hzc+^ehp_)KQ{=nJoW{|B(CN zBFq1hEdR%3UH=JL{?Ewre;)E>*ndTq{~NOW-x|aJUD$sg@^i>9WcgowZvOSqBFq1F z$U7nLlC}OGS^oEp;s3xG{twCWe_{;(r)2p*Bg_BV82&HA{FUYKe@&MEN3#4sljZZ3 zEdPrq-}-uh{~faCmzKl-9$EhP$?|_hmj7e2{GS-Z|EV$jpOfYPnk@f!A>UgL|Bqz( ze+l!imgDa~?ayo0FaL*RUH=hT{!hvBe-`q2*ndHm|0}ZmUmL^!P1t`M@?*$PWchyy zd?m~O;`77T2U&TCto4^<`QJ5$|2<>)-zUrekum%qljZ-EEdMKG_&*Qx7nZ~SC0YLO z$@2e5md|Ih{J$8(|JD~Y=STC~WXy;EC0YJ=$?|_dmj6St{2v*^|FJRrpONMNk}Ur> zA>UdK|Mz71e+u)@mc#$z3v>VbWL^IOS^kg7@_!ogS=hfO%l`#g{x6N;|0?Xi4*5Rh z2eSM>1wNDI_a)@lkhdny`Ox~?WclAQhX188{O^+G|G*gj56SX>OqTx>WB5M{^J~lD z|C}uUw`BRhC(Gv}S^l4l;r}(vFP_qz5Bc9F%l{5p{`bi8zfYF`17r9hx~7m<$p<*|6Q{D?-|4YzA^kC zljZ-6EdLiFUs?|T*JSy>3-kAu!~YXm{&&7O_rD~||2|p%4?{i<`%lR7zaq>3nKAsY z!~XM-uS32e%l}>AJz4%ALVgVSnJoP;WchzJhX2LWZ+(5h{}x&Pm&WkFOP2qAviu(y z!~b!ZKd~JCPs#FsNtXX>vi#qY<^RqY{vX5qljZRLLYDtmvixs`^7S^l5M^8aiM|1ZYy|4Nqs?PoOS6Ab@5WclAE z%m1D+{2zw-Bg^6cm@NP2Wcj}&%l|c5{%?%o|31t=SPuVBWchz4%m3n;x&JM){BIk> z|Bf;I?~~>Km@NORkk2fK|8uhZUxoQ=%i;fyEdQ@$UH{@soAt>54q5(pL*6HA{{dP4 zkI3?WYz+S=VgG5!=OJH^<^L-1nk@e}A>W34PuA-{kmdi;82+D(;s2Q||BGkk{lK{|{vOeH~xovJw>^1n}(|D%wPEr^xp?$`9CAe z|JoS-FT?zmJPsZ^7Yz+TfU!MElCCmRo$cL80|1nwqS7H9l za`?X>%l|!D*Z)A4-)FM?zlOZ^70v6{{%x}SFUj)1YYhK;VgG)}$047P<$o1;Mwb6| z$mbznlJ)vmWcj}~hW{I5_`fB~|AR67Ka%D1nJoV=#_+%O{N{XWew&Q>@V`Tr|3k9; zACu+(lq~-%WB5N0^B0!G{}oyOugUU%N0$G4viv_7!~df({J)a*{lD{-&HCkkkF30J zIs6}z<^LqipIQ$8YqI>`l6C!eWchz2%l~u8uVMe&C0YI5kPkyX zBFq0t;3--DS0SH;d`?#Xf-L`+#_)e-4FA_;`M)!U|9i50K9c4C$r%1$!+d;z@LxYR zebz7iZ;|DHpDh1}WcfcP%m0Zn{GWySwdL@CL6-kZvi#qW<^Pr}|98gle{T%`&t&=C z`s&>OlB~RIIsEUF<^L$mA6pLpE3*7wlXd+!Wcj}*%l~7@&td-yS^gJa)2v7Sw~XO` zo2>p$$onB5kmdg<@R%(BCn2APd`4D(O_u+2WB9)?hW|^l{NEVE|1DYm@5%E2U=07y zVgAK(eE+|a<$w1D&H0u8eX{%?lI8!%82(Sg{K|6pUz6qkoGkxWWcj})%m0lr{NEbG z|07v`U&;FZ-~QTWeabsz!k>!7fEdP69e&2HVKO)QjIa$|#L6-k(vi#qMd>{5d zkmdi0EdS5O@cR<>zlOY1=U*QsS^oC|_sQ~q5b|Nj$K--zLYDtiWB6Yg!~Yps{x6K- z|B@{K*JSy>F^2#9F#ljV{6CWAf9u7${~faY?~>(z&lvs>!~Buu@P9&<|5LL3ugUU% 
zPL}@*WB9)`hW}f#{6CWA|0U#C%kllc_4UpA<$p=m@w%47{{dP4&&UNwO_u*lvix6% zd>i)Pk>&q^EdP(j@c$I{KZm^a4Y~hqvivUtcgga<7xI3{hh(jPM3(@c&Ad|Lt#V*01Ar$jIS;k1YSEWL^J? zEdS?Z`M(VLI_$q8%l{o&{_l<9{~_#u4EZ(W#WywUlmG3&9kTo{L*5N}pRDx{$nt+^ z4F5;Q@PAB}|CKTPpONMNoGkwr#_)d~=5H*A|68*BKa=JEl`Q{TFKy13{BIk>|1Mec zdzQoh0a^YJ$?|_fmj6?-{I87R|I8TvFUj(COP2qKkRL6F|7WuNFXp-bEwcPC$?|_p z*7cu|<^PN<|K}lJhW%G$`M)8{|E)3n--Z46AwP%wLYDu!8i82%58;s1~<|0l-qe@d4BGqU`zjp6??%wJg!|JP*se&p-@Rcn8iaRS^ihX@P8iWFD!@uOS1gmljZ-BET7M0 z`F}Bn|E*Uv=STC~WXy;EC0YJ=$?|_dmj6St{2v*^|FJRrpONMNk}Ur>A>UdK|Mz71 ze+u)@mc#$zTXX;WWL^IOS^kg7@_!ogS=hfO%l`#g{x6N;|0?Xi4*5Rh2eSM>1wNDI z_a)@lkhi|AIUibon=Jo3#_+#1hW}l%{2v&@{~=lakIC|XVhsOhVSa5n{GXHM|CTKO z_hk8eB+LJkG5o)V`Ng6+AM(FVmj4~H{O^(Ff1fP>2gdM!Xbk_SWcfcQ%l}o#*OtTo zEm{5_!u+G<@c%;A_y6v<=hweSmj6St{2zyW8uqWq^1mj_|G6>zUxfXaA>W34N0$GG zz(=zDKZX1p@+(>X7vIsG5Bc9RhW~A2_}?MR|DG}Y?~~>KkSza4#_)d{=2w=({~1~S zugUU%OP2q8viv_7!~b)bf3Y0j|BF{P=R^Lt$nw7=%l|G}{`ZXGf8QAXkIC|XMwb7J zkS{HV|7)`R--Y>m%i;ftEdM*-nfqUo<$s?n|A!$Thy5pH`CpOc|I8Tv*J1y8$k!p? 
zkmdg_@SZIH4{7jbr7qa}n8pHqMRkyxA;D3uO|4U=|-zCfcK3V<`jN$({%%4~e z|EFa6za-25HCg^|$?|_^4F8W|{>gIqe<92ND_Q=xzpFVP^1nlt|D`ef?;6AZAzA)U z$@0Gr`P_2&za-25O_;y69R453^1t=nx&Ljl{O^+Ge?R2Iu>XiG|0iVmKQ)H`RoH(P z@@2?ZWcj}dyd}&3UC8$#Ka%DDi7fxm#_<1Q4F9iW`QKhP=MxP7J7oFaCCmSwG5jBf z`6J8W|ClWQ=VbZ6B+LIbS^jT~;r~9&KUfa`Ph|OjCd>cgdvgCzcPmZ+c1A;Is8A6<^Pc^|1V^H|G$#ufAPJ|`2fTJ zmNESAlI8!9EdM7VpIQ$8XJq-m2=kYg!~YFg{-4RZ{ui?RZ+&0$`sIIzth`Is{ynn% zACTq$&=~%Y!v5os&q7|4<^Lk^k}UsMAzz1lOV;b(k>&s182%rO;s22=|1ZY){(mLQ z|JL_6=TrW-jp2Wntoc35;eVej|EFa6KO@WkIa&TMjN$(}%->iJ|952hzbDK86IuSB z$@2eV4F9jj@W1l|&H0f3eX{%?g?wx|{GXELe;ww}Er{*TG>e@d4BGqU`zjp6??%wJg!|2Jg$ zza`8616lqb$@2eX4FAu@@W1ui-2X0F{trSvv>g7A$@0Gn^JkXB{{>n8@5u$nfh@nz zWchy$dFuz8*RTECWcgo`<$u>0{`bQE{g97CJ|WBhD)5Xf|Lc&?L%t;I^{>eCe{Br^ zH^%UPOP2o!WB7k0%jYv${$GsYf9rM4`PBS28S~+Phb;exWcfcP%l|1^{#VBEe;(#9 zEQkLqvix6@<^PT>|Mz71e=vssM`QSZCF}ct=ZBj0%l{r(dEavQKP1clNti#i9RAm2 z`M)LW`tQi{|45eq=a65+{>2YBuV4PR$@0Hr4F5~A`nw??hI~Yp|C7K|viz??J`4Gr zto{XA{x6N;|H>HtugUU%XAJ-MWchp~%m0%x{J)0z#g8=SQ~tNe^1n}(|3k9;ACu+( z#2Eh1!u;BD_`e{_|0P-eZ^-h0OP2pTWB9)}hW}@>{BEst|4Xv+uI2E*PnQ3qFn?@0 z{IAIJe@)i)-;m}1o-F^5AwP%xFJ$>&{AjZt`QI{z|827RJ0b6fd_b1}qrhXb{GWt; z8uA%g{WV$s&yC^#!WjN9$?|_=4F9)e`M)R2|AR67KZp4j%klmHN|yiK*Ei=^{`bl9 ze@K@9BV+hK4f89@;eSn*|8uhZUy z$nt*>cu1E2qmYk7J|(NaBFq1oG5oKM;s2a0|5wKFe@&METeAG$8N>f$n18Yy{-4S6 zzw?IN|1Men_sQ~qU=07qVgAH&_+OFb|BNjE7i9UrB+LJmG5lW}!~Z>5exJ$mzxeUo z{}x&PcgXU;7v}dZhyNq8{GXF`{TF2Uzb4E7ZOHdw{{vb6pUCq6Yz)6IVgGB$J3ohhan%6wf+fN{!fkJe`O5+XJq-mFoyq2vix6@<^RSQ{_n&5gXQr5 zNS6PtP40h(EdRS?`QI~!|HCkUWI6nwkmdiBEdOh={GXHM|H2slFOA{<^L(-8}dF`>mQKi|IirzkBs5}m@NM*WB5NK%l|o9 z{x6K-|2oXySPuWUWchz4%l|7`{Z4CdrWXg7Q$@0JW`P}~&S^k$~`9CJ>`cKI6e@2%7^N=sY{wuQl z-;m}1))@Zp!v6b^pF@5j%l~4Ve?7Fw^1mJOPRP4tt-nW>|9xZlKQM;>L$dsz7{mW5 zS^m$+^1n8Q|I09cWjXv`ljZ-BEdS4B`FthI|Kg3ez8>IzhphRfy54PnQ3uF#l{h{4ahv_rFip^&gPs z|ClWQry-w({cE!PUy$Yh(ir})!v5=!??Zkd%l}j0Gg*FLLVgW->sOldq4l@P^1ovY z|4U=|-zCfcfie6alI8!HEdM9Q@P8KO*OtToIa&U1$?|_smd{7B{687P|7)0E{AzPP 
zG8^ixa*nb)FZOC_I`F{v}B+LI($j>3ak_(MrYtD!K zZyCe?wlVzgkmY~R82Er!{!hvBzYh7_a`?X_%l}Q7zqK6x zAIS2*^;^0BZL<9DlI4FtyiH*vi$FcyieBt1G4-dk>&r`82(Sf{?m}pL%tx(|5e~MS^jTA zz76@Ftk-`a%m1S>{687P|1(+s7r&kR-y+NZ4q5(}#_+!%<_|1~|3k9;pONMNoGkyB zWcj}`hX30ze`h)TKal1Bku3i&WPSg?lI4H#mganb;eX2*{&&gpe@K@9laNm>hyOFO z{9lCmOUvQ^hAjWjWL^IYS^l?vr+NMIze85uC2Rj4S^f{m@_%Ry|3_i}amZ&OugUU% z5qL?K|ErL%L%t>J_3y~?e{T%`561BSNS6N>V|@R=lI4Hvt+t1!7F4F8v5{>pOrzah*2Em{5_$nyV4mj5SX z_(~Bm zvivW}^1o{g|9fHoe#plmpOEE$6?jIL|8>acAzza9`d4K6zcz;d8)NvtCCmSVG5kN0 z<@1>=|1ZYyzx4;r`PBS28S~+Phb;exWcfcP%l|1^{#VBEe;(#9EQkLqvix6@<^PT> z|Mz71e=vssM`QSZCF}ct=WWgU<$sT?yl*-DACl$&B+Q>$4*zSi{NIvw{dZ*feGlu_rvV1<0<^RbT{$IoV;_c1(l>aTV{O^a(w^4lI4H*9nJZb|9!IjACl$&$Qb@l!~Du} z_+OLd|C}uUS7iCWCd>bgG5p^e!~Y{$eqYJ@{@?!NW_`*#WaRL_OP2qGFn?${{GX8J z|B|fhzaq>3Em{8WLw*eVpUCq6LYDtmWB6bE*Jgd{Z;>${c{k)eviu(e9+Kt%DCFai zPs!@9$nt+?4F79m_&+Dh|CKTPUz6qkmMs5w#_<0b=ASHw|7WuN@BB&bf0r!(`(*h) zFoyr*Fn?k>{IAIJe@2%73$pxQlI8!(82+z~;s2g2zt3d(U;JtAe~T>tJ7oFa3-kMy z!~YRk{?Ey}{tL4FUz6qkHst%T|A8$3Ph|OjHiqAqu>UpWoj=RJK1#Cu?*;CY<^Le$ z!;p{3TK|MB|EI?AzcPmZGqU_&7{mW1S^lrd@_%Ct|My}3!E*S2B+LKSpXdH}$nw8S zmj69t_&*HuN0!6?30eM6$@0G@%l|o9{x6K-|I!%#Z^`oiNS6PXkY6pw_y5+ZS-<=* z$vR%wa`-yU5B1;>so{|{vOe>8^wCvw4Y4teXp<^H$H^1lq+ zCCmR_$onB5lGQ&V%m1-4{GS-Z|0!Ai*T(RFPL}^mvix5e!~boVzq1_v@5%E2O4i?h zTJLPmm;CRL<$q}m|NCM7z;gIMBFq0VS^igK`9CAe|JoS-&yC^#nk--UWchyz`Pp*# zeaTS^l^FvN>P!zikZvyJXGpSq}dPWcfcN%l`>k{!hvBzcPmZGh_I_B+J(= zS^ghFezY9^pULvS_^aIi7Fqt6WcfcP>-tZ~@_$B_|MQS9!~QF>{NIq}|JE4(@5283 zke@?-A!8i82%58;s1~<|0l-qe@d4BGqU`zjp6?? 
z%wJg!|JP*seUgL|Bqz(e+l!imgD<>`>&hz%l{!+*MCHo|5LL3pM`uL_Fs_Y|B5XC z*T(RF6ZYSR{21~RS^i%FU&->n_`k!~2U&TCto4^<`QJ5$|2<>)-zUrekum%qljZ-E zEdMKG_&*Qx7nZ~SC0YLO$@2e5md|Ih{J$8(|JJ*j^P~A~GUmhok}UtbWcfcJ%l{!+ z{*R2||JWG*&&cwBNtXYckZ&!A|9i6hKZW^c%i(|VH@W|PvabJtEdR%3`9BT$EbL#C z<^O^#|Ch$_e--v$hkPIM16lr`0-wq9`x5eN$XoxTIUibon=Jo3#_+#1hW}l%{2v&@ z{~=lakIC|XVhsOhVSa5n{GXHM|CTKO_hk8eB+LJkG5o)V`NiKh=R^Lt$@0HLmj6An z{O^$za`86LzsWG9R6R(`u^YjyZrk1$nt+kmjC0B zPs9EdS^n2#`9C*?|BJByGUVHk@5u815co)z|EG|jLw+U8|Kie|5Bc9RhW~A2_}?MR z|DG}Y@00)a)6@N5@0GqD$nt+=4F9KLeq}lQpOK&agrd0febV2D$nt+nmj8RQ{684O z|8tmsu^iw3i@$Hq$Nxxu@ALTd=LK2*mt^_hCCmSwG5qfv!~Zc^{?Ewre-ZMfCRL$hA^bN{EM>r0j&C0YLUZ2n!-{Bf8+A-^&8 zJ${;gerSAK;uZNWPb`YNd_}sRx;j?tVjqyDaAH)2U<+r8$LVix#{~mR^UjNvv zN5^lIk>8f`lKhK_-{5Fm z=VwON{+GnBPr2sz-n%G%!sc%iV}HH=GgHGjQ*vieqJosVr|@4qDW^^e{+U(Y77_m_9e`>%=p ze0Bd#!|Gp<)xS>c{inph$ol#l-7oLok#+nE3%GXJs|I2k(IYTEbs3o_Wns?@86NtUv~5U1zE?R zJTUKHkdK+Z-M^ZwtACr=`!9)o{iBa>SpA#C-d{c<@4qDW zKmW={Hmv?RS^ew8-hWE${ew@)`&Ws*zdgwNPl>(1{fT-1jI91;V(&jB_Ws@{<^7Aq z-d{W_?>{8={^HSj|CFr$d1CM1CHDUElk@&MvG-rdI={QeZ1e-oHug z{q14iUnTbb6IsXKJTC7)k(CcWCGVdm_Wo63?=Lgyvif_UnfI^AI)3$8dH;&6y!F|6e>buBPZE3oj;#LjbMpQLS;wD@ z^Zo@{`IRjHJO3f?A0_tw4O#u|&&~U5vW`D`a^7E)m7mG#Z+%|gKS=ETE3*2F&(HfS zvW`Fag1o;XD?gIee@*P?zxRcC|AMUkOJe`}n@k$k@q16n`zK`Od$Rh^iM_x4qP)K* ztN)bP`$tdB`^%^0{Ufsaw`BDn6MKLAi}U`9to}n{?;kup?{9xe-ajC#e@#~ZKC$=X z2RwfLCuH^S5_^B|8F_#4%)GxxR{xT${%vCKza;kl(U&%?{!L=R%@I{zGE#?|oU`zew!;#q;w1 zLt^hQzC7=rlGQ&??ESmM-d}!2-d`v7{tH>>clZ3f|3X$i{>mm-|17chZxVZd`>XQ) zDzW#U$U6RJmiM2?%7+}A8 zV(+gKd;fu~{@yp_{VTGLU%e#nUy+r!zA^9bCiebGV(;IP)n9&7-oGI0_>-6B{R^`4 zD_Q<`=6U}pvG;Gt>TiE@-d~e-{L#zu{+g`(OjdvETk`%vV((v()nB|k@2|)@{@@jP ze??Y)B&+|L*w26OTl4+}S^by9{`H5?ng{Fn`0RH7{x=~j-;>pUPVD{Vx99!%taF?X z_2aY0y&s?T?fv-dZ0{eD)xRaH|CreO+uxb@S7i0$v!A^mpSA4$`0QfuACT3*CaZs+ z*!zp`&if~1_2aX5y&s=->;3rbSnuzV)xRXGf1B9*FNxhheAcR;e|+|-_v5ohy&s?5 z>HX#RHmv?RS^ew8-hWE${rId)@5g6PdVl--^L~7GqW8CdAn%`%)xS*a{fETf-&^JV 
zi^Sevye99*XV-au@!Gt9N>=|ovG?y1dp|zw&DW35Uh{r@)|sDwe0G@kU&uQD;~#2r z_0JM}|0c2b%;r;*&E)E&${q_e0GHQZ^-KJ{AAwWPwf3wV(-UiEqFgZ`@sA0Sp(jWXZL&mimd+D z&*c5x#NIzi?EQGwz4znU^WKkVy?Z~No$mb$vih%N`QQ2ZynmF~`|+%C@5i&hy&uoo z_I^CO+WTv=`p;zbw|*h-A0+mEJnPx}@$6;q$Fq*TAI}c<{)(*rBU$~|#D4yJznu5u zS-akkXWx21o;Bfa~!{^Gat{s~$Ac=n$6<5_p!k7vhu ze~+yGC0YI3#NK~N?Ec|dYkvLl>@)Ajv&Ot1&+hX6@+}Rke@<5aI;nd z_LTRx-^+H`!8gj|MAZ1e-oHug{dm@f_v6_Y-j8QZct4)q z;Qc4E`iFm%_fHdh|0=QfZR{xQ#{%c}C|GmG-`xj(g|4U-;$Gzs>k9)Vhe?nIOo~-_JV(%~i zF7L;^&c1%!d+hzV*Vp@T@2vNa$m++vs(!q|Kjiy=_mi6YEYr8~>^{r(d*t_74ifu) zmZ!uIO8dO~zDe@nGt$O1dheO%={C`u`N})D<@Z^R$hyyRPu6{wt@q0Bi|i-%`z#lU z{XWZmV!zL_b9Lzi+dBr~E$4X=1<668BMpb>C#280THrbxGEFZ@+hbokxk? z^J8MaZmm|s+P@;}`0K=e9b0$Ky%>CHJIz*ZlR4$?DsY z^?Hwqy}$jwd4EM#{~@vW5AK%tcm7S@KP0PvLstJjvG?PqVn6>Avif(4y}x(&yuWzA zyuU|QKkln^AGV3T|B~4INAKUT`ZtNazr07@e@X1VlpoNr`f*>S_pcLs|0%Ke5AK=w zuM&HI`(AnfDY5srJ9$6utMvY5V(&jB_Ws@n=KYJr-e251?>{8={^Eo3e%x2-{qw}$ zzf0`><$d!0IHV|B-oHug{q6hZ{Z(S`Kaq9(O_}$f$jWhF zrT0%0d;co2_ZJ_M_fHag|ADOIukN4sAIQpaU#0ht6MO$6vG-rd@_+Q9dH;^A<1ZeN z_wUHcabKnP4-gyvif@;k@v62 zI(~IW-oGL%$9S?Bdfps$h?0+*6}9~%KH~&<+!iX`#Zh7f0Wq!H)Qp< zADs8sWF3F>QF(t&R*w5By}$L*dH*1>_piw6FCLQjS7aT3@X)-!A}hyzmEM0%?B~Dt zF?s)jto}=4|N5IetYIC$*U$SWWaYT8()-Vey}$g}yuT)^|CHGKM-R{Y%a6k7`!9*zztJZ(to}`6?=K&f_g@m@_&M z@X2}qDzW#sACvc=5_^C9v3Wo4tMvY5V(&jB_Ws^5?_VVL{^D_Y{~@vW7oU>%|cMAr#GzQ_r4_WpOBT~zDn;uC-(kwn)laa^`8=Z|L7TcfBDS3 ze?(S4?yL0vV`A@be`(%dk=1`l?EQmh<^Anv=luh+`f*>S_wN&XfAO5We?nIOF0uFb zo}2dqts~`7OdjB@D_g@mbf1@vJSpA#C-d{d1@4qC*@!$RD|Ccwce%x2-{p-Zu ze@g8AgRjW@SBbs9{rtTDl-T>*UzzvgzDn<3CiebAV(;&LRo=fy?ES?o?>{8={^G0i ze%x2-{qw}$zf0`><=5o>bz<+okad1{FUb2ZWaYT8()(wLy?>L~``a(f`>Vv>eZ@5t&eU!M0b$U6Sy6?y-HtQ_}MdVl9z z^Zrp{@86Ks-~P6|zb5PWqeb3dla=GXO7Cxdd)_}t?ENdU`it+#`zx}JKX_%{Uy+sL zzDn=ECie5+`_8<7L011Iv48zdUe&OU-}|n-e?nG{`zpQvoY?!z@6P*cvieVny??aK z`^)di`$uH;b$@Gy?OtDtbW{A>HYh}-d}uQ-ajF$ zf0x+%d*7e;7eA2q_sHtUeU;w7P3--b#O~i{)v)?EiM_vkP2PV=jN`xi&;QpptbW{A 
z>HX`(-hWE${evIO`&Ws*zx}$r|CHGK+dq`|HX8h-oHxh{l!n@{gcGre<17lt4-d2AS=gxmEJ#2?EQ|Itt7{X4Rbzxe6Ae@9l1`zpPEnArR4#NK}*tAFsbdH;s2HXWp-hWB#{*8XGVfAkkdw+Sz`!9)c z{CEHP|N9NAANN&y|2nbvpAvij;J@Vk_{=)*Z~sBwe@g8A?YHIqxUbUtmx;aqkl6cs zf0*~UczfP|NbLQ^ALaeHuhRSHiM@Z9*!#<4-d`v7etc#USm$^5j=cXuR*w5B zy?>V2`!|Wbzx`kHetc$*_v15bynpj2dH;#5e%x2-{nNzWze?==#h>N<_{5k7wq4fBlzv|Awr7+*j%S{lwm1CHDRUS^aosy7#ZhI(~J|`&VS;xUbUtyNSJj zlGyuqWcA~j)!vV1M*I3F@5=iZWcA~|O7HLdP2N9B?EM?E`ti(Q@5eKHy?^w#d4Ek- z|Cy}&zgmBn_YV?#|B9@BJhRpN@yt~3AN+mZUy;>+O^oB~c$0s~_b>i`#%;xI|Hq6& z3!82$=Kq*SpZ(s=_ThWv+wXIyX8SB`fBVg$Z@YP>rtk6J-iOCYuiM9`CU}qHy^EXr z^zR?caBx@rOL{$F{^R*N*J1mM(tI4}f!trm`F6gZ(d`WQj|cPhbi#V^Oh@!CZ`OTl zp9kvv=!G)+=bQDX^`>j$<4rexw-tB>rH_BP3+T4ueDlv+$^XONS-O@!?#tJ|4adI| zUk{!!>El5+=Ow+KyZP3lsJLD{6Vk_H-wSkGvAer(O`moAzRh;rYv|(@yzZNO_|~HM z0KQJ#8|dR#`8rqk@~uVDT#wrd+{@?V`8+?1d;8X+cqKi=y>~u-n&-d1uWv1if4VvE zw-vZo&c~nfbylTsEsF2s`NzF&KJL%;PVVnp(=%Uro^dalkDp-g=mEYpJ(HEk!M$TX zp3mNa#AWz&o;Td<<>R&N?cL#9)5lWt`r_U!AHTrsTRzCQ7R8tG`r=-yZ16m{KPuZ= zJe%hY_dfafIIg#NsBbNbAE5uZSINiU^ZH&M=39&6o$STEMLr(D^`0K?Thp_NxnA50 zsx+-Z%ywH;CgW{fscRU>uf*8w-&`yxL*A3-^Y^IrFfce zEsEFiJmYuuKHkpjdwIHVP0yz0dhxsUY;e7&XJlK8ALn_-@4|gNhU+~%%eNNAFY!F% zch^3?kJoqiT;H0Wt&5SKec+kZ z`15En^R4OG+`PW{-K&qk|2ZC9lXByU8IkDaJ{3K_|~F$6xWO29s0O~>m9t*w-&`8^E~5seLkMY_4Z!oThp_! 
z*^A%J`FI_#OZf`lnw}NU_2PGFK0cT0Z7+OlQ9PaN#qYj+Ea`LcO5a)(@5|%hcU3F@qL4t_T6J% z6i?=P!_QWI+>7fyz1g>>_lEKM;%A{g-pcEH_-)^s{(i{oi=SQkcu%f(_g3Fp6c6Wm z@v}xB_vU&x2j5y0zt8iGpAGuJX9VE;`RWgRYf=0;d-1b8AK$_2g3qz{ac`~{KYQ~r z&4H?e0&pq#^)sacrP9YKil&0CaxEsE9>L?czydP-x-Wq`FJ$1FFv=>$6L5w{H({vd-6Q@&b~E$HVDrfem3LdVLZ>}yL@X=%y@nAvlJgs z;CkEXXB<90nCr#QK7722*SGk4-SkTH7u~S^jx+^7Pxus0y$}ES zH8M$nUd(?wH-0ex`Hq|Oe0#AA^Y6}eox=8QIzEo`(r}z--^{zcsKTjx z^UZa?z37MY{B!KZXKeVmGkftKPal7Cyei{irbAAe5rmK%R=FYq2tA0N-_g3rA0aVMUCyywzKU)TNazBT>5m#+u!k@WG* zoAY>kfzOoifzNPBe;Y6Go<<*U;CaJmK=^n+o*%pi(Z}6*e(;$MKJXbTI6mGp=;P;k z{_zM_i}(2X_)Yq-D1B>D47gsrCodaZFFwP-$BVdLyob)mi`k3M9Pn}Bdhwn& zAODN%#b*Tgcnr@Q-lOK@<-ES5JA7;Uxdg8--c#md&g(k}Kd*QY&l}zY=HnN*UOY43 z2i~WR^N;sz`S@49PCVn@$JcVbc#oBjFX4LeOnM)`&g+Z!MESsblF^H2$ou$Lo@cy= z$;Vx}UOe;N$7^_f@tz|ekL7w#1K*ndoaOb!dxU(vjO)cS)qUKV>&1I|e7uX-1a1Qy?DmBk7x1v;yo@tu3Rsk3GU;2czyAn6d#Y` zdB!umef%WXi}#TDcmuC5p1JMge{#Ke&xeoC=6dmrY#$%R_2NAmKAyz&;+fVynx6}& zKaW1ox2ESIaJ_g2wU7I9y?76Vk2mxB;+fGt9?JFNJqteW$MxbF&puwj_2NASKK8sW zcqX%tH}E{;Jpn%6&ew@&DEoLSea1cfKJL!-;+e-jUPGU8&%KWsd-057AAiR6;vRV) z|G@R)nZiCE!t;iE+I@TjuP>ef?Bff0eQ^)EkFVqP#WQ<-+?VGK_l*1aNv;>q*!A%w zo;Td%?c<;LI`K?gAJ61^aZk37FW`FX7yH(t*zo$|9%>)&&Gq7$vp(L%^Nf3*ecZ(7$$MxbFqCQ^A>x+9>eLS4!8PELm z@dLcRxaZWz>v(%}uGecXlX#XXZgeudW;&zSUaf36qzIQqCJ*NbOD`gjJ{i+d7%{3@>tp5f@@ z)jZF*htS7c`8x5;MITS(dU4O6j~3U9XC(T-b6jvfagUyl=du^iH1zR1Trcja^YPbQ zFP=f@<3o7fa1Wf1ui^E@GXs5m8n16_=Ua>7D|vnKj6WZD;d#S7W%}wMeEcQPGwvDk@eW=WJY&trM{vEk$H&K( z*B8%3^YQgO4(`eE@iXkjGt7JpdEUk+-&z!Z#r5KuV?LhG^M-p~d_0)v8P5pw@d{pF z+@s>-)x5rVrk9UD;CgXSiH}Efy?6$fkGpZbxCg|?fa}FGvwZvpuP^S|@bNsZ7tgrz z(dFyx{iAPf{{6P}-|2DuOWN>$>E~Su4R?R{T@FP7#=w{P-R(FxI;CyU2J`iw z5oKbGPfHUp|K_wN)<2;u=IgJYWnzqV`X9EJfHXSIKZw{8osYgb{>@3f zNpyUiMjS_fohi8={`2|n#mz~&*>a;n`nN7~tmonTFt zH1Hks)Pa22=?ya>Dsya~JudieD6IcpPbx#&vWiM-*1b1JmMLzc*iGx{?+*Ozn{J} zUVPrK%4gqkgcJO^uXp?G`H(aI{Jj42_1BEIxW^-&@rrkR;@ju_K6~Dur#UO1wrAgQ zgcJP0IWBRHTioLj&v?ZIL9Tfaf^FA;u)`a$0xph^6$jY 
z-hVIf9Y^?c{|@)ruYWL};}X}n#XTPJj90wl6W>00Uf{F){{r7}gg^K7`=9;#2je*| zagAHt;}Oqz#XCOn?UUylKD+;)`}e!g`p$TS6a2tAE^&=p+~X0?c*Q$D@$K`y{PXJt zzT*f#&8hsfJ^#FT;2f8@#x3sgh-bXw9iRC2`Cs1u7x<1NoZtt}afxf(;vSE9#w*_O ziJ#`Me%hYzzZdw9Bb?v|&T)xr+~OXOc*ZN<@rgfvQtRb@e8*37ct35=$1A}PoZ}ML zxWzpl@r+lz;}bv4LH_BU7x<2!<|zO4=O_4qb6nyYx46e6p7DxzeB#>|c)8~VzT*fd z_-PLIPamHgm$=3)?(v9cyy6|7`1X0Pi+VnvU*M-X<3HUK;RHW$j!RtQ7Wa6>GhXqI zPkj4AFZaE`PjlkG)Q=PVz&S2)ja%H~5zlzVJ3jI43%}g=0^f0jpXU7k^znJ%9GAGp zE$;D%XT0JapZNB9uk-uN`H$~7!U=xh9GAGpE$;D%XT0JapZNI?MW5;aA}`;ccO2ma zKX8sqT;mq^c*HYa@s3Y?`=T%RzQA||fBF7>f$uoN34Y)lm$=3)?(v9cyy6|7`1U2}$9Ejz1V3<&pVs7g+Mdt18n?K| zBcAb!cYNa8{gd7K%>KNU-agr$ea8__ z@B`<##5Hblk4HS?74P`OPir9N`2%&xiAwe#W2Q zXZAc^Gv4AJk9fu_-tmcVUzUD+#}Q8O1LwHJHEwZ_M?B*d@A$;eFQ9zBKVF0{ACEhZ zaDpE=$0e?Di+eoc8LxQ9Cw`tt>@)pej(!~B=lPtTzy87a^ZO*9$4ka*+~OXOc*ZN< z@riF={^i~m_>Lo-;0MleiEG^A9*=m&E8g*mZ(o6ae8*2~Dn4z`_h*71IL9Tfaf^FA z;u)`a$0vS%LGN?Vi?8@{-yKId!O!pWeZIb&@eSmEFTTplxBon!-e>w5e}13(^Z0}D9GAGpPivq)ZO_-&;}Oqz#XCOnEqeL(Uf?^9 zaDt!KWPRG6_dmxau5pWdJmMLzc*iHcebtxu_i4@8r|o(F?>NETBH8cJrPdu(;D`l{`?%5xW+B+@rY-<;vJv(`3=0E>HoSf@BbY~IKdB` z;}X}n#XTPJj90wl6W_kx%e^n~9Y;9951iu?*SN(!9`TG84g%+Ei3#}Q8O1LwHJHEwZ_M?B*d@A$;GZ$v-7;|M4Cfpc8q8n?K| zBcAb!cYNa8H>MxoafB26z&S2)ja%H~5zlzVJ3jI4b^7rgM>xR`oZ}MLxWzpl@r+lz z;}hS$3H|tvBb?v|&T)xr+~OXOc*ZN<@riHWlzx225l-*}=eWc*ZgG!CJmVGb_{6tw zMnAse2q*Y~b6nyYx46e6p7DxzeBxV5KfdD#C-{MLT;dwHxW^-&@rrkR;@dZ;AK!6= z6a2tAE^&=p+~X0?c*Q$D@$ILFWHu|5C1tr>rw=lprRXMDsnUh$4k{5)ab^XBn~*;RHW$j!RtQ7Wa6>GhXqIPy9TQ^z-@nB76CG+;M~x{J=RbagAHt z;}Oqz#XCOn?Yq3(`vTu_gcJP0IWBRHTioLj&v?ZNEM!uSK{xWqMXagRql;}!4t#JBHF zKfdD#C-{MLT;dwHxW^-&@rrkR;@kJ3AK!6=6a2tAE^&=p+~X0?c*Q$D@$F6e@$))? 
z&*yu@c!D1|$0e?Di+eoc8LxQ9C%%1O`tcn{IKdB`;}X}n#XTPJj90wl6F)Cx{L06N z;d4H|y!d`EACEhZaDpE=$0e?Di+eoc8LxQ9C%%3EmwTVrxqLnzcg7=};0MleiEG^A z9*=m&E8g*mKUpB^<3sS=`=WUHc-(P>6a2tAE^&=p+~X0?c*Q$D@$Cn^-1`FGafB26 zz&S2)ja%H~5zlzVJ3jIAI<23%|9{}i$K#G8oZtt}afxf(;vSE9#w*_OiElsX<=z+g zjw77l2hMScYuw@Bn~*;RHW$j!RtQ7Wa6>GhXqI zPkeieetgFfPVfWgxWqMXagRql;}!4t#J3+oKfdD#C-{MLT;dwHxW^-&@rrkR;@gj; zAK!6=6a2tAE^&=p+~X0?c*Q$D@$E;^kMB6b34Y)lm$=3)?(v9cyy6|7_<5n{&;0wZ zdii+VafB26>Gh4Do=?gdFL8}q+~X0?c*Q$D@$G+ox%UOW;|M4Cfpc8q8n?K|BcAb! zcYNa8|3*K);|M4Cfpc8q8n?K|BcAb!cYNa8kES2rafB26z&S2)ja%H~5zlzVJ3jI4 z$Iy@OIKl~j;2f8@#x3sgh-bXw9iRC2W9i3t9N`2%aE?n{;}-XL#4}#;j!%61arEOm zj&On>IL9Tfaf^FA;u)`a$0xr1@ATt4j&On>IL9Tfaf^FA;u)`a$0xqk^y52@aDpE= z$0e?Di+eoc8LxQ9C%*mo+b7#AAAkJh?_cNENE< ze&8IJxW+B+@rY-<;vJv(_Dkr;cO2maKX8sqT;mq^c*HYa@s3Y?`=#{bJC1OIA2`P) zu5pWdJmMLzc*iHc{WALT9Y;9951iu?*SN(!9`TG7C5l-*}=eWc*ZgG!CJmVGb z_{6tgdHZC0<>QZ^^YP^czT*fd_NE(~s{s z!U=xh9GAGpE$;D%XT0JapZNA0=*M>);RHW$j!RtQ7Wa6>GhXqIPkj50^y52@aDpE= z$0e?Di+eoc8LxQ9C%*kA`tcn{IKdB`;}X}n#XTPJj90wl6W@L_{rHX}oZtt}afxf( z;vSE9#w*_OiEqD!etgFfPVfWgxWqMXagRql;}!4t#JAr{KfdD#C-{MLT;dwHxW^-& z@rrkR;@e0+zT*fd_NE);RHW$j!RtQ7Wa6>GhXqIPkj5m^y52@aDpE=$0e?Di+eoc z8LxQ9C%*kY`tcn{IKdB`;}X}n#XTPJj90wl6W@M6{rHX}oZtt}afxf(;vSE9#w*_O ziEn>^etgFfPVfWgxWqMXagRql;}!4t#J4|4KfdD#C-{MLT;dwHxW^-&@rrkR;@cmh zAK!6=6a2tAE^&=p+~X0?c*Q$D@olCb-*JQ!{J=RbagAHt;}Oqz#XCOn?f);RHW$j!RtQ7Wa6>GhXqIPkeiyetgFfPVfWgxWqMXagRql;}!4t#J4|6KfdD# zC-{MLT;dwHxW^-&@rrkR;@cmiAK!6=6a2tAE^&=p+~X0?c*Q$D@$HY(kMB6b34Y)l zm$=3)?(v9cyy6|7__olG?>NE);RHW$ zj!RtQ7Wa6>GhXqIPkj4}^y52@aDpE=$0e?Di+eoc8LxQ9C%%0^KfdD#C-{MLT;dwH zxW^-&@rrkR;@e-MAK!6=6a2tAE^&=p+~X0?c*Q$D@$E0ukMB6b34Y)lm$=3)?(v9c zyy6|7`1V)m$9Ejz1V3<&OI+g?_jtrJUh$4keB0>9cO2maKX8sqT;mq^c*HYa@s3Y? 
z`>XWhJC1OIA2`P)u5pWdJmMLzc*iHc{WbdW9Y;9951iu?*SN(!9`TG);RHW$j!RtQ7Wa6>GhXqIPkj4_^y52@aDpE=$0e?Di+eoc8LxQ9C%*k7`tcn{ zIKdB`;}X}n#XTPJj90wl6W{(Z{rHX}oZtt}afxf(;vSE9#w*_OiEsaeetgFfPVfWg zxWqMXagRql;}!4t#J7J+KfdD#C-{MLT;dwHxW^-&@rrkR;@e3-zT*fd_NEZg7VOJmCdz_`nwq z{uTW=#4%2Bh6`Nb26uSC6JGF!4}9U^U(=669OD#cxWE-|aEAvx;RSE_z!whw4gEO8 zF-~!Y3tZs_cX+@PUhswweBt2V(vL$N;}mDOz!h$AhX*|21#kGk7Y_bE`f-S3oZ<`@ zxWWzY@PH@0;0+)6!ok0zABQ-`Db8?#E8O4?4|u{0-td7h9Q=FwafoA_;tUtK!VT{5 zfG51*4IlWz!6$$9zTIB=_%M9(_y>nL#wpHlfh*kL4i9+33*PX7FC2W%=X`Pke5N0V zIL0Z?aDgk_;0_OX!VBK;fiE2V2lV3*$2i3qE^vh#+~EOFc)=S!@P&i_kbWHE7^gVH z1+H*|J3QbCFL=WTzHsmg{W!!iPH~0{T;T?Hc)$~0@P-e3;ov`_ABQ-`Db8?#E8O4? z4|u{0-td7h9Q?=h;}FL<#ThPeg&W-A0Z(|r8$R%bga3qn9O4+KIKu_5aDzKM;0Z5y z!w0@_5YUf99OD#cxWE-|aEAvx;RSE_z!whwQ~Gg;W1Qj)7r4R=?(l#oyxBk|Caf&ls;0iam!vmi1f;W8N3kUxN{W!!i zPH~0{T;T?Hc)$~0@P-e3;o!fdABQ-`Db8?#E8O4?4|u{0-td7h9DF|dafoA_;tUtK z!VT{5fG51*4IlWz!RMzRhd9P5&TxS%+~5umc)|Zg7VOJmCdz_`nwqz6kv|#4%2Bh6`Nb26uSC6JGF!4}9U^i_(un9OD#cxWE-| zaEAvx;RSE_z!whwTl#T`W1Qj)7r4R=?(l#oyx$*aD^M(;Q>#0!5cpCg@gZ|ejMT$r#Qm}u5g1pJm3j0c*6(2 zaPYeKtB#~j8mN9 z0#~@f9Ukz67rfyEUpV+u^y3i6IK>$*aD^M(;Q>#0!5cpCg@ae=$03e!iZfi`3OBgJ z1D^1LH+e~c2Rz{gZ}`9$4!#2YIK(kd zafSZg7VOJmCdz_`nwqz7qX7#4%2Bh6`Nb z26uSC6JGF!4}9U^E7Old9OD#cxWE-|aEAvx;RSE_z!wg_3jH|5F-~!Y3tZs_cX+@P zUhswweBmIXABQ-`Db8?#E8O4?4|u{0-td7h9DG&!afoA_;tUtK!VT{5fG51*4IlWz z!B?Xnhd9P5&TxS%+~5umc)|Ub<4es!OC%oVdANaz-YxLs~ z$2i3qE^vh#+~EOFc)=S!@P&h~K|c<0j8mN90#~@f9Ukz67rfyEUpV-h^y3i6IK>$* zaD^M(;Q>#0!5cpCg@gZ*ejMT$r#Qm}u5g1pJm3j0c*6(2a1hgvLmcB2XSl!>Zg7VO zJmCdz_`nwqz83vB#4%2Bh6`Nb26uSC6JGF!4}9U^YtxTI9OD#cxWE-|aEAvx;RSE_ zz!wg_4*fX9F-~!Y3tZs_cX+@PUhswweBt2h(vL$N;}mDOz!h$AhX*|21#kGk7Y@E2 z{W!!iPH~0{T;T?Hc)$~0@P-e3;o$4jk3$^e6lb`=6>e~c2Rz{gZ}`9$4!!~XIK(kd zafSz8{FXmPk6x_KJbNuZ$>{3ag0-(;R08Bk|C zaf&ls;0iam!vmi1f;W8N3kTnvejMT$r#Qm}u5g1pJm3j0c*6(2aPTeY$03e!iZfi` z3OBgJ1D^1LH+Ub<4es!OC%oVdANaz-8}#E4$2i3qE^vh#+~EOFc)=S!@P&i#NIwp7j8mN90#~@f z9Ukz67rfyEUpV+q^y3i6IK>$*aD^M(;Q>#0!5cpCg@f-*KMrw>Q=H)fSGd6)9`J-0 
zyx{|1ILPS7A&zm1GhE;bH@L$Cp74SB7^gVH1+H*|J3QbCFL=WTzHso}>Bk|C zaf&ls;0iam!vmi1f;W8N3kTnWejMT$r#Qm}u5g1pJm3j0c*6(2aPU3p$03e!iZfi` z3OBgJ1D^1LH+WrXPnm#wpHlfh*kL4i9+33*PX7 zFC2Uy`f-S3oZ<`@xWWzY@PH@0;0+)6!oi#L;}FL<#ThPeg&W-A0Z(|r8$R%bgYQc} z4sncAoZ$jjxWOGB@Prq<;R9bd_z8{FXmPk6x_KJbNu?@vDtag0-( z;R08e~c2Rz{gZ}`9$4*qBQafoA_;tUtK!VT{5fG51*4IlWz!T&-(4sncAoZ$jj zxWOGB@Prq<;R9bd_~G>95XU&h87^>z8{FXmPk6x_KJbNux9GBk|Caf&ls;0iam!vmi1f;W8N z3kN@nejMT$r#Qm}u5g1pJm3j0c*6(2a8S{YLmcB2XSl!>Zg7VOJmCdz_`nwq{#W{O zh+~}M3>Ub<4es!OC%oVdANaz-|3*I!ag0-(;R08$*aD^M( z;Q>#0!5cpCg@YeQKMrw>Q=H)fSGd6)9`J-0yx{|1IQZY`$03e!iZfi`3OBgJ1D^1L zH+Ub<4es!OC%oVdANaySLq862j8mN90#~@f9Ukz6 z7rfyEUpV-w^y3i6IK>$*aD^M(;Q>#0!5cpCg@d0)KMrw>Q=H)fSGd6)9`J-0yx{|1 zIQZ%G;}FL<#ThPeg&W-A0Z(|r8$R%bgP%b^4sncAoZ$jjxWOGB@Prq<;R9bd_?h(M z5XU&h87^>z8{FXmPk6x_KJbNupG7|oag0-(;R08`*hd9P5 z&TxS%+~5umc)|Ub<4es!OC%oVdANaz-FQy-dIL0Z?aDgk_ z;0_OX!VBK;fiE2V68dq7W1Qj)7r4R=?(l#oyx$* zaD^M(;Q>#0!5cpCg@bqL$03e!iZfi`3OBgJ1D^1LH+e~c2Rz{gZ}`9$4t^v3IK(kdafSZg7VOJmCdz_`nwqelz_z#4%2Bh6`Nb26uSC6JGF!4}9U^x6qG69OD#cxWE-| zaEAvx;RSE_z!wgFEB!dcF-~!Y3tZs_cX+@PUhswweBofEABQ-`Db8?#E8O4?4|u{0 z-td7h9Q-!=afoA_;tUtK!VT{5fG51*4IlWz!EdJ@hd9P5&TxS%+~5umc)|Ub<4es!OC%oVdANaz-d-UTF$2i3qE^vh#+~EOFc)=S!@P&ilNk0y8 zj8mN90#~@f9Ukz67rfyEUpV+(^y3i6IK>$*aD^M(;Q>#0!5cpCg@fNsKMrw>Q=H)f zSGd6)9`J-0yx{|1IGE_iA&zm1GhE;bH@L$Cp74SBk|Caf&ls;0iam!vmi1f;W8N3kQFIejMT$r#Qm}u5g1pJm3j0c*6(2aPSA| z$03e!iZfi`3OBgJ1D^1LH+7i9OD#c zxWE-|aEAvx;RSE_z!whw5BhP4W1Qj)7r4R=?(l#oyxz8{FXmPk6x_KJbNu zKTbamag0-(;R08;uxnm!v(HzgF8In z2`_lV2flFdXX(cwj&X`JT;K{fxWfaU@Papd;0p(Tj(!~C7^gVH1+H*|J3QbCFL=WT zzHqS8k3$^e6lb`=6>e~c2Rz{gZ}`9$4*op-IK(kdafSZg7VOJmCdz_`nwq{v!Q2#4%2Bh6`Nb26uSC6JGF!4}9U^1Nw1@W1Qj) z7r4R=?(l#oyxz8{FXmPk6x_ zKJbNuze+z2ag0-(;R08$*aD^M(;Q>#0!5cpCg@eCIKMrw> zQ=H)fSGd6)9`J-0yx{|1IQU!i;}FL<#ThPeg&W-A0Z(|r8$R%bgTGBb4sncAoZ$jj zxWOGB@Prq<;R9bd*y+b1j&X`JT;K{fxWfaU@Papd;0p(ThkhL57^gVH1+H*|J3QbC zFL=WTzHsn=(vL$N;}mDOz!h$AhX*|21#kGk7Y_a}`f-S3oZ<`@xWWzY@PH@0;0+)6 
z!oi31;}FL<#ThPeg&W-A0Z(|r8$R%bgTG5Z4sncAoZ$jjxWOGB@Prq<;R9bd_z8{FXmPk6x_KJbNu|C@ds;uxnm!v(HzgF8In2`_lV2flD{(2qkL;}mDO zz!h$AhX*|21#kGk7Y_bD{W!!iPH~0{T;T?Hc)$~0@P-e3;ou+8k3$^e6lb`=6>e~c z2Rz{gZ}`9$4*ntiIK(kdafSZg7VOJmCdz z_`nwq{xSVH#4Q+~RpH}PBeZTt>?7r%$!#~xA8mpUHl$?AAf*9#2?{T{we+VRs0%$9lwF!#BbrZ@jLik{2qQEe}F&4AK_O{ z`thsyHT*h$1HXyi!f)eu@Vodu{678we~3TAulzIm@vHbX{5pOEzlq<%Z{v6HyZAl) zKK=lIh(E%w{B!#8tN1niI(`GciQmF+<9G18_&xkS{s4c7KfcksLTJ^ViY0Dp)-!moTpKYkUzhF`~T;5YGG_-*_Seiy%o-^U-|5AjF%mH&r+ z{3?D8zmDI)Z{oM`+xQ*)E`ATck3Ya4;*anv|1bUcRs0%$9lwF!#BbrZ@jLik{2qQE ze}F&4AK_R2CH?qS{2G28zk%PxZ{fG`JNRAv9)2HxfIq|^;a4vD@vHbX{5pOEzlq<% zZ{v6HyZAl)KK=lIh(E%w{44tLtN1niI(`GciQmF+<9G18_&xkS{s4c7KfcksLTJ^ViY0Dp)-!ms=r`thsyHT*h$1HXyi!f)eu@Vodu{678w ze~3TAul!s3@vHbX{5pOEzlq<%Z{v6HyZAl)KK=lIh(E%w{D1W0SMh83b^Hc?6TgMu z#_!;F@q74v`~m(De}rH8cl6^|@oV^X{04p#zlGn%@8Eawd-#3)0satwgkSmh^y63Y zYxs5i27VL2h2O^S;CJzR_^R#LHsIy4Zn`xz;EKW z@Z0zu{4RbEzmGq_AL9SNwEKr~9KFvtuAP(ZvyYB1vE#p&#BpTDj+wDulG5zNOmaBL zu2{GbQV~(+PP6AlxO;~kp5X%s*nm~CaG}BlOBF5%*alQM2ob=5N)`u123)X6p^`xS zN3mTHh+pb`e=~buZ0sTe=Jb3X>E+8GCC$xlv2%on_b@*^f&+L4&*3GU!Yg(X&0X&1}@Dfhp6}*Nw@D|>|d-wn!;o*lcKRkj1 zcm~hmC7i-5cnxphExd#G@Bu!;!xu3>Jc0vw2G8LooWd)34R7Eryo2}f0Y1XRKgRs< z2oB&GJcpNX3a{Wbyn(my4&K8D_y`aG1oOiqIDlvH9A3gHyn@&82HwIucn=@oBRu>t z=7&dc0MFn#yo6JD1+U=^yoGo09zMWFc=!>_50Bsgp22f?38(N1Uc(!B3-91Pe1MPe z@J}&6Jc0vw2G8LooWd)34R7Eryo2}f0Y1XRk79m!1PAa8p2JHxg;($z-oVvU{*nIs z>Kbm~7Vco@V|VlS$9oBO;Si4C7*5~}&fx+s;R>$d25#XFc0P{zVHXbJ2#(+iG5RTv&PT&mA;Q}t<3a;S>Zs87gK8g8Z7Y^YFj^PB(;2bXC z60YDHZr~Q~VCPeqA9mpoj^G$h;0(^;0xsbSuHgo5;SP3Q!u+rchj0YPZ~|v=4i|6< zS8xqCa0_>^^JkbJcHt0?;22Ke49?*KF5wEU;RbHu4tD+=^TRG2!Vw(937o+>T)-t< z!8P2#E!@G*UtoUNg+n-kV>p2`IEM?kge$m)8@Po#*!eW(hg~>?BRGZ=ID>PzfJ?Z7 zYq)`1xPzU)#Qd-ehj0YPZ~|v=4i|6^^BK$!yKo3ca11AK2Ip`Amv9Bw za09n+2Rna-`C%6h;Ruf51kT_bF5nWb;2Lh=7VcnYg!y3?4&exn;RMd$94_DzuHYJO z;1=#+=d+j}cHt0?;22Ke49?*KF5wEU;RbHu4t73=`C%6h;Ruf51kT_bF5nWb;2Lh= 
z7Vco@uQ5OD!XX^NF`U2|oWliN!WCS@4cx*V?0g>c!!8`c5gfw_oWVI^GsgU|3x{w7$8Z8?a1Ix630H6pH*gDgu%j?P z?7|@&!7-e`8JxofT*4Jx!wuZR9qf3RA9mpoj^G$h;0(^;0xsbSuHgo5;SP3u%n!S8 z2uE-XCvXPmZ~>Qa1=nx`w{QnL0p^EYID{iOh7&l0bGU#@xPoiAfm^tPoeAcLT{wgz zIEE8AgLAlmOSpn-xPe=^gPkenhg~>?BRGZ=ID>PzfJ?Z7Yq)`1xPzSw%n!S82uE-X zCvXPmZ~>Qa1=nx`w{QnL_c1^0!XX^NF`U2|oWliN!WCS@4cx*V>|A1g*o8wlf@3&= zGdPC}xP&XXh8wtrJJ|U<%n!S82uE-XCvXPmZ~>Qa1=nx`w{QnLU&j2f3x{w7$8Z8? za1Ix630H6pH*gDguoGf_*o8wlf@3&=GdPC}xP&XXh8wtrJJ|Vq%n!S82uE-XCvXPm zZ~>Qa1=nx`w{QnL|A6^n7Y^YFj^PB(;2bXC60YDHZr~Q~VCNq(KkULG9KkW1z!{vw z1zf@vT*D3A!X50q{OuET=RMwf{MOC&^7Egk|q<`A0Z!aD_P9NV4UVZDq?PI4#o}m}Xny+8$e7Ei0G^guu_rU*k zK7;cl`NpHg)pGgd=HcrDeU7hPKfbvhq*qT~U%d5jIXJ&bpQKl>>if4Jo$jB!vAjyJ zZZGp7dgT?hxU_et`|)COX^X&w@xqtJlSWCnu+N>CFkS@G_|kaNCuCg=-$VHf!llnMIGr*@SuL7AXe*+o+cfdtQlek=0|P9+2qJQMU$eA!!q zGC}X{$=(u_3FC#5y(I(^JQLJnI<~6=37&)tbBXNT{nNeP&IEnwr17Qkq)`&4cJagn zJ*qUmG@dj{LSPq7P0(9P6G-Dr<4L0=c=kM}Cg@8iO(2agjVFzgFdfU7Cg?Gx@ul&k zQ4*&16KL;)OB*~B`ZvL;(H}(#$^<>!g?+LwL7AXGR(4S!!81WGvTLRi0tuc8ddonz zl%Pz|t9{v0f-+&e@a&?ggg}C4f_}#+yE>5InV|O^%bpUHgo$}GU7qgsDVWfI0Bz$- z<4L0=T-e1E6ZE@C8ebYu8YN+37fnsjTS^m1<4fa7qa^tDtfnUD(WD8a@ul&kQMZj< zt>hd`(B~jcAdN4LCykO2m`i5wCYLt&5|j!0sP|6~DgExUL76aKT-Zf{1kVKhGTNt3 zB?J;Y6ZFgzyV{qaOwd~fcDXM>nV{d|cF|NqAi=v0vbSeLAi*<1f9tYGnMm*@C=>KK zjO}V)f|79GH`i`rLjNt+Hoi2TG)lts^b~z%Oz1y|x{~OrgnV=RIc1<9`lQ5my=iY{iG`<97f_{}J_Bg%-WkP>t%&R<= z5J>P$(4Ppqcq$=~;N1p$l!<49FF~207Ro+i?)5oI@FggD%5-d>8%XeU_yd>uv_$_P zr|i4d1pTg+#+SyEMoG9hEz;*?g1#!!_|kaNC<)W4-O7f3B=ZVSP3S-Twh5&1rSYUu z5_~zF3Hor-1k(7@c+#lb#;#U!4kqYxkS37Em&TJu>F}(}D}Q7-w+Fu*n~NJr@J!G@ z@tq#&zem{MnV|Q-u#0>N%7p%#gnh^cJ+f)^drpFq=S<|e5&{XH33_w8_f$e4!81Xh zjW1^-L7AZU_Uv+Bg1QZ|x3VFS;F+Lj8Qax?1W$+m_wAqbKN|PkGmhduc;Bi0&kw%) zLG!Qe-F3bDulL?nr}Q!`?Ejs*r*9wDi+|tx@BQlOXAcI?zng;(>BaBY-OK2|HhRyg z`L^v})c5_Ivc7kJ`;Pv4*8V@U`~LV3?Efvj{#pCKWB31Vzlpx}`}JqU{U6x*&7b1? 
zXPVo0?eF#Zz7+PJ*Ke!){`~nG-nYLO=X+Q$`%C>5yFb^z^VILvk>~dJ{a#PsexT7G zlk4U8_HaM?iQWI{WA<6r|MX|?euVQs*6W{j{r}~&=Jo$CyS%^tFX%7XUta&d<4paM zAO6I=A}`s$U+KI4#{K(G$+Px<`EzFfckJKS^!xQ6CGJ1fn?D!*?;HA|Z|kqy+l%(| j_tI@+0?+lIb;0*e|IByp+4uiv?$%xF=gR&cH}&9m;Hz?n literal 489384 zcmeF42b^40+5hhjn`8+k5C|m@GXa6nL+@}yCv;3G0&XT-k|o=+CCL)Xr6WocR7BJi zItqwFK*1dmDK?5q6$pw5hzg>D6!ZW7&Uw!4WjEvd`v3UO=2ulMnY;asPj z-kd*QO1a8H`OV=_`t^u=mb~feS4jU){MT5K|00Zp5#+aw@>EVW=b@b3^~+rT3r_Ln z^l$f^HC^&(n)Ugxh>8=^{iSyFPZ#=YOcWRTX%y-D`{hQv?4tEniXyUcb&+M<_QTwT zoR!~8y%lB>XNl)oeDZ`HUH(0ntM&AM)%JF--qZOccfMfcWiIcYE4*K?I+>t;*$$KX zB_dY6J2<9AREVJZ+R(c5VRqJYh0p&Z`D9m=kMA$#v$@N`|4?}oz@@$zSFSvVMPq$^ zufEXLSM@oaW5G;civ^}X*;nV7$C2fz8{yj}-8{DP3Us#!CxY6m@lyHy^_C~y0KKKs ztx!LUyncF?`2OwP-j@@`r*5+iouO_Q-(L$(^?r5huI=n<$Hp8>X;%&9k7{@3D1D!( z-2V4TZ>rzI{cJRy=ya77C-W4Bd-tDiaP*2T^O1~{}=hzqB{a1JO(|+E_+5I>6F@N6Z^OJuT z4E;FX=J`;M1-s{+|BCAWaKHOd<=0*9$Mb(XzxJ&==Z#a1RIWmAlg0l;hsF9&cWTcP z-_B6)p!f9nttfp+x8S10wR>D0LQsA;_;#J#>87{nA@<*+}e?{XH#=DR%HQrIoJUw>4*T;>%{lnaB z;KwCfq&=Y@gAR2c_AGkW<+EVy-9EoXzW)}Cz1^MnF2RW~Vx=g$op$B6mwGs-yCs3+ zh?leA_I})%qYM1y=s4o#`_Qikdwb6gUe~>6`E%WWTXXc%p9*2#ok^xy&L6T^_c#AX zEu&ZW<7n*-`DmR{Iq7=7X#LM6H!rA43r_VqbGnVAXnYPMA@pPK75==S>)rhMigXeB zvH!gK@6hwOx*c4>LC51dw{zz~5C5z_|I)ZF^6gXqxp5us2d@9P_AK%`3*#~m|13$j z9{r|Uh*F`}`5lK&G#)*Rye>!i>VIT>R9?`-zpjHve7QIJa(mCVc1VW=r^ho> z=n@e#V~97F_M~@6-FjB6|NyMehtjSQq})=h1O>|1IsUUK%ze#Wn}gLi(v*T%op`-p?#3lir()=)I|;_aQOA?_Vapk1LbjS1+RXRVsQP5_*3{ADi z-_P7`?d|_Pf^Rr`Wj`Y|pa=W@WBU75EBgLT_&(Tw&-?ca%cS>Qne={45xpN-(K|XH z{GT^%Q6{~wR3^RuWnDLa4R~IC%h@aQyLx9Z&+k96@h|m$<~m<)$@eo~D5Cc(Dtbrf zgMWT+EtB34DwE!KEu#0GDtaFhdS9bVdVkIRrd8?Rzd!5C9k8Ey%GoRX8SQ2U^M2+I z8~;-8XFgLVy`NS@?>!a0qw~SPpP5=Fy>DG6y??BT-Z!Y|eMsp2Z)4p0Rr2@mkNR>; z{=AyE_V$1OexI{f_A^q$VBXJMRVKa9DU;r36w!NaMepc*@b71KFO%NaDwE!;i|DTk`$P_1510`x5lzrXIw9q|7Bcg|j!-`(^+h`%p(zm0#X-@kvkOnU!p5xsx9 zqW2*&zt@*Z?|YR=@7om7`<4~G4+*^wFO%M1bpK*d>Gv~_`Em#BXMXDJmHo_M-_P7= z<6r9i%voj9dq)wyw^j5$B`QsbMg`f4`(mdY@S)y&qph@6#%JN9Tk8{rjXc>3!ug>HR(Z^ZKl3 
z{pa_0oV_x?t9J(T{QiWEf2p5WZ}H`pd_Qwd5xsw@qIYyY_~-YoGU@&BGUdf%Z;djEJ4y-%pir&%r;NQ>0WzzflWzze|B6=TD(fg3l`>$7X>sQJDeS+`$ za!bCS`MR~Y|9<8sXRqvMq=vz~pEztsDg3(BPT`9<{J zUC}!_AN>27qspZB&C8_su|@R0Zbk1yLhpYb>DI53zkmO+FSq3TnR~6h{olXe5cs-qHEs-_Pt^CcTd;lis5udjD``&1;qUUA-`v=l7@G zIG6t4C-|l>x8(bo#n#^b`@r1{S{yCfcNjearVl7Mx!#A_cPzK@h|oJ_b--7?-v%)`*{_;qw~SPpP61Jz3)~g zy>C%O@0(ThJ|y&>DU;rx8{yW?lJ94J;>#VdpLxXDEBhIZ%3$8lTx;WB>ix{=Wzu_V z5xvi@=pCI8{{75>WzzfjGUL z2J`&>GaLU>Kd;{4%PskS=Bgrk|9nO7=zQ?c@9kyM`ypl0`|d^bzDq^#LqhMP%cS?; zSG#qy{=L`PEBhI#VKDD!t}c__JIkc^ z`XYMIRrHR|2mgL%&ob$KOqujPyolacs_1=4=>3I^Tfa)apIPe5E%|=tMr&{X{mgaF zUfIt`4TE_wA zMrAP1?+@7cm-_wtSIVUKON!|IGZnp~^T9vAHx$logx+h)r1zJ! zY?k5g4L{+_9k8Ey)Y&Wh8P^R_&-HIE7xgak=Oa+bo6DCk*INet0_b@hb2xgIJm&ny z)ot$_dv5UQ#&u3|=jzWa6xNLu<)=S*UC3|IyDq;4WAAox&my1Sg0Z&`sL$=xCpX%C zOc;%zUKAA_N4%WBEZVck?^kA8`SUE^di2eBsotgD&z$4SE&2Yv%i7!j{ftJh^6!fU zT@GHoA7Kf4z5!k4Nz7$cv;?Ihw~+j%M~=D_`r+@_jf@`9Hk^|CyAZCEYxWM>TOm z=(+wf-=3U5SAN@ppq6DdTuh^UhdO5-O>?CAKCrb z0Zxk$CPC#iI`Th;xn8F}oxVQl`)RxEit_R8S3Vb{@=e4+N7 z&at4$3v+?#PwM~mF$NbOzGzEkP)r2Ciku*mD7XNm9U zUcYTE=(}!njSBVK&G&!Z`pmxs)nE79QhqDEhH^)>%Syek_p$UY{q@(o|5i_*9#!uf z>BF8Sz8?P@-DfFcfdBv0Ki2PIU!!sr#tirE)43GUTj$Ix+@FX0Nh7KD>wZ$Y>BRqP zeR>xA`!CdET4t4K(%i#(bUq(#jq=NO(dUg&&vZT1q>%5ljLv-h6d%W_zwYm!&e2(! zquvQFa=H>q*HWVLRXl1wKM3h{HQf(Er=cF9AJh(wYhgSW`F#GFepTK8{r(d@g?eg! 
zQ+eAGcaDA0&2M#AKkee4oZWY0AM@vpz8><=f}tPB`(@kZqkI?ao_GE$s{g|_uLd2c z{JN|Cc>Zta$-Z^!ym2IVBQf^?z$Q7iCY z(fEY%E~HD1cN8<;WBq=u=SJWDVQx0?&|dmeA&$QT<3P~Jm_IXIt}&tm&SFGZ=d?ljqAVs9_CHA5EXw9<8?X8 zSN|jXew7#W@UQFO5nt|&UjMykTRRX5*)Bg$@tM-Kl|R8>Pd|6Oh@W&t(+B8d{4DRk z;3CWa3V%K<8tdTXx_hkM{{HV-^st+E$E|gjvum9G>*f<$R?$1U`KRw4KUXHb&n~mx zPb{MM@BV?MZ+@TT=9T}v`F+PS>3y}5>U~(Wfz9jxa1i!e zee?SJ&i)@iuP?U!=xEoRXu%d<->SDl&ytGX|M~p>q>aB{_s4JS`|UXPz1m+E_7ng1 z{mgB?-2d@C`~T;D#-7g>T+p!nh3D@BJ>e@h|m$W6C3|h?`N*_<(7Ou^MxXMzoMe|Au+$V zmPzjil}Ycr7Sa1o6}=A$y{}Owy}#yu)2j5}CwSJEJK+8MQ_f!5&kXkc%pErVrQXkc zrc8Q2t%%-xDtaFh^ZV2?>3!=m>HT9x^u9qw??XcGe;cC}tn}~SANA#y{CPER?d|{m z{XS=}>}RBg!TkRHsxs+)PMP#Rqln&XD|$!gga7^e?q$;ZT4mCEbrHQ+RrEe2^!_XN z5C4>YKXa!qx8(bo>#e>0_cKeJy|SOtZe}p=XU-^--j6Gj-VZLK_X8?=N9TioKa(w! z-v93YC8pB9e}CPVJK+8M@0`6dzq{#u5PzTGejEQ%zkmO7ne_hIB6|OHMejpmey=Z+ z-uEh#-nS{D_bn@W9};>WUM9W2=>El^((h*;^W_fM&-~QcEBl$jzMr|##=q42nX}5I z_l_cZZ>#8iNX+k3%B1&=%cS?Ui|BpLir$BW-rrbLD_H5@zyHveTk`kscUgP;zkmOh zvsd;rQo~?=|9(lC^ggppdOyC1-ltXcj?M@F`}av@()-F~())Y*=k;07`p@t0ID2J& zSMLnw`TYqS|587%-r~zG`F`e_B6|N)Mepc*@XzmEWzzfMWzzfJMfAQ$MejpG@9UIF z?|;&tdo07hr? 
zdf%Z;djEJ4y-%pir&%r;NQ>0WzzflWzze|B6=TD(fg3l`>$7X>sQJDecztsDg3(BPT`9<{JUC}!_AN>27 zqspZB&C8_su|@R0Zbk1yLhpYb>DI53zkmO+FSq3TnR~6h{olXe5cs-qHEs-_Pt^CcTd;lis5udjD``&1;qUUA-`v=l7@GIG6t4C-|l> zx8(bo#n#^b`@r1{S{yC zfcNjearVl7Mx!#A_cPzK@h|oJ_b--7?-v%)`*{_;qw~SPpP61Jz3)~gy>C%O@0(Th zJ|y&>DU;rx8{yW?lJ94J;>#VdpLxXDEBhIZ%3$8lTx;WB>ix{=Wzu_V5xvi@=pCI8 z{{75>WzzfjGUL2J`&>GaLU> zKd;{4%PskS=Bgrk|9nO7=zQ?c@9kyM`ypl0`|d^bzDq^#LqhMP%cS?;SG#qy{=L`PEBhI#VKDD!t}c__JIkc^`XYMIRrHR| z2mgL%&ob$KOqujPyolacs_1=4=>3I^Tfa)apIPe5E%|=tMr&{X{mgaFUfIt`4TE_< zlaxvCCzMI=Q;O*Qpo-qn`QYErY*Z$_zhC9%k&@5vZ}@Ttynlbq*(>wAMrAP1?+@7c zm-_wtSIVUKON!|IGZnp~^T9vAHx$logx+h)r1zJ!Y?k5g4L{+_ z9k8Ey)Y&Wh8P^R_&-HIE7xgak=Oa+bo6DCk*INet0_b@hb2xgIJm&ny)ot$_dv5UQ z#&u3|=jzWa6xNLu<)=S*UC3|IyDq;4WAAox&my1Sg0Z&`sL$=xCpX%COc;%zUKAA_ zN4%WBEZVck?^kA8`SUE^di2eBsotgD&z$4SE&2Yv%i7!j{ftJh^6!fUT@GHoA7ab-&#ZMZ+TBuRYg$eT~4*w7k4`hEM0_<1?vuzx+l` z@Yj2n_;>`Lj=V@Zm7{rFLol>gH!@SjQfS<=n3cvKT7gr4g!^XXElq@;MU;S<&%Y~W*8o)A4Sqnws0EhQl#OO zUGinf6oQ{W!$sFDd?XE$3Bmm%7#e3njsAhJaSo#z{bQaRdmfOl{t$Mzk1@^@A8WjfSj}IPLk({v8pEMo{cK{*h8M!pwBxg) zXhGnrs^}b;P@_LydZojtMt_+7YR^@g4PuUO_;crXpYdqo`#qDB+ZR?pY}c5zqMv^B znm>#DIB3?;IH=7QTwe!!xPVV}7Ki6JREEMb4vk&R@dk%}Q9I#ylSBUqe4gWP9E8=i zDui@kW~{6}d}M4@7X^&f(wEA!@r^QMAdWd!F;3uhe8#J90H@1HwJD=gyn)wpayoaZ>k%G(M~m$xnFpTa<4)f%G?coMO~Tv+AD96j(3#0ke4uPp)X$Xj;~@TROwuP->`G#6?0f{ZP(M2>uWROx|-5`7ubflmze)o z-4R}e6dy*>xiJH@F1(AS*%;RRljqnH-c@!IZ3piL#<1!wpXtQAn12HA4XeC`@B#2% za2`I&d}1!11goA2+z#(2A9w+*wCdQ;7-xyEG>(b&tta_RC;pmoLVSzyLgJ+yuKvV7 z;MiYz(kTzZM~az1AAyes6DH1|z@HK`5KqGg!g=`Du&XB%;U8g_C;Sh1IzE~RN0ILg zFowq(C-4NgPCg9gW^lbYOaH;jCx-Voo(>-ht6d3vBHRe);d;0UjwYZpcorDLr@0$Am05H5kWzGUG=uuBWy0k>h#!}pmze*j|#w_}eP zkSAb`OL9;Yy$sKhoeX|woWO6v9m)rO4?Z7`rXZ)`)(`ON#(8)><7M#2jiW>916chK z!@I#F;RHUwc;TT@)d|Ln;7;Sk@Y%*o;4c~H;cpm!AJ(2%dEO7}UvCiq0Dj!~0r*AZ zAHr`NKM22P{17~X1xslkhSxHF1m48>NAOO@KZXy1)vo9;)_wQ_ForePd{Ooz&>MDf z7H%^C7@i9=oKXUwZJdWc4Qm{AV|~szfv+~7=%^^V!R#@7n{gh#7yc4SV{XKU;A@mW 
z{J8lfpNOItjH9Vh^g8?%`M`gLzY6E!m1;ak)1pX^9qzt>H-e|gAD(EOhqp1-=4VIv zYxuE2S2Jj;Z5Mjfp=7sJoMdHBolovb^Hcsl$y_$4@j^)KY#4Ci5Oy!V4+I)82WH}Ziuf~BiGye<4P z9L>ZA{}znlz2H~i1U?l09h`?xf?tI-dC!Dj17mm|to}*h^WoRwJbVTG2CRwyDwzMH z{3%hi7?>ja>?pe3IEL>tPT(KGe~>@?6#S;Rjq>3PybRXnR;u4!;a6exa{|9*K6$u`eMvPw?jeh4xctA&^Bi`)bI8MEVE3uZHSFQxk=PShe|g%q z5#G*t8N4s->c%8G6?W}~>x>ilRP)cnpEh0wUj=J#tVwqu5M7vdw1IX(|N9m3ZbFN7_q z=x8B!Le1{{xCJJwYVwV~3rhnEdGp!RpB8)`!R|7_{y41qtO36a?`^({Vmn^PJ{g|Q z@ke8(rRdMF%2i!Ig!ds%g-pncvWBT{848h>6h^|Ko}*PbZP}L}>lkn6OzuZ!XQByT)3LKHNBlKV_W2GmZ1`>A{~oJ_BQl zVpw~vL*WFz9Q$E#9=^(09r+d5jU)UG_;7rp;q3om@^SrqpZVz01F-rp=6Dn)JEx7O zQa-Q22bs^GjT6o-WYqrmu!sCL7Khly>NP#bc21O0AFYg?;NJZ>!oI%&QRW>oTMZwU zqk0m24XidPTnDSHgyS2=dH7z~%hm5PJ{L_v&V3FmQUc# zu&d4sGf~x!#*5&6j2FX48!v%Rf~Vo1Cv8Jubl3%-EcuIKP> zu<8=d>Hq4OYhQqmC06({e4Kzb+z1~Js-542Pl6NpE_hQ|?Y!6cVfY8ekHJ4Sej5Hc zOqHv%q)}N15-a=$R#|zD-@}BOV_f8ZWKJ+9i`719d?NAN_>$jnnjWpRmcKBD7{3rQ z>L&}Cb9vj9-o4xErllI8167m;M0xs@cF@?v{wXw_^ZJmzB%~A--caZQt*Sp zAATbE!@n}0Jp4zqYl3l$+!5{v6@P}6&WA`V#p|K{7ZDG2=%`dyd4b(psGFSJVWM=m9$XRfV zKcVIn7r7r9*{4{ZYVR@d?7r(Fdc@C5T#gcsv?Ze zv(CgvEWb8mrln}UvGx`gGE*s8?{t(;7Gr|X_IB|C7(GTY$K}Qe{8i&Td^1cI)f3_H zz7LG<#C|Yw%+YI{hb?42O$X~85N&j6AHgT+`7!uB9OK}PTNnIG>`1HnVfbY@)bkI< z^8X9mNt|$eV4R1m*Rgqna!0~Sn}^qj=fJASc(@yk;jPRkffeR+=GuPF0(94%!2mg3Wc zm9Bh0WxtpTzCu2PnuH&JF+NKcLa4v?m&bTh_?bC`{#4t8kKTcw8?O2|GX)xV?;&Iq7^(Ob3#^rF<&Ob*Sb7(zPJ_$!H{)C##_|asn zK0OVlU2g5X$lIgO5v#ash~=X|JWO@H9@`bp!gC0GrLjesX=E1oSYvJjr_ZJMf59%^ zYk9|uw!%kZ|#p8l!EX9 z_Ae91I`JVBu5s#Wto49?c87O~GOJo!IM1joy}QKZ#$qEl%yr>iXDr9{qG%y;!Z89S z)GXr1Ixzj~=J}1`#qJVwl=&>-e9x4RE?;XtiYV8uBhpfMrjq?S{jhL-0Alrn>U%?738BfACAvtXJLP5?A97hla~-LpOR7hu&t;dm7e`U_S=bLo%oOm={e1O(~Q)Iw<Q!>=%o;l;)Y z9NyvN;csF8K4~>bcfO+Ri}GG z$ZX)QxYNw?z6+VElzn81H#Ej|nC^+~DJvw~9S&OD8zzMBaZoiETF zH)E(z2lii>%_5gl>x0^&Ea&1wU$}YZtW@3fIm#1UPdLuE{GWm^HhvoZim~#ukU4=8 z^f?ESn}2S_C-n8VVBM=(jy(Jvam-;Mvl)pV!cN_)vlyR;pSO#zz$z!^_=9l*zXh*J zoaeBR(O7+molx_ler({!NNrYF=6?Dg^nqIo*2HI#+1E9HrWyC1?$;@QF!NI1d1j*P 
zQD?|xQ@llrH&5{%DV~txlT-YAvfG$C5NZy?z9Y>3$L-S&f~UAktTo0l=btc6;1i7V zaBc9Xp{E3Ycy92AKMNCT{^%m#R|%}=vOk&4B3H|xAL;pvmi8_97MSeZI(Q%aXG`>; z`Mk}!?7`=8So29LWY$Xc!>3YQo8sy4v!o3=SqAIbLE#m6A#u#{Cj58e=^TH7b>Af% z|A0dsv_|iNEfq5FbF%h^{@sG!!EXkCU=CqV5_7IPyi1&LY>AJ{AOAhz53x!3hZraD z3Ff1lqdxe<9l=h6&W3SybN6SB7h?Z{aUTAv@iO>EW6kNe8)xCWjbr#Bg2TS$Fxb^6c>67hs|#J=$~y)hLinB$qu@fu{|h^wQ}Yz1 z`T0cY-HCIFGBY?ip1g>vYq;0~53}4lV9hmAmd_}RYv7AuT&nrcz1KKJJ{IT;x8_`n zkNRC9z2Tk%o3y07krSGICB_c5hLF~@zf6Hn)`komYe+=omZ83gwK>X19j ztdISE(h}VFGab=&yQTaaV14dHP`5-6;}5uJu%E+M%Sh03k@_;>&^yi1)H4r<=P`AL zh0I#UM1{TG+NtaM{3`f1rs|^a7zg`I_!-K_)$JAZ4r(8}_%e3(Qs>4D%%9;6EWZz6 z)iKYp9Ntd;T+4jSv+nC*##wkZW4+fN11oI|Z)lvr8^aC6d5&$&o~Q43H`d@CU>w7T z7$@-2!5=;eZX^$NZe#F=+u@Oz6W(Z^YJ3)aF|1oi`8MJP2de-r&$V{80_#)u)Ad_YqD_`KFm0V^&OxM$vc6={GW%9!$6v?54wd$1+}N;dbl^_B?zVta(ghcd2mRlE$|B=~dlY5m;~yS{_C9d_lZ?;!38?;%EOdbhT->PdVMc9o^?9UcX{ z`xHJ2cH=_-&4PEqU(X}0@NP=G9?!_;6T{~kPlqozPT)nb%M;df`tC~0GsvyjRUbV( zeh1cX8^`cNuOgG_uCyb=rd#caCAMkq^i-&&mIh00zb#0bxa|wX<2wTe6$3`910&Nzl1n8dmcW_ zSQR-w_*X?$Ib+7Ds>yg?xZRj>syfw}v8lSi_yG6|#*9`Sb&N5(sXECR-BisoMmJUSj8BBmH$Dlz-1ubpOU8U(ylRPYEqtr-bofr= z9NcR>1Af@J4t~lQjaI#4%sN{2M`PAPl+B!?vF3OmyR@+oR@js{Z@ih}4EGoMb~=IA zF;3vkV5QB&ddE8v|7GxQ=A(sYiuuIw@$kO*Plua~^}X)7=99qZ8!v>ffK_fDRv>Hl zUiTWa%XV{$gHJVZ7xtj}2U08_uDg7GiCy_CJfGs%QvBBx%dgtfeweaXbI*r-)=2TV z6mJ3(YG^~WCA=zGJOS%q!z)szwnBy(j|A^4n{ z^0~k`b{_6WW(Tx=1$IKsuB5*XR$8@1?*v|Omw2CyU40eXIZ*Y)R4=94EEeTR&7*mcyNW{;Hy zW*v6-rnIU&^PC@IJ{si1VAf~%8BKUkl3*|F_uylLKMk4=vxd9xz?}lKhP!#P%X~CX zo({8~t2NOD#tD46`RGPjWE{g_q;7cZMIqhbp@D6Q?J4M;*sTe(|8j64jl5-9zC7sQK>w6EIC*A^~w_qKEu{9ruwU| zXUrqTu#Jq-Yi3Jhrjijm8c(2pvGFF1a7Q&x1d#wNG~Gx$qtae$sp*2HrwuUGfRMO^UaL^^Ajl+~<6n zC)umIpwAZBlSVOTg|gsh$bVPjJjYA0^T+QEnEk1H#(M{5PwMuERhxUeCgzcFsPh=( zJasP2o78y|?1UQj$suIeC%b@aVIB)(8e-K|fxUAG8Tahw&oa}o??B!}P8ZUSw4$&N zcB)scd+tb>y|oJ`8ONN>g5M=hI4oo)rTS8B5BBZ*?2a^-Q+Ia+pIKbdd!`YX6NIgO z%}Bf0Nm*)F%yBL}i}VTnS>rtXWw=RYax64X;9KBRWJhZjGCIE#J4L#C=m9v)>yN`K 
zH|BW3csi_dv7Z}LH$6Lsy1i*WS$y7ul~2r3y@k!4@LI-scwKlTG4-sPU|a=nVVr?? zH(m+WxXiZtPsWZUhH0a61l%k;VJh5ed?Gy8cse}axDh_hxE)@ZDz=mMG`Pm)LZ2FE zIX~AphA%Xp4u94-fiE*&2w!QOhp&QLC~FxUz9&Dup9WN>G{7sHXc7Lp=QKvD&tz;0 zs*jlFy84K-9JiW%60Fcx<@@{&?8-OKakud@SoP_^N80!S+$p9bweRZ^+g;QRCpMW< zmBL=HT|O4(q!=HkpP!QF6ubVoact+b(fNcvlsWWa77l$F!=VqS!xmhxg}%xLtCOy8 ztNJi5V&~b)1+_(e^-JpJ+6%vs;@4sNxcWlu|JQnWhqCB)_w4(DvF`n97Eamq9K5>m ze0V+M1m3{-LRilV^B9Xfyb*TwkrR|+?)E0^TVW@vj_H71;c$=a1@~wiY4rZ^0`X{` z%Y#3s;a&!#M(k6FV-Bs!r{bT$7AV4B*H{cUBaySKO|qxLNA1)>ze}k5@nD?v9(NCO z?xox_C@bdtLHJB7_ouMtwmkMc=MYEqiG|Ec zu14-Gvr3B3m7fn8-x_z4Su^D`8XilYt5E;>T-LkE^DNy&>=(j$?1eRr^R2P#*+q2= z-yu=m!gokix1I2DeJ-X?^j-%;{nvUnu-XqO?2CN|;(S(T?)P-6<)im` zo!%53j?XP{%<&0WZAm!l;Lngx9`1(SI?nl-#xZ=EvHES1vHI-3Y#kJoE5Yur#Z=bO)IK-Lt|z z#(C^hjHBVS*Eohxh78H28D#Jr(@n=Yl`{yWkJM75ow1--AEA5`)fZl)$UNH>-bO{Z9QYVm@bB z2m3d~Xl)#PE3D5Jq#dP=cyGH2cC{sjC&71eP4D=_XB~RSAMO{uK*@VW4+@KzwfDc{HI};9;U;W7$@*Tcq#eh;ag#M?~G^v4&Q@4hJOsxeNmj{ zchg|kcGyDZv-l~{{MB6B;4_@X+6o7II{poLu^*^@mFusAd+dz&S*ERRDt{}M;c@k@LbVo%^>IPTn-VMQ9f;Mom{`7t5i8yC z#G&sR;h_ESJQ3s5j9q%2&N0t8ffM6}@I|onnujf9>H|^qi4=YXK7^W78#33E<{Go# zpo$WRTt8~9xY2Bj%}4dS1*V|l5qmJ!dJ^5?uOl1u`Zkm|5){e z&xKW8O-xt9lff)}z40V?DeTh1_ZjEmhk~7bjKWWpC;T|}g!7mIdCoY2UxBqh$isg$ zUIxEstPTGNI$u6nSmCGS8N+K~|0ESn;0<8SM|pT7Sas9)Kon}R$D`RtVpp{icsJvP z@F8$cY2i=8GhqGl*-W@jY2j{||DyyxQ$X*yd)Z->`9Num@27qiMt+#G*BcYL_2L5Z z`Jwq<3e)U#7^(9wSy>O^_cdd>Il2`lAOBupUDiv>N52l(-KM)04A6OPT{zY*s-wlh|x^vw1lwiu4F4<}AIjx^50 zdMe-)qSqz6hU< zVBL4&`6`C5z`mpW;jh8YAHELWS^nIEcffnVG5kGvFZsg{!IR-U{5ZUy{JA%uhYyuM z{0I1O`NRK!RnI&;e0SO}e+`%qnfG*V{5bukKvP%KJf#r!&EdSyJ<9ytd}!)wzv$=x zyie}`4I%g`uCGD)gqmN%>lr@@Z*DAoTF8X*IL|y|d9SFPXYJaPmQdwb$UN7_BOeS_ z@_XLww53q*7tHpXzBHK^;oYbkUFY6K?*oVaI0#l9WAZ%$UIr&{`hEN-vAh1_S{*!@ z>sh!3{xxyTVIlL9vFa3zp-$<3S((8JX+q|_--KT`z6*ZC_&#`qv1Ob2UElf0 z>Qq}^OWB8|?7vUh{a;vgIb}|A9qY8}>UKY6>HZDjkCyI7*i%~4c)0zGKC>Qa&QIYZ z&W6Mc+nbhN_ktA_h4FaHu7&g@%lsMJugM30_ul7C_-*t1JFKyYIjUH&{(?P$Eo630 
zwfC=4`F{tiaE`Kj31hoBTp1E6Q(mj5%vB%Vr3fH7sw(6@y#oLKeq;I)WY&S3sqfm1;nQR=7Y^6Yf)B*hnH z&07AtM#zlstDBqC&ca_~r=W7>o^YIxUE{Kl!$M|b%S&@e|GmM=6si!4>%Vr(uHOZr zE30F;@QxBz*aU~z5pxBckl&@$fuVHoeZB;{v9oe$?68UEzo{~}uz8BNO7Yey-X_J{ z85h0_ZTTP(xBlvMGxNEYI=JUVZ2DauS07mW1F1MA+5IW{&{+qQ=_M$g$$Jo_=T0jS)NnA8{Vu(s&uX6RdrX zCZ~POo`nxHj^U}s)8W;5=vF=ne3IE0!i~mxxE)rW%ismD8y`CHTv&5;3}0cKz=vbo zjk@IF!taXHQH$}}9eWI0$ozxzz%}F_cu%vZ`}YjH82UBzce;N=`n@eZRVa*KNPm$z z?PET1st#d|#3d8%bMd~Z{6hMWUq~L-`4B7J{&tb5upc_WY$3h;4#alr-aO}`=lK{8 zqz|7bR?xd)wK3*cijO$q2+t0A_+GQ?KGIyLI>a0gVizYI;k~AG^(c1z)!aPC6EKm} zj6Q!kgp-)D2+vVTYFrL>j&hDhuAQ<^N!c$Ze+!wz%+4HDxKGZoi=m(TpRZ^L!9Tx z?BjVEJRCj_AB~NL%v7EGkSdn%6Pg{@f?h)XaCbevDS)n{EQf{62`fk!_PF?DK2FM! z)Pt|ERp&9R2Z!t9U_Hyl*f)W1qHy`_1h1w#b8T-}^KKSC0=^lJ;c3Aio&meHg36s@ z9K)x=Cv!c4!#*MpC)nNRVBF*vz%M9&_)1u7i{^>&d0HOUb1ltq^Zg?8$1S=ERz0)u z9dQ4-|5KE0VdTc9S&DaS%Xjb(^T_w%>E`<|9PYnI;q)MpS7sB-M?5OUo2GapczjGd z)aTTHOF->X*gp2}q!V~o*zKd?Ltyn`o?{y9G)&v3!wu9ehG)W!Z~`~Ov*0}30iOa# z96fL|am;ZZtUMF=V&gpg1!HyUSK-UaBZjYorGW~@)g<#)l-z%n|o7k2X_?fMbi zij&6c33v{iz)!>Zhy#8F?o>v@c@BWPRWjU{?qDK3JbQFM}U|-&I*z z-p9f2S$+chLHH|53%?3~4Nl;<;4^VgHs;5^p7ZcJFfRO}8t?94-A7q?d-!@T#BdDP zD=mBwd_SCrkA`o^aIy*CXEjbXP5plOM0AAx9`a1!d9do7Y|i(F;EZ?+^aAUi)i3id zfe!}t9h|S5JrC#2?*4F_EhZ8l9qsi zSyy0gkLq3NYt4;ep7|qo-Gebc+M}J8q0c$jcis{>=FoSUt|WHCBqF$yG_P0N$vgYH z%kFz+nf+M98&z;pDL$top?8p2pMRgWxkstooc_oQG$_ZceZ= zNSZldCBE-~olrB?MeYYyzWab*sHa`ZoZXjpzZq^-d%#^GZ4T)X~NW7)r9oWS=P z=i#5g=gXhEJ!KrjFB_}=e}*r|NA^D)M%=eS^pH-+6?K|b5S?p|Ao`xJI-F}xqFx=Hhgz!%}0 zz(>MbJM!?cup85AK5v6B!zYFtVbEz_=TygsZsUmDoh*cD8ALgsT;9#LVOgC4H1 zYw}ayTcAn2|KYrvSSMSPFL8BD8T#8K!F5;cdhUzyIS~GmE^vN0JPiNooaW#!T7m}n zDmcNX9p0N*^_~a2=SQxc2}>V&_&k_8xX(^5fi0Wpi^f^}7Q&$pH^T0-Me?+e33C$X zu3cXslh7{narOr}kv+?CJNXc5uCW5i&h6XuZ>aKrI%K{YD#dj3U3e*J!#%IRX|vF- z|I9ch^>gq=#0kesuw3#SVGdmehxc#lPkjI?ANAYs@V|}|^_zvvA}fQa@O`z#W?N!0 zz8S5{A0n4>H_-8hC@jHkn=!}a(i@cG7h_)9R&a2i+)tKSrEf!*8;-vKNCgyUZLe&Rfb z0(STQ@geNtbNxr*z5V6zGqW0fXd$z@aY*|N{$U({n__)0a1H8~C*krbefx_Mhw>dI 
zY*~)gVC`38cx^b0`#AUx?9$K2VeKmtj;-LO*z@p?@ZDmLy!Zkhl8(O8#`-@z@z|_l!8*Sb8`Gejc9$ZiPWNkLY)?!k$b2Ht09G5R=|QM%PYD z`OE$-Yzk*#zcb|zx@SRM`?mRYS!J|0~Id?klXl_w=Px8(n>_!DscpJfiP>)W@aOI~}(#z)$aki1Qp1;irkE6APL9bWR{Dtg+!fO07Sc-WB*MPlfv}1~cF9bkFD z-&~^WKeOvZg?B?CeR!86zsJmv?p^J9%P9DTb92$v%oBE^dWY{5|Gdv3qwif?$o$gm zM1?j!X*T!X**j*Q>PtT|o&K3r`cS73Kiiik^IRW~{GOGM$<347q94r_3Om8W`g|oR z=d&mFFdyy@hv%_raF}D2K8)3Ofo(WHkWDVQ>I;2&j(n+)-Jj!Fd#X}Kt1rWDRnz&% zms5UAF>Gmmzxk-2Q~h%!)LbxuV@LCQ#nK<$?;IC}kEG+ZMbvJ7uUWcF`=z_R-?_`h z@_CRGm9OJ*^ZUa`>zR4e^2KH3s{DA?{QhKquW(K?n2A}p%~$i`@3AvoJ3G^p3t4`u z&I+<^lD95J}loZpI=-4lo$QhSats$tTNS)ufobp{5q`pTV?(pZZ!KF z@CC+yPu2gA*cFtg{ylku+ePT_#{{mL*2kk$oK5j&Dc&>12d4PA6xXG=EybNFK0C#q zPw|oz>$^aqo;RiJ-%PPSe+fRlDZ75>D%c-Q*`H6b_IknR)s+416tAL(LhHBnQ#>)n zyQO$?ijPWhF2!9bK0U>krugatSaj4I=DW7{%{CJA>H|m1F{{CFxmr_1| zN^#9`eLiDTJU+!+rFf4N@0H5`(3E{@if5#lEuDhX=a*`V*T53!T-xC`wc1n zR*HX=;%8I*MvAMB@5^)L6tA0N{SCiR?#EO1?Nhv8il?SHm*UP8pOxY(Q+#8Jzn$U- zQ~Zk*zmQ`6ZM;y=*HiZQQas{>KA&|`tlt9&X(y!Y+oV|E%@00@r0n{;xxqd)Wj{H^ zZ7Dt@#rk`eA+7%IW8m{rK3Al8VT$!P6odb*DSK~+-%>o{ zlYKsGrFdM5_3uxHd^S(nqo&rbsJ3?UF~>|kq4pDpeDZ+WsV5wDKy7W*&2JRe*6L?> zYiHBU)`t45TpQ*#@UyF_rJ=Jc*U}!fw05<2);85g?KGjsJb8@g)y@}$_EckC;+xvh0(RzD*1ER;E;t*tq# z-PirB<(ue*n%2$Abwph~?F~^&ZhkE_?r3W0jAl3VM00b^-3?JgOM6#Ot#1p~+Rmm^ z8~i1Y?n>uJ%WG_E?xI00x%OyAcVlf=)Y;V1-rP{ji46KCJW(OhtOguAdphfK&CRu4 z9l5#&)q}oJ|Fw2RxsI8gQNiBP6E!yHu(WqHsB*P+ZQb}48q_(fts`~ndZVsuzR#e& zjghIXrLfxOrqiDYMa~IW_P#OHZ(W1Ox!dz09$1@Rl?1E zs;0*5#0f6x=Gg@q2Znhg;Mp4*M+t}RH z-kIXs`i8n(PiuAX} zd+z9RaYs{EPt@5Ep^f_HsIzXCvZ9Di?zoPI+Sa!E22XW#ev@%qU0pXfUQ=7ErEm?O z+0oYB9(9wtrMn;JSgqZwYiop`plH8<7uAZj(EvlhX(&1o=gdqZ7QuG!hu3vLeRai=rnKtH+8Q93ohv$l0^UFSUK;Lm3g=dwm1*HZ!9;JEd(#T^B|~(8g7#KqtJ8hE8rb#M{``F*}H{O>^&z?yiPTHM_Yj zS8rGRxY9u1p7zcrcUwq$-3?69-rUj9($>}BuAt7Q)>;;ky15OarnY&xCdLN^NbA(j ziHa*uZ;iR`W+qy?+9|uXprfddwGqqZ*Bnq!tgz}(0= z&0b+ek9>oKsb%wSe#vC|D%+l($NmN{pxroC=0%v4`LXS$!PQFEnWcjE7x)+TrR z_*Pp2*8y#9UGB7n9&ThnT5_kjxV^2jX@1Cr>7?Izttw%yrEVRr)9Euu{)a?d@8!~| 
zvC!(?nrmrjs?T-hwDQjFY-sWEtQJ4-cFt?+s+(nNtDA|<;;P8n%^J@>p{cF5yF)|J z+S%UGHlG>RE1zgquC+e08N`obIO)vIl^{%oVM6Q7ag*^sTLB~OG>pAgbdS2`c1F4G zdgN5cJ<~A1D{5|=+0?4tRA)nHC$qJqI<``M`wC`BX7ajOCL(utXfxK?(A-!!(R^Iz zMatx(+0QRnOx(KXn%I=k|C*NC-Gm_ylO$`zDQ(>y+~8-uFn_0Jk<)W#@ zCXX2`kMtUA-CXaCZ)i(huDz?9yHw{LY}!o6>>}NA>c^sq_OjkKwdLv}%?G}Ja&>iG zwVJHBLAPTf<7{qA>O^BVznz7G`?s+6q)%$KMrqYS_1GBeHWXLD{wzYFdT zVj-RB8(i0nV!8EO^rLM?H_N!|2#rUM3Z_i-A2$NimhY)>=BM38=0dilnsZx(kvF&m znp7D#O+K~ktlHD(-Z|yqGq>%cEtf1W>IYkpo3vSIn5#Wyqg(F$%-q`DlB;E3+Uh!{ z?~J^g+UleJ1~zZ=y;1ozu<>H;q!XN<&EnjKT}*3krKKe()QzZCO*z zcZ-*22fJKNEY8W@^N#%N<3QRDrb-0-o!(Lt9N5ZZf4|GhfZy6>YF;cn#ipWnZVIhqzgTs>ucxD zVg^@>I%<)WHYlCs;o9IHa8hP%Khjeg2kroLK43!4e~YrSELXZPWk?QZoQ^ABf?tfmb%vFWqg+}xSbY&{Uvb#*WiFjl^M3Ohd4 zfIAd9`Wq;9?t0diQYHZwP-c2{9|;=$Ba@pCZAR);+qFT_vw*e<+PaJN=+we!&&}1> z(@w>StY(|fjV@3nLP4!yq zSX400ViV32z;^Y_Z0y-;XOqy@>%xqS-KDjQ=gk88ry!lPWcY1I7u$Sp zB}T25JqGpZL=)86t^Cbys_5*fi|W~!x-);FRm)6wm}f2S-fm|-`18|m!8DF^q1(D4 zIG@sQPF(KVk*U9V2I=g7Th9&mx8|YR0hiHMVOysAM8dCY?9|gwOHVB~ZFg&{+u6=* zKzCh{q@#M&+POtdt#gB=V}`F^Z7t+?R*XqA6Fui0E)$@+p^<)ImtMz z?AO^};i*`!H2n1I`qgV8WHDQLb01kDx`~}?4?bq1Q+?MgQ$*uNjgMUg) zTl#8iMOgi7b6s6}_wdA#f7={TLfslM6XmbiNB)ZOQ^`eu#BrVj34=4dUR$jT_1 z(M0ZguMi&UXYh~DwKmZ9Ih{OKx3h-o4WJAyGop5{1bUF0Pfwz5f0XOc!&kFEu_=Q6 z33HOWGxR#h-|ss0#3IY)N00ZN{BTPng3y~goqDAM+@(5qGe5DL`iMJbXoBqQ=B*B| zuV(V<5~F)t;Fdl77)4CBCD%PqNjx;>np&froywt&(Ijf0+1A+T5}+ez@K2Mq{^4vM z%fB|^InBTRVL^%fdn8Ct@NQSYGq~33_L-^xo$SFPdI%FQKlFI$Dxv2;8j@~{`ZKJO znrKMj*UX)F1l>-r@Fv8MMXrNqL|4zoRyQ~KEjkaEt!?hM(+jWWsN3xmG)fxr2LDpr zTes(#n#U|=35zMImIu_1)&?G7{UsI7d?b<7x;NERr!oT_aX_Sa^3+3)b+q4+haWY0 zDo-6tu7$20dDN_Rn1M^8BW=%atF zo8YC-hPkw8j$5H!azCZJb1mk)S#XOwFbjC(!b-Tv~cRTa=ib`j(T6SqaLT>F^J6oEVO_VpUwHq57eB*RB zLwXS8T4pq{3P-1~4)B7)y;ZQs`NBEUW`o#SIJcKJ!QH(O@2I=Ht*?)iB(tzq2#&w}hY-C=vovuP%g|5>=oslRF(rRuo$o!Cr5lUSR1JzeMC zdq(ba7QJdgckG5*>up-{CSJRA&T2vMOk8@0q6csXItgz`?Bc0fnG4m?=P~K?Zo6|^ z^lH*Ri19b8KPhaV)i*q<*;^4_gD@y;{+Nt3BF#LUQTx8@eTpwgxx-0at48e{KigV2 
zP-k^7)pC;tGcfNWwCUE$$CSY*PV+*4)OENT@jhAe+l(Gwe@62V51$q}=Ha`pp;;?z z+Nzt<787Q3mv{Q69AMLfmG6ZB>R$J-#g@>&Fld|Cidx)8!!@j}bB>*9P}3%ddkl6v<6yU0o24L+W(e1+i|6G0+VXY?mvv~Su zpOpuXt^L9^9$TKS3vLH-YjN4MZtgW3&&iMKY*-=RpU*!yR(Azgb{p$>U{~F1cfUnLc-QWJ zYjO4NJ2BcYIJ4)PHY#z)_8U%AJ4LMZ!~@eCcLsJha_fP0*754)%Xcx({X8BPJg~C} zt)JB^1~1%wP+YgW-fPd@!#!o{z1%cI?>EwQB>(rR;@ZFl4(tZb0vi#0$@)n)H~9Hf z;MgC%sW|x^+42@`Ns!ji%>e_Uu<4(}J6}j&Q*4UD7aDdP|+^`&Q9z_G~G43mi@iEnyJZ znsJY*rAa~mWqyiVn3m5`{#SlV4sx53U#C;|&TR}rq(+4M@fLK><1$wc#emQmT`KBK02-A3oKxei%^|sWg*nuzb##wIuZ5ZSN&hB2mZR3Cb zt$XPlzx=?)UDNah)5}JoZM@RP`q@V-aMOC-9$eZz^Afh zA3XcO2jBmJ;uY_Hu=|luyvn=JKKrp}U-|aOKJ=kizWI@lzW=*Y2lExn=KFS~xO_A9 zk1wNZm%7<*b(4y=H?G@o>OFJQ8vWFRO$yrm(k*MJdHAkbqnNr)XjXBH{M_)WwSTzV zO0VqhB{lSde62mt`Y)ZoOm}23&Ys^{`_ILuv&x21(kPL&Cb+@1>zfUP-MWkiNH+R; z!=CeDSRCHwyN|recK+aLpFX*dPNU%Y2WfN$>uPI=zGJ%6u|62O@aM%Yg0vC%2dF=bpcpj}PB4QLPJ|Hr5xh8(N#tVyk(v=Na1w0}hehVYrWeXDX{jqAhdb)9J$C z50sgQ=MpTRj()zWSHFRD@!_^*skwN;PD&euO}+gG`L*3a*%)JTH|+s*30W*v$)(s| z%;hi->YmMm>c5OWzmAFx9og)XGZ7$zA%^X z*e#+xSx$}6%XiU@wTt;Z%mA{dZ?^AJlDZ?dkSlgpzmTQ`r54pL)%Fb6hWKxo=4k3| zzEOU86%q_=C!#-$J(vFTR9;OU!~7$Uzvc&~x9q{u4Z9c1Pfu^&v9XiXS-rT~v(8O; zCtU`M8+TvKPl@dX3gB{+ex`%uE(kU(XqU~@bF{&T^Gil5_KHTH?J{Lc8YVC7j@b4t zUFO!@AKord;tWIU*2LJubaghYKX~~T&PzK!eDA!m$o50~i}NeJN~h7qDV8tugTBq& zN~@4QD)j)tx|37X2f2V0#T(RjlPd#P-Zxna`cyYH` z*y!ceVPR*&y&HDDDbjTr@7*g*QcYjTW~C+|U&?I2#5&odu0Qj`GuVz>A|TD za$da5$AFjcROx;}N~?KsanB2}`B7=AU;dChV=%q8()QTb*5C!}unyn-l--JB^d~n5 z1N&)x!?X1G{p>o?_Rg&$U5V0IgT+d$iwqO({wI~;1hrF0QrL4G+z{uo>7C4wZ+P8i z_1H6c8$&>u3mjgz%gH@^HkMindzG(-_9C^1_KW}z_N=wQ!mYcG9g#o6ZY1nHF0K#L zk2ENsU!Iw$xnZ!T@4WQYm#tN||KGR&U$^t;x*fUeckbB#?Fia)QCtvhVXnq?_&B_J z&z{-gzxlc4(5|<+tUa(RtbJ4~^pq|A{DNn%{eo<=14b{br+Ce}ICox1BaxUclpp%o zh?}*PxWT}DO&hCv&KB+0YB)EQy9Oq^P#ivvIh`n&swLi#KU0w+~mXKbxuQh9OZ3f4{tnaGed6K zWX1<}u|Y3(a1}ptp2q!bQm*yH@~j@rD!OfBFIFPmSzP=)EyI~o7B}AWbY7VHC3b_2 zVSJll3WIHop}2)xWIN6BW1lmkl|cUoQw!~u8Dnxd`?0dN%*K0g9$$aQlTTj!@5b%a 
z$9hNJ6}dbAWWTs%k4tUZNu4u(IplNYGiRw>{jtZ2OE&2g|Gpj_CG_o1=9iw#6lQHJ zWOGgP2i>^lW`eS?-MBxn#=v^6SFKN$KgpW#^1Oy-q~g$Fbj=3MIKS1;GiBnZn%b#k z#Vsh&Yru=Q+9uQm^{;;~mUq5*n@Veld9609_O133pY(0E1K;_cMuBa{B-!$%J67gx zZ?!>*C*Ft2#6Q^hbp5^Wt$*~B&pcEAksqnQGJonk$0uQFPo<@CKDJ$zZ*y~UCn$C2 z*?!!$DZ99vdE$L6{dgVC$(`%v>DzC8{8c`<@#*uOUHT9EcAG1#jmBo-NLsUf`~C~% zH+(2PfU4iWQ^#u5&p*|?cu)PCu6^qEH$1L4vEuvyPAUKYxG5|hH-&G%>ZUy9HpPF~ zA7N9@Khi|rei*4{N6EKxtCr<8>=;8)8d&cXEtN$!AQ`x}?|n15Y

~wK6zyY>CuQK!7&IyR*HxGrepBnFZ_qV3i;Sz6P#I^pm{3C80Dp`|z z>+!nXLZR3A+~f7@_7uRX*rIUF$>US#;c=MD-n55LnqiB(05p79lQarAuuDX`IHY^g z)Ui*mZa(+?<*T2`o&NL&pY&Xm;2XYR-W#}(V@{6sBrq!uPxl7Tr@3%f@C;GceylFe zWV=Mzczhb%96X;MW!&S4G+Iyw7-LLXZtU|arVik(bZ5}Nk?yoGC(k}RzkcZ!hpy}e zE)lk+_KE|)_A2#V?Pq!bZ9nbmU^kKoY-(D5sF+8>t?9XMWA^C|3T;{g&NsbHwMyoiyl;eUM+~r$F+;x(#_&JRYFlyK21<%v7-PY)rJnldLq`E@PT^ z$J`ropr`8yDbgS}0EPhu8e{5_Qr81uKui z>+3eyX8*B~vNXfYCRu656}#X0xY#{2KFJ(2Bc8WcFWYdTjrUr4zIbq!Cn;UG$^BO! zr2DnBuGWT`B56STI@ZW;25;KlvmfWripbY(#dJ!h<_zEdv2hQafp=eqMph}^)SlCe z`Bh<+`NWwnAk0VJ)g7J#Y@-j-AVsByKxKi+43zI#uU!y&JNO(Ms)u3 zmow}m(|K#NRc%1&rp!;FO$`4X-np5ZH9T_FAxP(AdV_aO=>EOCfo?}?fz$VV za${yz7+(n7~~ZJwij=H1WO?R*+lN^4~^%S5_6f54Oa z#@TIreZkH?y}~SVca~?wp2Um^n>2=(X^7emke$F*7Au-s3Og9~eA-qB?HlH^WWCT1 znp%9$XA?1R-h1vjoBDvkp|mT~%QMV}=lE=TX-}*$-2<<2D)Z+Vr=8^Q8`Bi{w`UmFZ4l1J@~++)d?xi=@-q?pK(sb#Kct5w_B`g=OEx}U zq^~=iUA<)&L7W|a$G_qYK8k?`0trg?7(q0xXykvv>SMZ-cs#or-JL2g}2!d|@Lz)&^M7^dOy$AuO;CP=2JEoJe#H8k}c& zTKqZMYUPhVf5&<^;T?M*p3aE0G+P~e>~hNQL=V`m_|}3XEzhjQ%;g5RY;CN+XYbh1 zAm6sf+xYHX?z_W9`xc4yv+w6^Ip28$`!3v|_^f@`i;Z{Qk+?W=kEKpNx=1*Oas!zU zmW_NQS?s|;`iUnvxx0zUOZnny?Y_-AykngfJNY;Z#(INjl5mfa+9~^q^T|4uwzFS8 zf0a(2yuAB%Ql2aVnYN?ZE6U;G!W6f*s zEuVj7!g>$3OH8G3VgfVR_Gp-vj3(x)72vNkK7v;nl-rtWs?(AM;v?l+Kc$_y)&D% zgda8w&@PPmt-NXWiv;u{pU*bI8{>}l5HgJ~+Ka63`LrNATEkrsq@mGJJl?y_!D>B{`C5+r#a&M+^4ueY-Z=8Db4*`Z|Yg#RHo~ zk+u%Ct^w_*thFW)#qA=Tr)T2(IW{Pono;ZTU%bS8Zr^pnw`V+~E0uo1g6#zKhSR>a zBZ2RFVr6kFeD)H)G+|G{t)H2vX4rnQxx9JLC(G@PzMa5WIG+t`Po8(%?BZwhr>w=p zf^kNr&OS=x&d@e3->ccS+IfZVk)FN$qP=a69x9}P!t^Tl!cqqny8w4>Xt_D*BHydp z>fl}|>29ynXh8n{$9WZVO?g^K+6`%GFWVPnV~Boqp09J|W<5Oy)1(Ewyp^W+<6ZRMKa-_Tg;H+@uddj^wC)LB;!9?HnVxmqKzx2| zfDrH4y1RF9Y8NlEkCj&}e|BmNa?g)%<4T>{wbX4$tD59W4Pf4~)VaNgQ|W6j;=!9; zlI+=qZ6bjEOcI8p(x8ONl&!V%GCiZRpEgo&-9dYSMdN4M2Y8VV72bH!ZaL5?wbxl8 zdtrB8_TRKXbl3p-M79@Jp?Kj%%d9)}!}bGD+wCVVUV4$YIO+Pyk3ai;pZwS--d}w9 z*-n1ZdG@>Wi+s$mL0E??`PWzA2~9#gZPK2qZ(JMg;=}Kf=Ua2!Ok*_gCW>2p6n_MAqqF=OS`AD>~lHtE{F 
z+k%H@r@O3tED!vhuO8P018nw?BmMZc;u7XA*X>KI_xiS4-~5hmwzuq2jQgc7msl_F z^!nTQ^S$-F_$M=Cl)X`?tX-JW<)i*Kyt2iemo~6b^mJ*lm$?DL3;sF;yi94HdXkc> z_V8D4=ZBqXrebr{Hlq0W_e}YTXqpgA)F}ogELGs@VgIbdK$uX`NWHR_wBo77Y}T;=h6~V zFDMnV*%wweH?DYv%dTB@@e+d`_?bsi@ya^b=bO(Slpd_&?6>dkSO>|T;aOReBmbJ8 zwA0h0W>Zdwk;f3r9M~bW6Vbl$iep#i!-}F&x>PvNu(s!}xa8R<`46!NHTik$+2D!y zU6jVMc-mr-=wF{a+QlzfvU)ZH3MEs6V^fGQ+O5Z*Z#`eY>Eo)ruK6)K_NdjzS8?%c zm+aZS^_e*n#BL?hdK)K=(2qbr3qSD%qx`#P>}JbeS+~;a+T}0bAlvfprF&L;N`YUf zf$+fFX!t^B1|EG>QFAN4e`)&BqUth2?Px6+s=!SfP(`_d&e7}h&{4(zpAeO zguRcovo5E7f;9~2eA>HKC$IElXmC>7@WlHp{z1gHoU|b8j(k_=lV{)g$q(Vz-r+H{ zeF&ELX=|2j2^TXNOgyajllV_QeD^+!&r8!4&O0XdNu{kzYLGr#PfJT;ofa$ODrv2` zd10-zK2KSTm#)our>54xRzZTNt<{pAcyHa-&uZdbtPZx?CMYmBpX={-az{jK$;7g-u^L)#o`Ax4r>COgE^V~IeSTBy&lV|o1b0%KxP%3=#saK6J-&cWu zK>TF-n%PzR?Q3>$E7|O6a0W-IF@`~MsKWSY_`|sU5se`6s zY4{}HI_05CeVaY^{cM2EzCVm_uwV4OaN^;6_4a(oeur6l0G-CAE=uH4bvuV`Xg^P{ zWfhx-$*=C(wImNp;3<*K<8sT-vpUZU*rP8z_p*^I{N(63mzRbiFuu$I@-z|jye7JU z*7Zxj{0F`DwBPJ;SybmuXA~|FyN7PK}O9Dy;wGe%57^fB=0sHgX{U} z7uQg~Z6kf{JrTCk|jp?N|`n$&ks*prY{!p3xr%I=aZ*iv~813v&rB1Nw4WsdW{X? 
zityoXdK+Kdx9>dJld3$kL*MO5U%|->w3ak~nJIN5Y;4L7mksOlCp}8zQhat)*!@c$ z_sYLrCOr~xdpr#y`hA&(^XzH3y_bIDMIPlpzjH~$^mfCazh=t-_$lQAmZr{MP zFWe3mC*!7R)G&_+-+jPekAd@HfZqyir+<2cgIZ`F{qK~pA$0r35@&jye#bk_nxTAn z&TUg_@{BKh<>d=Z_DYYI^1;GzUb?|MpQD763G)`xw+#gLl_ET=vf1`FB5h-d`tm$f zJa_;65f+y3fAL%%4oo+BC%=6zzn_1poPH5qe(sfizlhzc*_ikFR~RttfNy8<+fnI5 ztgYj=<3z=8Cc$hF8z1lEE4+CD#b5Znhtl5ys9`vL3o z|5*J`&Fr{2e%iR^_)W$o`G)=zpDE$p_)c;ZAOSUm>=6}ujQ?~LQ$4?vg9KXqU zKz`RdYED9(VaMxlK2$VA-U@jqaF2Y|>eoMK+v~V$JS6{^ z<<*^SudDy4ecpsTv;12Y_BT|>TE8Xv4=n$hpSQp3V}CruuYZHAydAhpzHh%P|I)HZ zfBOmbfBQS^PpkfFQEZrtcjWK+kd^;+`})wDlqXmhl^3 zW4<`98MnxP-}0Kt+9iMUhwbl^SUb{p{D|>5l%J5VS@}2rJv-hZ--LW0xOi<|UwwYX z_-AcdzhVD>_!;w^e5q}}h`(d&PySlt*V_5rB){GG>$|o+jvqB{lYhYSw|vUBk9@E{ zCUL25K9IleyY2Yf`8_tq{?qzQn196bhi_W@5b`DSpR)YY=j?Afk$>6vwLfj=^Xu~V z==`aY{|3tA_>h0_8T(r~KX2O;@^+}-A^*6Qzw|~spUJ;q{JNzbFUMbPJPh?mAs>@} z*XrZ^pO9bsy~e-(P%(A z$X6lXkhT0R`6sRZqt=-39DjxJ-tku(AIQIg@~^SR&;Eu5_Q!7;e^veAqT={<##P53 zH?EPN{+Lz$+J}n{`D4bfd;H;|M?N$Dig!I+49QyGk;`9W`Gov)R{r(RJY3AkYvVUI zA1=0`{*Ekvk7W5CjTwlpKthb^TYA$jQ3>ua3srz!v02!{D2QNvdY(84nIn= z{OFS9N1yy?$Bu8q{2;@Zx0??m$M9zw%FkR5e->o5$nt*>cu1E2qmYk7J|%1YXJq+5cMSg*j^Y23EdMu-;s2H_ zpZ8?>e{c-{D_@fLr^;8!D4*I#vixt8<$sqf|NCV5KX45H$D#bhhhan%6_4yOB{GU38|1-z% ze@>SFE64DEO_tAFvi#pUhX2P<9)IXq*9Z7tA$p4CC_+KUK^J^h*hP*|V|DC{Hvi$FbydUx*S)V^5 z%m1-s_&;$B|EFa6zibgWB9)h&rGEdOU@`9CMi|Ak}tzjO@$w`BQ!B+LKmSLE$eULzxi|0P-ew?g^0 z%i({IEdQru9se0w{x8Y$e;x8|sJ|o2{{vb6A05O0;w$s^>GLaOlt*5Myg`=#t-x)v z{O^Rk8}dF`pFbeW|Dj{}KXMHJ$7K0Ga}59IWcj}&%m0;Q_`eP1cP@wjd$Rnm{X?hz zmt^_hB+LJnWBA_<<$ErN{{yo8ACl$&ge?E3WcfdH4FBhj;s2T}zxQPMk3XdA`$rYB z{I8Mae!{!bjk|0!Ai&&l$C;TZno@7dybtNh00 z@PA8||CO&k^}j}z|0P-eHyp$Nb|~L*IsEUD<$s?n|3_r`KPJoniDURbbqxQPWcj}( z%l|{jk1j|1U-_E6{qny~*78c1!~Ygp{twAI{v)#dpOWSOJmkwze?^x68?yZ0I)?wd zP=6otiv5jW_@IAPviz?HF3Ix05%Olp+hi@jLze$t$MC=B82c}kZ5 zGsp0M8OpC*4*%C=`F|v<|5JH$-e2;+Mwb6|$MC-y%C}q&|2t&)-zCfc0a^YJ$?|{X z82*nP!~Z#1zOKpge;4w-%i;f#EdQ(a_jmpEqDDpz{~Kia-zV$%56JR=OqT!Ckk3Q? 
z1zG;D$nt;f82)cU{cXsPAus+|-ah$X4O}D3|9Z&FkT=QN{uWvOw;jX(j$`=WCCmST zWB5NL%l|Q1{!bjk|9L3Ca5?;6lI8!NEdP&W`CqB${U!gaj^TevR{4g@;eU%P|J!8w z-y_TaK3V<`9K-*iWB5NM%l{=={%=CQbvgXsljVQ$^{4(<$nw8Vmj7LH!GArn{2!9# z|2X8+P=7|2{|mDGUpj{Wt5AO(@_on;Wcgow!|C}@A$nw8Smj6A+@W1aE{*TG>e@>SFtB|i<4*$1g`F{xIk1j|1U;W0s{qny} z*75I<<$s?n|A!$Thx!w;{GXBK|J*VBUxfP0kZ(i2Bg_9o;3HZ77vB`l53=$aS=(PH z%m30b{BJmh|4p*|?>L74U9$Y|ljZ-wG5jBg@)MWC|0!AiugUU%OP0@jviv_dhX0kv z^8QizDjDVBf1ND!7zEdM)>;eXdL{2!9#|CB8M7a?D|9R9D#@_!e~?_Cc6 zi*G*lze(2dZ;|DHmn{GLAs>eNBeMLTkmdi>G5nu}`ty*lL%t!)|6SlcS$-cvehhh~ z%=<&zUnR@`nq&B1cMShavixs3hW~A{{O^+Gf6p=eABOTHm&5-tS^h7{@_$X1&s(zm z-#Lc=$56g_Yu+F7ze<+>HM0C~kmY}qEdN`M;eXpP{O^W34PnQ1&viv_fhX2Kr7v~53uaM<`-7)+x$@0HRmj5ls@V^_%_goJD z`(*h)CCmRgS^h7{@_*$R{%=G1oy+0>fh_-zWcgoxN8TUuzebk-b;t0(bPWI7WclAG z%l}cx$1aEeQ?mSDgz`(5!~YHW4Ij<(3oDIN|EpyAUy|j2Gvw`1zeAS)J+l1oJBI&* zP=6TmX~;288RJ{>e-U^|mjA1euS32i%l{o&{_h>b|AS-reQj0B!0^9D{uSHb zm=9T!<$uF5{BMWy9hbxZF8OI&KITV`$?|_nmj83I{9ibR|LahG<8t`FBmbOz9_CN( z$@0H==c)e{viz?)hW|Ck@V`lx|6Q{Dw?A}rGM+hfIs6}!<^L>{pSv9XugLQMNY?Q$ zp3a{q|7&FVUxvI%R{a)P{&&dozv~$O_d@-C$j2d{kmdg@@SH6F7a?DUd`;H+Z^-h0 z>lps;9K-)TS^gLAI`zLomj5-f{I5HP|IJXo<#PDnCd>aJS^kg7@_$N}|1-z%e;LZJ zTn_&?Wcj}(%l`ve?f;Q1|BH9${Q-vm702+uB+LIcS^oDz-gi0tACl$&B$S`J9R4rJ z@_$d(@jsB|f8|^9`pf?sS$RoT{RUb7x5)Cp?HK-dLj7*Yhan%4<^Lq`lq~;eA)kkQ zN!I$W$nt;f82)b@!~ZQ={vRBp{XdfBf8|^A{*?b!$MC--t9--d@ZbI#OllA1f1fP> zhh+IbCd>bcWB5N0PkD{3`gOAWZ;<7G(=q&Sh5GG~ z_d`A)%l}c}FKkSza4j^Y0_l%KgA{x8V#e@T}A8?yZ0lI8!-G5p^I+kd-%G4*%O^`QHoW`!0w7BeMKol6Cx7Wcj}(%m01IkD-3? z9eMrbf0Zo%YmVW6ovhC^|2xO<{}{>_t-L?we}ydnn`HUlCd>aWS^oDN!~bC@KXN(zpOEGMlq~-j zWcj}&%m0;Q_`h}x|Mz71U3veh|8=tR(&g~KNtXYeP`>MO_&*@a|2etfzXe(TugUU% z8}faqe;~{M;yd&9$p4CC_+KUK^J^h*hP*|V|DC{Hvi$FbydUx*S)V^5%m1-s_&;$B z|EFa6zibgWB9)hId@nDX)={!~c>j|68Ga+vV`TN0$Fn zvX1|ZEdQ5e`M(bNHq_sd<^O>!|BsI0fAPV*efs}S^n3^^1l(v zH(d_@J7oDkChPc5$nt+qmjBC;uS5L}S^n?H@_+9bejh^pW5{dm)AOTFmj8{wO|txN zg}fc|E?L{(Bg_B3WB5OC4F88@`9EDlI8!FEdTL)OuYX`m!ti! 
ze0R>}f1Rx5l`e<>EwcO{l6Cw?WcfcO%l~=Em!bZOEdMuT`M-4x|97GOKIE0}IrYCv zmjCs@C0YJALf#B{o2>2ckmY~ZG5qg2hW~xC{2w`n|6{WJpOWSO%rX35hVmt+m7LX$1(ixlI8!vG5jBr<^Py0|0j;& z|2&jmxE%g3$?|_smj6ex{IA$^TkJ3SUv&)sOR~y0Tn_(RWclAF%l{r({`bl9f8ZGY z4;{n*DOvt6$?|^_@~z9^|DG)W@eBF9{}rn8FCD}GRj9uX`99KkSza4j^Y0_l%KgA{?Ezse@mACd$N2!lI4H#?8W&2|7&EGue%)nH^}n8NtXW| zvi$Fo<$upH{O>!4|6{WJpOfYPD&%XI!~ZQ={vSg5qs!6$S3iF0f19l1-yzHYK3V<` zLp~1mCuI3QBg_A}WB9)a^_L;vhI~hs|A)XwvivVT5zY^?@)}v&Unk4|(lPvRIEMdC zvi$EjhW}l%{O^%|2A3vcgga<=NSGEL-~=*;s2N{|CeO>zb4D)Em{8W9K-)(C|`8* z{*eDwviz@+<$r@L|C?m_-*OE9+m7LXpDh2!Wcfb}`P}93e@T}An^1o1a`=BBtN&B} ziPPiXAj|(YS^jrJ-VgN$WcfcL%m1-s_&*8try*a4d_|W3o4{ML{NIIqAMztv{ulpn z-XHS6;u!u{9mD?`S^hU1!~Z5({!6$mj4aM@V_0(cU%ttyJY!4Cd>aR zS^m$-@_*qN{;xy%jmzQxjx7K8WcgoQKJ~vsmj6}9@W195{x`|;ze|??gOCqh4*$nw z`9BNg=Prl;E3*7Qk_-L2lD9|x*U0j}40)5R>MgST?~vtx*D?I>h5G%Fk3&8o%l}#6 zIa&TMLcR?7nymHTkmdi@G5p^-hW~rA{4cJa`d=Z-{~B5T*B!(EW+>lsIs9*v<^PZ@ z|HowcKPAimnPd3B4CPlYhyNS0{NIx0|ADOb|45eq#kIUY!0^A~82*=J`QIkX|6a)Z zE{Fd^vizTf@>7??{{>n8@5ws;2eSOHJeSvB{@2LLOS0-W$nw8Mmj7+X@V^u4cSAl5 z`G_q4CxNGA`9BN!JmgEV)_+Bo|7*waf8!YbZ^`oi;27=yku3i!*Yp0A|5eBEza*=C z!{zY5NtXY8viu*C<^Py0|0j;&|2&jmxE%hk$nt+pmj64l{NI!1|G_c*KRSm0wdeEx zkpE4x{O^Rk>vH(tC(Hj)C_i>N{GXBK|CX%dzaz`{trU=q08a_ge?EpWF7wvS$^-y^8Xm}$_sh@RliD> z|8=tbFCD}GMyTHmc{k)eviu(e9+Kt%DCFaiPsv*U8Cm|%9mD^HWB9)$%m0mI_`fB~ z=RH~e9~{H~%FVn#RlZ6_dH7!=%l|f6{&&gpzfYF`1IO@x9Li5z4*zFl`9CMi{}uUn zpUHn;XHAy>8^`c}>lpqY$!h;=xAOMO{{~rk)8+8LO_u+?P`>YS_&*}c|0P++e?^x6 zTeAG$hx{1o7q|2J%l|4_{?{DC|2kQpUxvIL@(x-4_X79H@_!KWVaUg1eg1^}lOMJI zs`)*24F6}2;s2a0|5uLT|C%hHw`BRha}58Fp?q;C?@#$(A ze;CS-Tn_&yWcfcO%l`#g{x8Y$f8`kduN}kxJz0KN2B-el$;wNY!~Z5({&zz8uFK*7 zfGq##WF7wnS^lrd@_!rheW-sR%m3oVygl;2;u!u{$@=_S$eST=k>!6UaF;Cqdm-=^z}9K-)9S^h5^!~Z2&{;$dMf8!Yb??d^6%hCQH$@0IvoAbhWBA_>Wcj~v4F8vo;s2H_zmH_K|J8eW`;^zn z$l-rUmjA6#zU^}O-y_TaDOtyVMwb6evix6%d>iWT$nyU{mj6e`@V~g9w@;s6A)`F< zGUN@i{BH$rljVOW$@=^OS^nD}C{FXG!0>VHX=|4p*|Z#jnl-B7;ga`-2mnrA!{!bjk|0!Ai&&l$C 
z;TZm}L-~!%;s2H_|0}~&|7&FVUy|j2!!i7Chw>el!~Y&x{`bl9e?*r5W3v38IEMdI z$MAnimj7F_{6B>J=yJ6GmCxkum;ZILmRGtQ{zYOJ9E{FeXviv`i)&HsdBYA(x{~B5T*B!(EW+>lsIsEUC<$sqf{|99G zKP1clkz@Ejb`1aLWcj)#%l}=-_b!M3N3#5{{z%?_Ew4sK4*wfu`QIn&_z%ePe@vGD z(~!?Y{RLV6ugLO$?HK-VLj7&Xk0CGqWZpjcUkzL%%l~@F%aAw8+Wr<<{JHUy|kjo-F^5WcgqDNAv!Y|5eBEza*=C!{zY5 zMV9|A>X&q_EdQ5|;r}YsUx$1j@&j4^7o*ejp+c7b)sWXhUXly`YmnuC z(=q&SIfnmjvi$EkhW~xC{2!9#|Hv`?pN8@?m&5-#S^jUy@_$d3&quQSFaGq!`2hcG zWR(z&oTV(JBI&bvizTu<^L+=YnQ|SEm{5_LiwZ1(f(Ke zOx}L^-zFFQ*CEUQK3V<`Lp~1mCuI3QBg_A}WB9)a^_L;vhI~hs|A)XwvivXpv2cEn zmDkAH{yJIymyY3o!!i7ClI4HLG5qh6<$s?n{|AoY|2UMNxE%gZ$?|_qmj7F_eBP7g z|G_c*ul#7dJ6L$dszlI8y*i!~Zr}{&&gpzvmeK4@3Ep%i;f+EdQ5e z`M)O1=Pg`^7S^gLQRNf!*zv3AFR~^Iu8d?4~9K-)6S^l@l^1tI4{`W)qfy?3l zkSzb_Wcj}&%l|c5{%;(^|9vQba5>ul;>Ys-kpC63{I8Sce@T}A4ae}m=@|ZZ$?|_l zmj9EGPhAfG=VbZ63gy=>hyOdW{IC7fr~cQ;^1n%z|Lu@>L;W6E{tw9Vf9M$gk3#)% z$mbznkmdg>@R}_DHzD7Kd{37D2eSM>I)?wnpS?Ig;D3cI|Lcz7e@T}AO|txNIfnn; zP`>AK_}?eX|0!Ai&&l$CNtXXB$MAm}%I{nb{|{vOeOYhBhy1UR<$v8V{4X8D z|2A3v_sQ~q6!Njl;s2B@{}-YB(&g}fLze%QA3ycKN|yg6S^hUe-VXIU=en0&i z?Rgtn{`Vcj|3Rof4EZ$VGqU_&1YVMV=%e=h^YeCp9rAU^w`BRhBg_B2WB7k?4F8X0 z`Ct8syg$M4zebk-C0YJA9K-*1DBp28{O^+G|ClWQr)2p*C(HkZWB9)gxMk|0}ZmKazF)i=WKf zBmZk;`Co>-Nml(9S^js(^1tgC{`W%te#plmpOEGMEbyEx{}&-&hI~!d`ftecf9n|j z?;OMbJsG~g!F(_N*;D^3Wcgns%m2D#_}>iWTP}zHZL<6ylI8!HEdQru`9E_E|Cgcs z%H{BXLze$rviv`g)&3vJ^1t}!^8NtB|B7SyUy|j2n=Jo(A@92!{twCWe-g@1T@L>j zWcj}*>-ZnY^1t%u^7_mF8d-TsR{aK9{&p+@RTh7XCa@5 zd`Z^&ugLO$?HK-V9K-)DS^gg!qy0aU<$vX;^8S?nRmbqZB&&SG^ZLvG zDp~&59K-)QS)X5qydClmS^oC|_sQ~q5b|Nj$7Fr}ge?E3j^Y2zG5nvC<^Ret{9lvh z^Oh|CcaGuzF_bTUCht%AUm?r?CRzTs$@0HTmj6A+@P8P}k6aG_CuI3QCCmQ>S^h7{ z@_*$R{;wUw|2MO_&*@a|2bL5e?gZ2YqI>`hI}9D zAIS2*nC0z}{}spZze?8U*FxS5d5bLnJAu1o`QHn9KjcGl!G9yN{2x1p{}adXe@d4B z3&-$(NtXX>vi#pThX4Ce{@`-7|3|X?FaMRif8~FZEdSeN`QLF2|NEi*z~%6NM3(j|68Ga+vV`TN0$Fna>0Ky zvix6?<^MY5+faW;mj4H`{69K||HZ$Ww@;s6A)`F$@=^O zS^f_l!~cKPSuoC0YKj9K-)@D8F+#{NI!1f9)@w`d^aef0Hc#TaMv> zHb??b4640-KeKRrL{Wcl9++$78YR><2S 
z?~=9sJ+l1oJBI%Q$MAnhmj4sS@PA5{|8uhZUpR*U>rj5*{#VKJzaF?G z%l}5mn;~zLwf!Bk{O>x3|2@a>zfYF`BggQ6OqTysvizSphX2b@e&urbzb4E7BU$~Q z%3sd=Oa9l$^1tpF{x?JUmdoLPhb;fQWcfcJ%l{!+{*N5P|FL8EKPSuAHCg`eLcVu7 z{6CWAfA!zW+pp!-$jIS;gDn61WF7wjS^kg7@_!ogd8of2%l{Qw{;wUw|4pdB4f!$T z#lM}mPySZ}*U0j}9`Z8eO|rJXMV9|<$MC=782)$3@_*nM{twCWe@vGD6UXp>9?CCV z4*!>A`M)R2|07xcSN@&6zvO?_G5jydD&KH9{BM!vf151-dt~|FC(HkVWB5OG4F9KO z`MM;_|4qoZE{FenvivXp-BbT7Wcgnw%l|G}$G=CG|3k9;ABTJz>d(mXe?k6*XKX%z z`Mz`v|5u^@I^_G1AIS2*_}SC*p+c7b)sWXhUXr!_4YK@iI)?u($MC;Rmj6A+@V`%% z|3k9;A328q(@=iqa`-G*E{FdO zvixt7<$s4P|GQ-Q-*XKA`;OuNm@NP2Wcj}e`P$|1e@mAChfx0LaKFy!M9K-)ES^oFQ@_*nM{*OcXiOb>tlq~<(Wcj}(%jZ2={vRB}|H{wh z{iE_#GRnjMI$8dgWclAB%l|f6{&yV1|E^>BKP1clDOvt6LcVl4{9lvh|1Ol@yBz)( zKY!|fldR+4BFq0SS^oD!J`D9oWcfcK%m1lk_&*Ev=OJH*d_$K1yTE(0{62*I81l-$ zpZABhze<+>HOKJ3?il`;WclB64FB6?`QIhW|DI#`KMdtZE{FePvix6?<^P&2pSNWB zzjF-#kD+|=ALRWZ|EpyAUn9%^23h_$$@0JD82+~%!~Z^6{*TG>e-`q&%i;f$EdMv5 z{MP00|3FszU;e`B@o$jjf151-yCLs~`UA53ACcw%*fIQ{g!ul;urJ&kpC63{I8Sce@T}A4ae}m=@|ZZ$?|_lmj9EGPhAfG z=VbZ63gy=>hyOdW{IC6or~cQ;^1n%z|Lu@>L;W6E{tw9Vf9M$gk3#)%$mbznkmdg> z@R}_DHzD7Kd{37D2eSM>I)?wne{^wv!2b$a{?{GD|B@{Kn`HUlat!~wp?uHf@V`%% z|5LL3pOfYPk}UsMj^Y0{l;61={vXKl|45eq)nCf{L;lyu^1tpF{+Ev7f151-`(*h) z3i;UO@PA5{|BFz5>2mnLAdJ6 zJ#xW+{g97CJ|WBhS>QQY{x3ql4EdT|@ZW|k|F@3e|IRV|-;?Ek@t>UfUm?r?8d?6= z9mD@-DBp59{BM)x|Bx*I$7K0GCCmSrWB9)ej|J!8w-wS!)j|GQ-Q-zUreAzA*99K-)| z-*-9uACcw%lC0yuBFq0RS^n=sehl@CU(f3=|EpyAUvmuq>tua?8S-|>J7oFa3*0Bm z|3S!yAs>_V`4h7IpE`#BGsp0MPL}^G$MAnmmd{(V{NFi-|Hn|i_^Zg7{BM%w zf151-yJY#_a}587q5R0@@P9&<|5LL3Uy$Yhk}UsMj^Y2>G5p_?<#*-3KJ~v&R$jUs z{x`|L^u0y#?dEqUl<&G6{tw9Ve@@o%Uy$Yhnk@gfA>W7k2eSMx{+ql#^1tF3{#VKR z{94GHA#ai8eR{vXNmzue^gEB~8h`QIkX|Bhq$-w)*nE{Fdkviu*D<^PN<|L0`+zi!`M)H~|8>Z>q5h66{|{vO ze{>B0i~lxnpFY1rMtS6A$Qxw&-wNC&%l}TuyCLtB_4xy`{2w}o|0Bone@vGDGsp0M zPL}^mvix5;hX318e&=%dzbDK8+JATIe@T}AO|txNIfnn;P`>AK_&*@a{~=laPss9r zN|ygK$MApd82+!x@_SE~|HW^d`d=Z-{~B5TH$wTQ%i({AEdR%39sdbg{?Ezse;M+1 
zsJ|i0{~cNW?;XSML#TfYdF{VHJwNJX`QHfKB+LI+$lD?BlC}Lkvi$EmhW`V{@P9~_ z{}adXe@d4BbF%zjIEMf0P=4cb_`fB~|H|Ju^}j}z|0P-eHyp$Nb|~L*IsEUD<$s?n z|3_r`KPJoniDURbbqxQPWcj}(%l|{jk1j|1U-=*M_RIe|S<5S34*y$Z`9CD<_>ai) ze@d4B^N=q?{S{gMZ^-h0>lps;Lj8TnE8A25t7Q3K4_uPveMzLhe?^x6Ysc_^6Y6h6ehhi>TY3BBe>HH8EdT2vFGJoW zYx`Sd`QLU7|2vN1f0r!(2ae(YkSzblWcfdF4FBh${KDn%e@T}Ad$RmLlI4HpZ|40a z|ErGSe@RyPhRfl9i!A@!WclAC%l|%E{tq0(|Dj{}KPAi8C0YJ&LcVo5{NI!1fAQO= z{#VHIzfP9_U9ygUk1YR(Wcfc1`83p@k>&q_EdQ5|;r}YsUx$1j@&j4^7k}&Ye5jD+ ze>LQ_ke6g_e}gRln~vds%Q5_KljVQUG5qh7<^PZ@|3{AD|1^}Jxg7q_$?|_omj8RQ zd_I!pfAP03&IkBkBddJf2mnLCd>a_D8F|({4f6JQ~#S}9sd?t{&&gpzaR2ps6Qgh{|Q_x9S3Z~bhqk{;mj5-!@W1XD{+DF=-*OE9+hqCQCCmSw zWB5M|fj^TfeEdLvh;eV4X z|J!8w-*F88`=R{6|B@{K zn;~z9`W>?T?~&zy-!c3jg!;pfPeVQ<%l}2-C0YKjLcR|9mMs5wWcj~$4F3;~;s22= z|EqsD?@uuNuaV_{NtXW&$MC-$%6D82|GQ-QKPJonDOvu{$?|{U82+zA`Hjor|BfvG z_hk8B{O_m!SIF|e>KOjl9K-)6S^js)@_!KWq08a_m@NNiq5RzC@P9>?|3|WpfAN3h z?UDaAvivVY-XyDji!A>;WclB94F7wfem~^nkWa|+e-?O7mj8>8FGId2YyCH5`M-4x z|96hz|DG)Wi^Hk^6|(%Vk>!8gG5l|a@-3Ic|2A3v56SX>OqTysvizSphX2b@e&urb zzah*2Em{5_$ZG$OWcgqGpLu_P;eW+3{4dG!zfG3^y^!}^4*!Q_`9BHer!I&8bMmvD zqWF@o&F6LeTH_5F{=DUy9bdBiIFRLE@dtVPl5bYNB&&Rb{HN^mp6T28q2n(y9+3aK z_a^ra@zi{~%S-v8_>-&o0%SU#759N0*|02r|$e}kG#>=m;8Zei{hc$!^NlV=ks5hw;s#+GseX? 
z+H&m&_yg93y40}clI=(OSK5D(f4}8lY~HoWwo1jNragBc|BUf_+x8re{0GRNv3?P` z@kCL)=~K2|gq8o&o?RDQe#!C!`N7+5zuJBt+PY$W#bbLt zc)Te7y#4=@t?bNk-PoGCl>egTum40*n7XO{=TZJgtX(1hRoh>WPRu*Uj~O2vKV^J$ ze971jO8i=y)Lwm-=~YJ6#F^Iph* z8OvMSIE3S;ji-*^WIQLo>m9bdU$^~B{+RKljd@D8-J1UG$vHa^;3@g4)vy0O+g`_2 z;|2N0EU((eEM5Ia?ekXTndRTID2g3f>$fNWf#qNG^F`5pP2OJRJ+ks);4%6Bx8V5M zul*ta_IDJ;*Zr#P@<;OW#8vY5e8|fGx@{Brv&L`vd{H#XKV$sJ(bk9jTgGpEja|nb z*Ng|`zi)ZX4&Ipj%^xm`Z}`0V;`kBcWhlQQU$gRWe$5vZ$B-AV&Finc7Pvvy=QoXi z)|T}f_Wy^UvHNcFC2MG2*Rk~{f35LrKVjoiYm&e2yY2Y*ZJf#&?S&?N`5`Br9*Y9Q}e8S^a`;DBp8A`UOL>`o$CSH(5X6k_rSynR}Jg{*#P)iL^^HOJ_O*2(H;HpuE{HXWm%*>arvm1OlRM`ZOYCuH;^ z(QllSwZ03Nqu;n9tKYaGtKV38{pt2r$?~@(%im_m+o67kEPs1s`P+A#?z=<%VaTT; zpOJOE7lD^#9q(1h*CF4Mwf}Zx9q+y4bl>eb-FK69-%))--k<09-DLStlI26gF??u; z@*S6_`);!Q7?b74l>BJNt_KbCgRJ|Gh2wPJ9m;Q9p6%Sq(|E=S6-|aZvca!CR z@g=AJSIF|eMwb6|$MC-y%C}se+DEedACl$&m@NONWcfdHobJ0r`IXDleK%SDZ^`oi zNS6P_m*(x4{}spZzv>wNH^}n8Lze&jkPloA|3_r`KMmz)E{Fe1vi#qZb^H%x`CqB# z?UDaAvhtFw`VF%DZ;|DH+cEs_g!DOvu{LOu`qlC1S#k>&r|G5p^+ zhW}f#{69Fxxa*ND|0|E?{rQ_8EsC!)->Z({e@RyPhRfl9lPv%HWcfcN%l|Q1{!bjI z{zE9gaCz!KkmdiHEdO_8`M)R2|AS-re{>B0YhRZ4hx~7n<$ovSU6;fEK3V>cLiw@F z;s1;*|F>iv{~cL=AIb8+@}|7L%4=lRuao6}gDn4>j^TeR)NhBpAMycN{*MBW$?|^^ z@@dHDWUc>#EdQ5||6ju1KYY5k9{0YueQPM~RZ=6xN@UWPMoOa}EJ`NIcNJwwH7PZv zw4@kCRzxGkklNEunTSTjA~F$8KWH{$i1tKk$&RrjLTVeD61g6gyF#Qj=z5aeM|NCIh&m}ki z2VnX?0n`5(nEubf^uHE1|5tAQT5|Kh0n`62nEoHY^#2H^|E;k3e-bwTd!L;8KLFGJ z!sTPh&Ho9Q{#S1PTypb&38w#hFt7gsOutWH`hRhG?{?km=l&U({^wx&KM*$mhi?Co z%O@_Mg6V(dcn+rjwaXVSUxE4h*I@d;5jOuDVe@|rrvC?F^Zy8@&nGbbKMR}xz1w%^ zlk+pM%{Tx1VER7>)Bg#W{?EYlzY;e87jFJia`S%;rvDo-{ojG<{~k>L55ngEQP}*y zfcf*k-|yB>|A%1aBgxJGF_`{O-Tay4=6?;Q|64Gx{|-$5k6`+La{0yWA3mjf{q#Qr z)BnD(`JaQ?KXCcj{{~F|_h9;ebot5ce+JY4 zaK~;v^uH%;{%2tJ_gy}6c>$*XrQ->h{!d*#bNL+1{u)gG7sBTMQrP@of$4uEZ2oV- z^nVYg{|907|K#SMCAXjd7cl)F+^IXi^nV1V|6?%yFNMwjnVVlpZvNL``o93v|23HY zZ@~1w5jOv~!sh=GOusK+{`}8Aty>@SKG<^ee*mWcg_}Q?-29({>HiAM>%Rum|1FsQ 
z?_GX$`?p~Fe+JY4i?I10KD}EX`+H!UZ~4IGLood>9FM{DzjXP;ofTbJ+M{s%DqZ^88cBy4`4-ToJs_dg?jf8=2LKXg0-)BnQdW0z0BT>lhI|7XJH zeHkvL{9g&1|64HqKZ5E1+2t3>?dN~*GrRTE{~XNY4J0@J3o!kk zgL(aHF#TVF>Ho&%TetrXO#csH`hOHQ|68~J$>qJzO8w8k^gnkz0Mq}W%SSFBgSq|^ zO#dgs=KoaK{GWm8e=ThOFTnJF1*ZRNVe^0M=I3=P3{x5{h{|%VF?!olGb@@qh^Zx>-|Ji4E>*w+M zV9U+_A(;Npz`XtynEo%o^nc~@joZHg)Bhcq{_lm&|AX8A=<Hk>R{4a&g{|T7>SHkB198CWgVEVrlHvcznej~a0zXj9(6PW&A!1TX& zx9)t=|4i8YAAmW3D7pDxfa(7jO#i1~`ac8H|4P{Wp9`D+D=>ZCg6aRkC|IY2dclpWXXE6N_cTe9B zJuv;xT;6y20L=9d!SsJ5Z2lL*=KmN>|EI#{{|rq3=V1C@3!DEdH-9a;`M&|v|09_G zpTP9_0;d1r#_R6~^S=+~{9JPLe+Z`kBQX6h!SsIurvFo6^M596{x87ve*>ofJD2Yz zH~)`d`hRxwFOu8O|Lk+S_0#_`nAg7q)BhRx(GQK^Tlj17{p<3D+kXkB|7$S)-w2!k zjoW|g@}tXJF#SI}zJTd}_&oRi05k7{x&9nX{|Cb6|4`WcAA#wADQx~v!1R9xrvH_& z`M+@Umy( z|0iJjKNU9r=Wc#2x%s~Uf5A=he%w38zYl@w{~k=Ak6`-W3Y-5IH$U97J0J8v1JnOL znEnsJ^nV1V|AnymKNdFsXJGoj0Mq}q%Qupn|64HqKe+iv$<6;W_!eIsKVK0)>@fI( z^!g9M^nVPd{}Y$b-2N4q{?}mozYsS6mu~-+%eOAyf$9Ij@exe_TbG|)egX6S7w*-a z5BlE|HvcnW^S=+K|3hK(e*~ugV=(ofTQL3KgX#Z4*!(}a z`De-P=YP0&cRuKU4^01aF#R8Z>HkpJ{2vLM{}V9%pM&ZD(&a13&HoLU{_ouUz2xS9 z3#R}5FHHTJU48=7 z|1+5WUxdy7aG&e%5A(kVrvJIH`9A>D{}Gt}7sBTM#Lb^dZvM}}^nV4W{~Iv<--7A? 
zPT2fEy7{f-=KmQ?|1V(rpN+cnLI3+;`kxD%{{vz3e+;JoGcf(HUA~aq{9l3Tf8*wF zB{%;MVEW(tqSXHkO#cU9`ag2{*zI3}>Hic=|7XJHf93X{yL{#HHJJW4j<;a?zjOKC zHomxBQW+(IAum1q1|3_i-zZEwBPhk2V9+3Lq1JnOLnEvO&=KsjeFC;hr$6)$D2h;xr znEtQ8^nWdE{%_s{{O<{y{{t}nAA{-t)a5hD z&Hp)={x9A9mE`7s1E&8cFt7g^O#gdd(!GBA-v=`vfVuw=O#cfo{T~aP|E1f1;_|u6 zYcTy^I$nY4|Jvmnmv6y*{W~!I-wT`n2VwL72&VsMVf*=i0n`6p(Vb8Fp9!1)12E?g zB{%;^VER7;)Bib`{x87ve<^JKZ`}Mwa`S%&rvG~|{cpka{{*K0XJPaIB5eNmzqC6a z^nV1V|E0?(lAHfCF#WIH{DtJ^{~ApHkKlmOg6a1KO#gdd*1cZleK7aW!SsI!rvD>h z^S^NWk6k`?^glfC z`uoBB?}Ir%m)!gxfa(7PO#f$K`acKL|617mU%B~f$<6-;O#ioF`hNh^|09_Gx5DQC zN!a}FJt*~m0H*(i%g2(N{}V9%uiX5(BO1?KBtgX#Z9*!*vV&HpW!{vU+R|09?_ zpTPA0ENuSw9^9Qz&dHio^|0iJjKLgYMO4$5gxcN)T&Hpu+{%^qae+Q=j zdocY!2%G;$Ve|h2=Fk6r{I_uX_i*|@1T!B=ZvKzK^ndE+&m=ehYcT!af_eRSVETUq z)BlspFK&N(V2-_h`k#U6e_z=A&%x{;xP0vL5={T6j%Q%{U%7nl@&%avOECRk37h|G zVe@|jrvE!(^M4Pf&qpx*Z-veOi<=)F(w$HG-viVC5t#mu!SsIurvFo6^MCH<*OHt6 zOECRkf$4t(rvFzb9<|XJGdCT|RPo0jB?@;|ZAlPhCE9`5est8chEe z!sh={*!*9C>3<_^{%^tbe-Ebr2VwL7to&rTW4ax z!SsLVcm$^Zh0Dh-pMbgkDVYAxgw6j-*!-V^>HkvL{9l3T{{~F|8)5T*@8%yQH~)`d z`rms*>VF?h{|8|DKNL3q$8LTpx%oc@)BhQm{?}mozW~$!rLg(G5;p(0VE%kRg6aR+ z-Imny!W-K{~4J6=Z*(p`ag8}$mL@&*I$C^|3ujQp9-7*Gcf(Hh0Xs3nEtQ8^nWdE z{%_sY}{^!Ex|H#cRBsc#{F#Vr^>3;>L|8p??uZ7M3 zg|PX*0n^t#nEtmeKS^%>U%>P~dsMf69HiGO>tBKC{{l?^S1#YU{Tnd- z-+}4>UfBFUxc!eVzqmYnUAI2^pE>S>>3{C>fy+l=uD<}&|FN+7UkaQ56EOX+gw6js znEo%o^nWRA{%_p;Mso9i3#R`kF#W%P>3?t1oiF;I37h`|Fy{{?H~$MT{U3wr{}fFB zXJGnY37h|OVe@|lrmtHt{Xe+;D7pE60@MHS^{M|oF#XTL^nU{8^`C<2{~S#J7cO79 z{nudn-+<}=R@nUCx&8MpKe_x2rvKp^()U9TO#d^N_gy{!bNxdw{T~UN|AnymKL*qP zsj&G!1JnOGnEuzo=KspgUrTQOZ@~2b2&VrhFnzv&>3?|i_4kAM-v@JkF1h(X1k?W! 
znEsbw`ac2F|EaL~KNB|p7hw9o0n`7T%lDF-|3@(WKfC!C$?fNV_Kn^8>Hiqa>tBND z{|rq3=PqBk{g+_+zXsF)jj;LOxc#>-Kf1gH)Bm&M3z+_g$GGLTQ~nCx%nR+m-;^f z^ZFNH`ac2F|C!6@ZvPrg|CeC;zY;e8*KYrf%l9rnfa!nh_ynfkXO~}G-kWykgX_=0 z^uI4`{^!Ex{{T$?3t{tr45t4RF#VqjoBwk+zn0wmUx4ZV7EJ&5VETLn)Bjf3{J*&Q z;ql%1p#K?|{`bN3e+Z`kBQX6hgw6l4u=zg&)BgpS{;yrWk=*>>g6aRk%|A+R{-448 z`9Juk^!g9M^nVPd{}Y$b-2N4q{?}mozYsS6mu~-+%eOAyf$9Ij@exe_TbG|)egOxL zCv@k7{`Z8<|4i8Y?}O?8P}uw*f$9GkO#e$^^MB^%SCX6mb1?nifa(7hO#k;_`hO5M z|4(lIS#taNAD-Bq5BlE&)BhYy{|8|DKNL3qN5ba+1WfofJ2!tX zx%uCM>3{#5Q~z@?{U3qp|JdadxBnDO|0^*4p9`D+wcCH;@{P+IF#X>--h=7?!R1Gn zpTN}r45t4VVe>yc>H7P_{O^J3e=cnP55V+)1g8Imu=zi6^QV%V|1&WCUxDfW22B6A zVEVrkHvf-qek-~8e+JY43z+_APwvhK{qKY6e=cnP4}{JCF_`|(!1TX%`9gB@e+8!h zjhnxf-26X)>3?sQ`k#U6{{T$?M=l?`{YxFTnJF z1*ZQSF#T_Y&Hufde~{e#Z^88c1g8Jtsj2@xF#XSj&Huiz`9A{F{|T7>S1zARZvHR8 z^ndN4^6{V&1ve1AmoHqt1k?Yu z;|-YpH!k10d=KX9KY;1~QP})%h0XsHnEr>SrT+K8^uG_L|GBXFKXUU6$<6;UnEubf z^nU@S|0^*4UkjW6TQ`3vx%qzp)Bhuw{-448`F{b^|M2wgd>EVmJz?{I0H*(AF#Vsp zd?va1KL^wQrJKK!-289A^#26r^*@8@fA3qn*H8cZVCDlb_aB1ke*vcdV`1~Zbo) zz??sn-25Mb>HiE&|L0)(zW~$!rLg(Gaq}C=&Ho*k{_nx`zXj9(6PW&=h0Xtqu=(Gw zy7NK*M_~G2x_lzJ`9A~G|Ju!8NN)bG!Sw$K=JjvE^!oy)|GjVPUN7@LnEU5o`acBI z|B6EOX+-2A!Z=Km5*|My^C{{xtQpTPA0;_}|Jy4TPB zGcf(n!SsJ1Z2k}3{v(%9Ts{TU|H|I?^YyR6^nW94{x`zr{}xRD55ngE z5lo*?VETU+HvfCi?#?IYXJDIe{`bN3e+;Jo6EOXsf$4uGZ2m9Y{H5gP{~ApHH(>g| z1JnOKnEoGx&HtmY`F{cP=YRh@y7kllA(;6{a`S%-rvFnne9v1JnN_ znEsz!esTMU@9bVb{m;Pkzb|b5=V0~^Tt0Sr38w#3$1^bfuUtNN`2x)TC7AxNgw6l8 zu=&3M)Bl~Y`M(F#=OdW@x5DQC#m%=b5VrfZ=zkAP|3_f@KL*qP37Gy*h0XuDn_o+A z{x8Awe+8!h4VeCK!SsJ8Z2s?s&Hodae)qmB^*;wQA4qQgkHGZ5bn_>YoBtJ<{%^p% z{tcM^@4@u{=<<`>{|u)8;W^!U=zmYx{LjGb@4I~D@&Zi%OUDy1{hzvg=JGk1{WX~W zFNDqirLg(G0@MFS*!Hi)~{}00E|H;iiOKv~^FJSsVcy4!o>Hi2!|HokZUkaQ5 zGdI7I-2AV>^nU@S|7$S)-+<|VBW(U}h0XsXn0{Zt{P~}Kceg&~eX!-`{{T$?3pal( zx%oc@)BhEi*MAMB|64Hq-@E+i_HV)T{|u)87h&^1d{4JN_V>Ux-|~UWhhX|&I39!P zf9djx%V%KrS77=-7dHQEVe@|hrvGbU^M3=T|64Hq-wB)lM>oHf-26X*>3{!uss95o 
z{U3qpe<5uCPu%>ea{%>8rcl#f}^uGnu|C6x!eRlg_T;8wK_eTz<|3k+k zF#RuFK6d#895AL}`acsk|0`khe-5VqOJVbW1*ZQSF#T_Y&Hufde~{e#KZ5Ch@A;|! zeK7qWfa(8G*!&;6`K9FM{}fFBXJGnYgX#YQO#hd{=Ko6A{NIA<{}D|8&n~}6Za@Ef z-`B05{^wvGZy>q(Ux4ZV92_ueF#TVF>Ho&%TetrXO#csH`hOHQ|68~J$>qK8PyNrp z^gnkz0Mq}W%SSFBgSq|^O#dgs=KoaK{GWm8e=ThOFTnJF1*ZRNVe^0M=I3=P3{x5{h{|%VF?!olG zb@@qh^Zx>-|Je_8>*w+MV9U+_A(;Npz`XtynEo%o^nc~@joZHg)Bhcq{_lm&|AX8A z=<ZJe*)A03z+`*Uf7*4`kx7#{{t}R4<$GM3o!j3gX#YiO#f$K`dC z|IY2dclpWXXE6N_Ka{>7dSLpWxxDZ40hsF_g6aQA*!(Yq&Hpi&{!fL?{~4J6&%yM+ z7B>G^ZvI+w^M3=T|3@(WKY{7<1x)|Li>|*P%>O=^^K;3~{~?(EkHGZ51k?WsnEp?N z&HtIO`M&_u{|%V_?_9o@-26X+>HpcyzesLB|Fa+N)=&S(U|#jenEs!I&Hvs@y7R;N8QA8V|2dfc55V-l z0Mq|5nEsc-=Kn<4{GWsA{|Ze18<%e-H~;rw`ro?wC&|tK@FS`JBQURj0jB>GF#Vso zeD3zI!9ViQ_Hii?|My_}d<4_~ zR@nT%xcOn(oe%n-f$4uAO#g>q`ac5G|3cXO9}AoRGcf&Mfa(9*XS^uKla z$>kR?{SQChoe%oo6E^=dVe`Ka{=iM~nF7)Gp|JTs0@MF7nEsc-=KsviuOv7B=V1E3 z0n`62nEvm<^#34i{-50Zv*h;kKfJU%AN0QmrvEvZ{tv+Pe<*DJkA%(t37G!R!SsLW z@|EP~{{~F|cW(Y(a`V3h)BpZYr2gk%`ac5G|FO#_ZvQEm{#Ri7KNmLtYq$Tx3*!;hM>3_EB&Zn{Y-v`tG0hs;|h0Xu5 zn_o(9{!hU4e*vcdD=_`vfa!lDZ2s@v{Db7?e+#DnCougFuSosxf$4uHZ2tF!&HoXY z{!hU4zjFCpa`S%yrvGalAHerF#SJ*>HitbpZ^yy{SQCcoeyL4 zzb9<|55V+)45t56m(L_O|L0)(zjX6glAHexnEs!@y#8k}{qMc1d;Rpk4`x09bN?Zj z{uf~SKNdFsOSk{T<#U(UVEVswyaLnzwaYgy--7x2cVPOz7dHP7!sh=GO#jcq_VfP& zrvJTHcjuG-XTs+H0L=MA$<6-}nEube^nVVf{|hkvUkaQ58#lj^-2C5x>Hi)~|64Hq zKY{80S=ju)2%G=?pX$yB{U3qpf9djx)e<8W~zXsF)Bbe8}1=H^fnEvq`acpj{|j)y7`uGt@(N7S8o1Xa`S%)rvH0zz&L>E z_X$k@FD~!>O!xY^e+H)iIhg(rgw6k<+kfQpiOZ*8`d>MogXw?m@`cM+V7~q}nEr2s z&HqN&{NIA<|3TRNKZ5D=2~7Xb!sdVPwcYvT{0waK&Hp}_{*S@*e*&ieGcf(Hgw6kj zo4=IY{9l9V{{~F|cVPOz2h;z9u=#%!HvcbR{`~L%Y`1>;KLj%$NpAj+!SsLX=FcQI z|7$S)--3DlcVPN|1k?YM%P(&K@N?bkr~et4{`ZB={~XNzfy>7(FTwPG>UajG|CP(< zE?GkVEVrkHvjiv`g{b_|5n)izqt9~b=~=-|2;7MAA#xr7)<{s zVER85Hvi{tel5BAzXa3&6`1}vVEVrW)Bl~Y`M(!7|4(50-P@%8=V0ao$<6-}nEsb; z{zP)~zXH?$4Vc%z0n`6InEoGKescSt!Sp};e77F@-xD_fGcf!6E+4tP0Mq}{@dQl& zr!Jqld=6%R4W|DKVe@|}Z2qsn^uG}{|F>ZJzX#L*gRuF3a`VrU+t2?CnEnr5-<@Cj 
zKLXSLF_`|B!sh?X&95Xk|7$S)Ux4ZV8chE;VEW$(oBvy3^Zy8@-xn}{{%60?t&e#h zY`OVA0Mq}%%^yo{{!hX5e+B0CUxVrY7EJ&5EofTbJ+M{s%DqZ^7pC&7;pJVe|X! z_P@Bi|I6w7BM0B-tKHh{y{~KZRfA8iWBsc$$VEW%{Qvds4`ab|a?xqm#9(^7PoBv}szm(kkpMvTC3{3xP zF#TVE>HkvL{9g&1|64HqKZ5E1+2t3>?dN~*SGx7n{~XNY4J0@J3o!kkgL(aHF#TVF z>Ho&%TetrXO#csH`hOHQ|68~J$>qIYP5sZn^gnkz0Mq}W%SSFBgSq|^O#dgs=KoaK z{GWm8e=ThOFTnJF1*ZRNVe^0M=I-v`tGT-f{{ zx%q|U=6?yM{}V9%ufX(w4yOOLu=&3bHvczZ`nm_x|JLOv$<6-@nEq$K)~%n%>w_&f z|A%1uKLhjnS77?T0Mq}K%QtTS22B5VVEVroHvbQ9|D($Hi5#|1V(r-+NPc zzUY4@Z2k|xoIjM@{4c=te+;JoQ!xFXf$4uGZ2r%M&HojczHY(v|KReY`O)PkF!eu!>HkI8{15NE{{ArkdtmyX3!DD~F#R8a z>3<HkUC{67nu{}(X*&)(IYPh<1H z52pVEF#R72oBv}szm(kkpMdHA0!;r`VEVrS)Bi@;{NKCz2g%L<7EJ$7VEP~SssBAN z{m+EW|Gu#KKLXSL37Gy@E}u(o{x87vf9>XPBsc$eVETUn^ZJMX+O3EF_rdgk;PMfe z`xjvPUxMlXMA-bFy8UM^U$}e;rvGcl8!-KET)uVr9?aK&0Mq}Yu=(E#oBt;;{SUvN z`riZ7|2~-h=fdXy$jvV#H~+_A`acKL{{@)-ufX(wEo}a8-Ta;8=Kldq|Bqn$e+KjC z{{>9{!yk0#!`S@q37h`|F#R8c>HpN_Gs(^WIhg)0-Tam0=6?gG|0gi7{~1jGdwf$9I+HYF#X>PoBs!4 z^Zy8@|7T(Q`F{b^|K7X1^GW|RVe@|g=KP`L=Klyx|7T$OKL^wQ1(^OXh0Xtso8L%o z{_nu_e-EbrEtvkF!1VttZ2n(_&Hw%%b?1ZrkHF7*SP1uyewQwvNN)bm!1TX%^B0nv z|7$S)KZ1GvTQL2;fa!nlkGt2)ybtF7Ihg(r!SsJ5Z2lK+|FO$wF0a7!zjnL;)BmN* zS1#Xx`T83${oe|k|2tvxe-Ebrt+4rj0@LRUnEr>u_4kAM-v@JkF1h(X0Mq{onEube z^nVVf|Fy9BzjE`}lAHexnEr3U^#1^+|3@(WZ-veOld$>U`;*lF0hs<5E+0#7{!hU4 zzjE{ElAHfaF#X?ydHoMy`h5b^|BK6ef7-o%?w^6_e-5Vq17Y)j==LAEeB$ycnEqFe z=V1C@yL{pD6_~Go4W|DaVe`KcHvhL^`hO5M|Bqn$d;-(|v#|N!drx;hIX?s2eDl8# zrvGCw{hxs8{|rq3D`E40;pQ(TH~-gQ`o96w{~ehA@4@u{AZ-30h0Xs9m_Psff7Y#^ z{tv;-N0OWWV=(=ny7@E7&Hoxq|F>XX{~ehAAHnqh3`+&xyu(|_AkNoe3VFPqK9Jn}AA#wA>E=%)H~%Xz{ojCj{Tnd---GG@(d8$%{~1jG!?9Zr{qG5z z{~4J5eV311UV!O;>39OB|5KOGTs{Z0zXsF)g|PX*6gK}?VEW$(oBvxd{ojM>|3TRN zKe_p5$?fO=1x)`3@9WMl{U3qp{}@dFOJVbW=H^$DoBuVK{x87ve+{Pp8!-KEgw6l0 zu=#%k)9(wIKmW78=+?))54PO=AAsq9;pUGeH~*(#`o9A6`me$Ce+#DndzT;G{w{vO!oTRw345KR9I$73-4FI_%y`3%hd3QYg!!sdT1Z2m96^nWdE z{%^qae+#DnJ7M$x=;pVQoBt;;{qMg&^?v}S|06K{FNDqiiJL!_-2AV=^nVVf|4T6a 
zUxDfWTG;&G2%G3{gE)c+os{`bN3f9U3qBsc#{F#TVEdHt7Q`o96w|EHksK{BOYlI4ZvIYk^M4Pf{}(X-{?q$VcfROmE%1TbG|CH~%kS`k(zxw|*Y454PO=AA;%s z49x3af$9GOO#fFd-?;r7F#X?w>Hl8X{6Dz;k1oHsJpA`=ee^$b+y~SD+~ot8kHB1i z0jB?BVe`KfHvcDJ`dOoBunv|K8;%m!HA(Km1+#e&~Vef9CSO z%Libte+Z`kBVqHu5H|nEVER85HveZ}`acKL|617mU%B~f$<6-_nEoHZ^#25=&lfQL z52x$z2lKxV=KNf8^M44Y|06K{FTwPG0;c~{Ve@|`Z2m96^nU}U|2voOB{%<%VETV{ z^DmOy&;RW2yYHi8${~MQY zB{%=~VEW&>`6tQE|L_l~|06K3e*vcd6EOXsxqR;Sufg z0Mq|1nEvm<^!W&;|E;k3e{u7}N4xVu|1&WC?}O?85KR9^VESJOoBv~B^M3}W{|hkv zU%PxGx%s~Z)Bl5;f0W$(KZE)6fACM~^&f)i{}@dFCoZ44{VOp2ufgh|CyU# zNpAkn!SsIvrvF|3TRNKe_p5$?fNV_~-6?(ElEo{^wx&KLFGJp|JTs5;p%Q zVER7?)BmN*SCX6m8!-Lfx%qp^&Hp3#5oHLsn#B8gg>M!){7bi9^XD#4jMo=TKXNer z8_N7!#`zOBe+vHI*!R#`{P#oQYmwLBKZ*G*o)!Oo3;yfKpEHm5+X&w_^3lz2CBGK) zGx%N)58<|T{PX=^yY=w+8QAh`G0(xzkNgQQj(@+8{C~wiCVx8eU9)SU6uu$y4E&Lp z-*CrkVFP~9BSQF?!L^XZ6ZL0t|Ch&8Ig7vl!uWsBxO;c@Hu0D5iP`OL>^S~US>Xkd zpGuCuzen8m3!mHNC-A?6Lp-MDV=(hJvi0?c-TwV+9X}Sl0{u! z!b>7o;A!OFiTu7V>GDG9ggcD!Hsif;bsW+D8j@EH6x z<1Q~F|9m_?&(93Z{oBZ|k2&Y(H;>m==5Hd~{(SvMF!wKd>G9{0ZT~NbuG=_9{?*7o z1kU23jJf|dvi6@NYk&C(>G7J#dc6D=>G3X+_4N*J*)jW;V4janWbJPwYk%>HY5zL1 z_Gh|aFI{#|74 z&p#>cuOn;!8O-y$yKUNk1~Z?0a+kAz9$EXF$l9OXF72-(Ykv#o@tfPH{VkaJxS#gV zB5VITvi65hN&Bafwf_L-@z-}q`ww8|qfbryCy}*(8CmdH>F7|0uHdSCO^<0A~O2Gt&Mwn8&Z~ zlJ>8`%zK}i_75U!|1`4p@4)QOKP&BDf_ePuUDN(0nE3@v|NEbv_Lq^hzX7v98>Ia; zn8z>gmiE_R<|i=wd!Li`7m>Ap4Q79cf9|UP6`02_ZcO_tF!Ljr{g=pk{)h3;W$j;r z*?*3#{nO9un8zR9BkiApneV~uKSkF5JpMVZ{WX~VZDj2)KR@ly@0s?OVD@jp>_0}< z{_G3V{tC?gLuBnQ?v?gu_fGo@F#9)P_U|KWzx`!L*FOcbe-~N%hxbYQ!zk?^g4w?U zvws^|`_GZJzx<+(+22Ig{`|ga|2eY$`Iq0XWA-n=?B7Jz{x-7q7xz#5*O9e9dqCRX zM%Mo9i_`u&nEk8B+JA_w{lob8L}RXh8Cm;7k@g=VYk&CCw0{O>|01&X?;>k|{$*)@ z9a;O&V4mOI1JnL9nEB*EUC#b_WbJPvYk&6TX@3=2`&%%N-#j?&Z^6vRUy=6DB5VIT zvi65@+CPn~{Rc3QzkW#Ce*iNdeP!A|iLCw0$l8Af^ZJ)xmG&V*Qg4tihzsKwP8!(Sw-<0+@VCMZY?H@(f{wlKeAHeJ%K0NJTgL(Yw5o!M# z%)IwCY5yRy_D>^g{|?Ol{A<(xC78#bJ~HiJf|*~y^uPb8w7-n3{SBD?+1I80HJHaQ 
zCux5TW_|**zxVZNe-T;x*I@RCZ%F$qFppn6I_D(K{hP?z-$vH{;#<=Gb!6?&o|g8vk+na2dfGn+ zvwsy?`wx+|fB3Cw|1z@nhi9byhsfF=s?7IUfSP)nfJdp?H@(f{wlKeAHeJ%)@lD5%;Q(jPy5$k=DqJr`v;M=e;Qf) zcVPDC-=Fp`!94!-1!?~h%=`kT|NS3G`^(7M-+P}*OCdHmuC7Au^$ol@9zPMu^fB2HLe+p*4 z2ebbaS^M)JN&9Os``gIcU;b#?pD)w?63l-4Zgu!=WodtSdD=e&v){g3So`g} zgth-1S^c~E?qBJ*@8;G1e3kZ}BkP}k`71hRzkRo>_S<*4YJVG9`>(!xRr>9_QMEsN zW!m3H*8c1#(|-GIP3^bu($xM#WbGfms$*V%`)*3@53f%950SM${8ZX+-)*S<_FabB zzl*H>`8w^dBWwQ|%=5c@P1=73Gq>-S(|-FdIqh#EYk&4LX@3=2`&%%N-@G>MZ^6v% zyS=pEzROGd*O9e9{9M{Ujja6#Fps}}UD|&DGq>+n(ti6cCGB5E*8Z#SJ`(@RpHKUD zU><+@`m}!sW^UhYqy6?>HriiD*8Z#So{|3I7t{U*%;VQ@Nc$TwbNg-)?YHj|(f%s3 z_8-9XfB4I3{~FBWS54Z#1~a$scF=zNE(h(OM%MnT?_QAg=f9fvFTp(i^o?o%63pD5 zt*`y|EPd@SBWwTFv+t!p`}MTH2J`sko6`Oo%-o)BuKo5bbL}r8YyZ`=$E81P)BXy~ z;}>sE`ztVWd$zRp+q0y#fB2he|JAdfrQe>-tna_+Z*|P$58smZPr=OX*}mFu&+^s& z{I}Eot7q>@zdajQ`^(=+`}4P^{Uw&0{R;WMWA@v#-L&7H<)-~@WbMCt_L}tDv(dCa`~9@Pjja9I zAEf>EY%T4#XK88wA+q)l|FC0Te|t8S_J?<;{fEffAO0xqw`Ut^zdg%H`*)GGKmX&j z-<}Pm{bw-G@9vQHpTW%S*)rO1&yvypCbITtf137Jk+r`C^Z3ns(*73A+@9^B{q`&m z?O#XM{_y8%|1`4pAHY2R`n_rY0nFTxqY@+`|Y#D+FwQ1{;SXaO8@W! 
zY5y9`<5wR{``2LRy*BM1MArUkWbNO9`TooQI_+PAdHm^z(*7lwxqY@y*KePt)BZBD z_FsMWP1c|N_q4wT^Z4b5)BYOF+&oC z-D_&cWB!;&boW`tAKO>=J@P)w>|@gVEQ`o`pJf~Q9&sPuH+cr%>}%r2IEJx9^LU%+ z6*K33mAucgyq4Z)xd-z;OS`X9@3S05*841%k@Y^yePq4QvVTLD^FB+vuTqbf-7LM& z((aqo`z+^R-ZxoC*6X?g^Sov^Pp@+sS>I>8uabXn>GitfasLX;e>d7hw*C2YsrT{D z3o!RTMOM%9Pe}V~Fpt+pR?o^?q@M7;O1|F7Ez{S#1M~GBBWr*5iD`cYX8$3w_7}HG z`*~j_`^Wz&?Qg*B-$&MdyQx^u{}jyrU1aSa-a75)eU|aIJ z{zGK#AAU;Ozl^N?;SOm(@2g~g_|&w224?>vvi9#HYkz*nw7-t5{bw-WPrR>^{pUNS z{gY4YnEms}+TTRh{_NA!{wlKew_x@+d3SvFw_xVuJE#4#$lAY-to`9L(*9{=?LUBd zeBM{d{=;3;^^ZO??Vm)}{$*tCKZEIi`B`cI4$OYuSIPd}UDN)-XQ%z+$l6~=*8UdE z{$h~!H(>VjzDo8tcT4;GpOf~FB5QvYS^E!Q_7Cr#_OHS0=Y5szU*DMa_dYl6A4Jyv zX=Lr+f!UvbUfRC|v!C}>vVR%>aJN7Im|wv3-~L?J{xY)mH(>T>pP%;EU>=|MRkFXn zXWD-Pv%mKRX@3z}``2LhhkK>{6`1|Juaf=Mz0>|9nEjW?y8hu8ru|DW`_GZ}{WrZ& z$L!~QmF%C6(*8Y|{in#UxV4-M%MoFzG*-2t7Lz9zqEe~X8$p=_GkA``ztW} z50SOMctG0E`zqOAd~w>p0keM}S^LA6r2SJc`*)GGe^{jbyswh|!!J$yS77#UBWwRT zvietkS;y>eB5QyCz_g$DRkA;SP};u$vwss=``gIcUwnDmzmBZ^*@M%5-dD-~>?_j# zIhg&c$l8C1to_4r+P{pf{ox^LKkut#fB4F@e+Fj%BC_`HB5QyCRcU`6S^LjmzW;b% zCHv10P5UPg>zMuX$lBjT*8c3P)BY;5_P1d6^S(;PEz<1+1^Mb`dxWbF?RPy45l zwf_KSKkut#|KSm7|LAMd{z+u*Uq;scGnoFDUz_&t!0hLJmF(X=GVLEcD(xRf*8V!O z_P1d67hjk5H(>VjzDo8tleEA8^=bbovi4Vzwf_KS|L_~q{xz8Wyswh|>qn>ky>CqW z2a&aZ8d>{yVD{&aN&A;z_Vd0<_Aeis_FusCzyG+jzl^N?4VeAeH0`g!?B{)z?5`i6 z_MgD)?|oC+UqsgaHJJV332A=?WG5edy+Mho&?dN@!?9abF?O%Y|zlp5gWD%>H>~?QbG$fA&3Te-&B#TQK{1UnTq7=cWDQ?@jw>k+pvvS^Gns_D>^g z{{hT?-dD-~!}HVr(f6hOlgQe?jI8}1+CTV#w0|5~`|HTs z--6j+{9xMOfZ5OcD%sz>FzxRz(*99o?XMzh{{hVY;SZ(#YcTtHUnTq3FG~A+Kb-at zB5VINvi9%5?9X4E_AkNg=Y5szU%n*mzkum~|3}jPGP3qJVD@J}n)cUV_Vd0<_Seg_ z{{&`#@5j>qBC__c!R!w|p7vK@_Vd0<_E#@W`;TDuUn1-IAO1wzzXY@Y99iFg)0cJ3 ze%@Ef{^`rp{ymuer^wo$|L3&72D877to`LG?dN@!>@Q!D_HV)LKStL6?7yV_6`1{p z$l71LGVSMmmFzEmGVR}h*}sph{oz$<{}jyrU1aSazB=vaeUGqm?LS1;{^8H1{maPOA6}RC^S(;w0{X^Kkut#|MD$q{{>9{`@fy`myxx<0kc2*owUCOv!C}>vcG<7 z+J6GGzqd>Ki^$r)2D3lBE$z4OOt<#~`*~j_`>VI7{YNnSFOl{958sjYFTw1$@66Ws 
zpM7Vw_Vd0<_D_E|?camhe~PUA`R}FuHJJVOoyFR3-x;j^yswh|+Hc=kr~TP` z(th4o$^Pum(*8M^{j12@e~7I8!#_{^?K{J?KfE{X=Y5sz5C1LgpMlxGh^+m)$l9MD z(|-HTChfQHOfu&CpZ8U=|NOqRfASX{vwt30`+r9*{S=7|HHTzuKoXJ9D26tTA2T98a?Xf-S+Xvq}%U!vu^v` zZGZ38p|6GbsMBQp^(S=m?HQOlzAD1Ugqw$}`uO`hBP?!dzqu9`ZvI2@IyY|n^WuCv z&fTy-kMm=AJ;eQyZ2ScJFfb!1$zdi zj{mrYQ9M6azg|!NCwgb`TI#qHUcWszR>#eF91Pm#QCvjBbzeI_6$NDe}&gM&2?)CufqAaX9nuH3)WlS zMYqO3t8t#~8Gkx{8NJ0_b!!NpgyYyV`E)!Ry+ewN@JTpt_6$88KaJk}M%^010oT`_ zd8gwyaecFU=++Rv4cFJ6QI`yy=Wx$tYj`@&n>|xb$NjM0^SyLy2tS4EYtMkw@z1!v z?R|7>2p>YPJ+n>6U9sN7eRXSmHZj&~&sfv(#aQp|0lGDWzrlI7XQJtN0j^6^=+^ic zY4qAN%yhg7*Jb@c-5SD;Sg$>EOvlr(-sOXJYkbBq)@#oQ)A4%vTt7s&#?SQQIQC30 z9e;=QRu9#!@y`cbUwa0Zjt8K3dXsLAKI8h@GqZHeaDB^1=++Sa3hT9JTUwej>j&H|$^GEB}_-7&3YtMYr@n&4#?6JBvem(%} zwP!Tx_&2=H@Oa%C!sD@Cd!~|(6|T$q3A#0e*Wx_eGmvz=7uUCal5UO9rp9{hnMKLK zdJj)YwuWEAdA4T^>3A^KyL*~$4dE>~&-P3p9k0UmZJwc92& z!eemW?3p_{mgrqRTepVrF09v{k)vaS_11IU8lTOL>ub-n(eY8d&g!|kHGUog*Vmpw zqvLK^@AP@PHGVDy*VmpIqvM0PzUA|EYkbBwuCG1gMaONi-r@ziHG~IZz4lBN9XDdV z!x!q-5dH$^*`A@ISg^KpIcnG-r5kM%BJ zt6Sr<^08ifMud*n;riCE)2;E@_E@hy(?Q3F@H(s4>(&q^Sg$>ULB|i`x=i1oTSIsy z&a*u;LB~6Beal9-hVZ{|p6wY2IzEcmS-erVhVZjE&-P3L9rwa|hi}rYA-oai*`6Vw z3kzgf4&zx(4j_L+Yj4@Ykn|IJv(*W$d{XY_SE553{7x;1{D3)j~^Q?KLYxW4DN z>DCY)hwE#ff!FbVyw3KWx;2DHpi?nx5m$p;riNV%yqmQ*LU~(x;6g& z5ZBi}6RzW9vEJt0x;2FRV!iemZXI{Pde;Zt8p5C8Jlkikbxg6|<$H8%2p>eReMVZx zkK?-7_uA{Y1J-MwY1T2udhL6_bvy>^wa*~y_(Aw=-7$5dHw`wa?J%_*k6h{G?mscZ1-(*=JsL z+z015`-pB0VUFu-pHbCu6V@Bzzj5feGuCULDb?{ZTwnVh79DTI`3(Q6Tf5(13s;Lv zf?vNnZ#P_hKZgc4VY|~U{QK4GydgAK*Yo-we|&YGZwU68Q61lT#j*G5d|XdncD1e> z!oY36F;206Pxwkqy(4~o&eiq0A=qb3b$ohUug!lFHr^S(zVGTh-w<|g{;jdD)@`?c zFRiRLSMzQNl{qA{f4mmm+RZ?clMdx__y4v@3XPras0uRKXJP|&i!#+F1O;$ z?$?{){M%EEOXr&LV@+#XY!JP_11Su zwua|nz4jS89nVK^bywXQuOrqw{_J%7|Bdxd@0M!KxSwtf;eX>i+h>?`+!E_OyMM=c4X&?!=19j^V7+aj zTjQUzxW4uoAssKmdJhlOt?_$-uwMI2kB*Pvy6hgTTSK@B>$T6|==goCw|R(ejepO_ zaqKfQI(`r9T|ZQ}hVV38U;B)Ujtkbiyh*o)@CsaC`%H?C2jV=}kI=0l{0i1}SWx5odD!}Yb#ROomC)>}MQ 
zw}x;htk*sRq2pb+zQf1s))4NE_1b3^bbLD2n?F&vhVWdh*FIyQV~^{SJz2Mg@CKY` z`%Hk2_u_Sir|Q-ao`Ch*J^VUujrE?NrdvaJ4ScqH?seFAL)rVQeTHrg;R9H&-6OB# zU$EZ8Gj(eS_riIzd)jq;Kd$fY*}66UJs;QC?m^e_y|}*3T(`#Sh4W_jjO+Lntatrf z-5SCpaNg`5Zyo=J*SUP2ZjIkfhV|M#**YGJ_14eVt?@g+aDD9_Y8^MndaD=c)(}2| z^KAD#>$ryXPG6{7<8v)=eeE7)9bb&~mM_w+A-o&c*X}9S@qDbec!_R}???37J-|9X zgzGX~>edh*fc4rvyE@*6_2w_tts(pbj$`-O>iBK+W-r&RA$$X_uiX=?)pLpw}$XuTwl8fQ^#|$-sW|>HGXFx)@%1n>i8X8-}UQtYy5XAtk>>w)Nwnk zclie08owJ4>$Q6lb-WeVrEYX<{C5wWXS;_`$Gh=5t2gS_5FU>8+C6_ddRXuDO}e#v zu8aL#vU~J&JOjPun{{gle~9(kJ#{+%9_uaMqFY1w44gN+2TsRxaD9hw)vX~s4A-}} zOSgXqu5bSKbo(uE-s~PT9UH7S`(51{|Ne>dX7_~Y_y}HS*z4B#?^IZ?-NU8hky!8f z_jPLsug3MYd#-f+KX{$(yLD^)cUqihyGKgLf8cc<4!SiyhX~i#?rG9-Z>)Fs9^D$k zZ{g>a-GiiKj`cS0)vfXUi1Tds4C#0uuFLv;x;2EmW4(5dkB%*_@ACb+HH7cOaqONP z9lwU&`h&VPgfY(Bq)oT~E!JCoDBb>SoHx7YMaSpkJWoHYTjRe|;riM=Dmq??>sy|5 zYY6YbdhMPP9S_2K?fbiR+zRWpdq8v)Snu$ox;2D%;`-V>8#KNd44*ylR zcE7(C|2y4}|A-rI6aV*gjs^D1PHSZTYP#Bd{`E7DY-1Du&$j0VarC=i!YuxJ8~g7Oj4fX0gRYK$byBYq9^X!* z9fyCN$+4gP=ku+@)k(VAa-~81-2l0*=SlJZ<@TF6?3X9U|2Gky#oyP$Pl>;`XL{MN z%}Ue8Y0UQcj+GslhN zlY2dtdp$W`fSu20#N&^I?fg7Q*j|4rY_I1Vg>Ahv;ct!1|Gmu2v-P|fxv{NxC2Z&O zwT}7sRGV-4TU@?(+=6XAPml9&jKA72ju`H55Qnk-(OMeB!F+l}*ST_BJ6<|oJ8m5B z93LFFj?a#-77@4c_1ZJ)Y>;!uL&t^V((%-B<+ygdbi8)lINmuvIBp%E9n*iVH-qow z+%ey;|1Vc}0T*SN(!9`TG< zyyFvpa-g3&-WN{?{wd#agcJP0IWBRHTioLj&v?Z=YOeu_8mt! 
z!Jqehw@+Pv#-D$#|NQZ5##`Lu5zlzVJ3jI4^S_=wAJ5aAl~3EV?>NEU+TvZPVm#5oS%OG9GAGpE$;D%XT0JapZMc%^Lo-;0MleiEG^A9*=m&E8g*mKmMWC%l-I{pXTs>+Mdr>f*&}?C9ZLcdpzP9 zuXx8Newu^)(>*Wn9Y4)c{^|V_{J=RbagAHt;}Oqz#XCOn?F+r!^8(*-gcJNU2m7bb zPmW7m;}-XL#4}#;j!%61{O3hI-_I}b)12|2?ul@MA2`P)u5pWdJmMLzc*iHceUX>@ zUf`!W@n7o434Y)lm$=3)?(v9cyy6|7`1VC#?t6jnIKoeJ{(t)XJaCRnT;mq^c*HYa z@s3Y?`~2tmefIvxcO2maKX8sqT;u20Pd*<{&-jREyy6|7`1uz_&wt+28VsMlo_8GK z1V3<&OI+g?_jtrJUh$4keEZ@r_rAb){Itfzr_WDxR`oZ}MLxWzpl@r+lz;}buv`SDUezT*fd_GKoe1V3<&OI+g?_jtrJUh$4keEa<8VSo1XAHL%VC-{ML{QUa$=RdDzyv02p z@r+lz;}hTho0qTe3w*~BPVfWgxWqMXagRql;}!4t#J4X=KfdD#C-{ML{In*|)Arfx zk6Ya15zlzVJ3jI4{>kBd_IO_4JC1OIA2`P)u5pWdJmMLzc*iGxo`~f6dc62jw@GhXqIPkj4|^y52zT2t|9d%m6t ze&8IJxW+B+@rY-<;vJv(`3b$xJukk}%YD!Dk3Ek^j3@Z{b-vI0=Zu%Q#x3sgh-bXw z9iRC2m0#|Cf$uoN34Y)lm$=3)?(v9cyy6|7`1V!k$4_f`K5fs}Gr|de;2f8@#x3sg zh-bXw9iRA<1;jtq_dI{zbMO7Dev<#We*FA8_2>N`jOVz-HEwZ_M?B*d@A$;G=;gi_ z_>Lo-;HNcNpSI`ok>e8AxWzpl@r+lz;}hThyO)pmY0cQD?fLlcIKl~j;2f8@#x3sg zh-bXw9iRAl{>SIu7hjEj{5;RX^Zp6rPiyKvZO`L5E^&=p+~X0?c*Q$D@$IX>e7rC4 z9Y^?S4dAEkx%Yu{T;dwHxW^-&@rrkR;-@u=KYjc!@Eu1u!4I6{64$uJJs$ClSG?mB z-~N00@$)<(&(}9%{Ams6PoKXB&hgV4&!67E#x3sgh-bXw9iRC2HC{fR7x<1NoZtt} z@$+2Q&*!sdyv02p@r+lz;}hS$CjI!1Bb?v|&T)xr+~OXOc*ZN<@rj>bc=~)jp69uF z_C0?2{5-80{Jf*&}?C9ZLc zdpzP9uXx8NzJ2YN`(EHXj&OpX)_8x~p3hf~OI+g?_jtrJUh$4k{5((7^YOm;Ixipp z(;D?p+w*vY6a2J>{ipZOafxf(;vSE9#w*_OiJxD<``q{9>%M&acO2maKX8sqT;mq^ zc*HYa@s3Y?`+6_;zQA`J;RHW$j!RtQ7Wa6>GhXqIPkj6O^y52@aDpE=$0e?Di+eoc z8LxQ9C%%0H`tcn{IKdB`;}X}n#XTPJj90wl6WLo- z;0MleiEG^A9*=m&E8g*mZz=uwjw77l2hMScYuw@kHGZDw{CWSL@e$8>#XCOn^MrlRf8LA7%je^cBb?v|&T)xr+~OXO zc*ZN<@riHW?&aPW_>Lo-;0MleiEG^A9*=m&E8g*mZ{MDNe8&+^@bmhC&-YW#c!_J= z;vSE9#w*_OiErP5etgFfPVfWgxWqMXagRql;}!4t#J4x-$9Ejz1V3<&OI+g?_jtrJ zUh$4keEW{{<2#P<^ZJ+1_xpqK96zr!@w|V{c#C^H;u)`a$0xphC;IUnM>xR`oZ}ML zxWzpl@r+lz;}hS$GyV9EBb?v|&T)xr+~OXOc*ZN<@rj=&l77A)Ut}+zk2`)|zx8?l zgz*Q?afxf(;vSE9#w*_OiErQK<=z+gjw77l2hMScYuw@?$m$=3)?(v9cyy6|7`1alD 
z$9Ejz1V3<&OI+g?_jtrJUh$4keES~s<2#OUf*&}?C9ZLcdpzP9uXx8NzI{*n@f}C_ zd7Y}~`~AUqj!RtQ7Wa6>GhXqIPkj4c^y52@aDpE=$0e?Di+eoc8LxQ9C%)zM<2#OU zf*&}?C9ZLcdpzP9uXx8NeqR6m`Tl+Jy>Fjv&%Wd5b=IE86UHAn$0e?Di+eoc8LxQ9 zC%%23mwR8}JC1OIA2`P)u5pWdJmMLzc*iHc{SWlxJC1OIA2`P)u5pWdJmMLzc*iHc zy-7cQUMKMRevcSW@B`<##5Hblk4HS?74P`Ox9>|ozT*fd_(^=HthU@AvZgxZ?;X_PVl zU*J2AaDpE=$0e?Di+eoc8LxQ9Cw^Y1^|ROi2fTbf?l{5;e&8IJxW+B+@rY-<;vJv( z_5)w;eSz;d!U=xh9GAGpE$;D%XT0JapZNBJ=*M>);RHW$j!RtQ7Wa6>GhXqIPkj5q z^y52@aDpE=$0e?Di+eoc8LxQ9C%*j<`tcn{IKdB`;}X}n#XTPJj90wl6W@L){rHX} zoZtt}afxf(;vSE9#w*_OiEkzS_>Lo-;0MleiEG^A9*=m&E8g*mZ~qhh_>Lo-;0Mle ziEG^A9*=m&E8g*mZ~rs>_>Lo-;0MleiEG^A9*=m&E8g*mZ$FHFe8&+^@B`<##5Hbl zk4HS?74P`Ox3}oWcO2maKX8sqT;mq^c*HYa@s3Y?`{DHCJC1OIA2`P)u5pWdJmMLz zc*iHc{RsN;9Y;9951iu?*SN(!9`TG zIL9Tfaf^FA;u)`a$0xr1X!`LTM>xR`oZ}MLxWzpl@r+lz;}hS04E^|yBb?v|&T)xr z+~OXOc*ZN<@riFgmVSK45l-*}=eWc*ZgG!CJmVGb_{6s#M?b#f2q*Y~b6nyYx46e6 zp7DxzeB#@Wryt*OgcJP0IWBRHTioLj&v?ZIL9Tfaf^FA;u)`a$0xqE^y52@aDpE=$0e?Di+eoc8LxQ9C%*kW z`tcn{IKdB`;}X}n#XTPJj90wl6W@M5{rHX}oZtt}afxf(;vSE9#w*_OiEqDvetgFf zPVfWgxWqMXagRql;}!4t#J6|o$9Ejz1V3<&OI+g?_jtrJUh$4keEWs;<2#OUf*&}? 
zC9ZLcdpzP9uXx8NzWpNl@f}Av!4I6{64$uJJs$ClSG?mB-+nRu_>Lo-;0MleiEG^A z9*=m&E8g*mZyo*kjw77l2hMScYuw@IL9Tfaf^FA;u)`a$0xr1D*EvqM>xR`oZ}MLxWzpl@r+lz;}hR{`tcn{IKdB` z;}X}n#XTPJj90wl6W@OI?UU`5kKcag z;|M4Cfpc8q8n?K|BcAb!cYNa8ucaT~afB26z&S2)ja%H~5zlzVJ3jI4UHb7IM>xR` zoZ}MLxWzpl@r+lz;}hS09sT%@Bb?v|&T)xr+~OXOc*ZN<@riH0o_>7C5l-*}=eWc* zZgG!CJmVGb_{6v0KtI0Y2q*Y~b6nyYx46e6p7DxzeB#?cKfdD#C-{MLT;dwHxW^-& z@rrkR;@fYeAK!6=6a2tAE^&=p+~X0?c*Q$D@$EO!kMB6b34Y)lm$=3)?(v9cyy6|7 z`1YIW$9Ejz1V3<&OI+g?_jtrJUh$4keETi*<2#OUf*&}?C9ZLcdpzP9uXx8NzWrAE z@f}Av!4I6{64$uJJs$ClSG?mB-+mkY_>Lo-;0MleiEG^A9*=m&E8g*mZ@-;>e8&+^ z@B`<##5Hblk4HS?74P`Ow~>B)#}Q8O1LwHJHEwZ_M?B*d@A$;G-$6gV;|M4Cfpc8q z8n?K|BcAb!cYNa8@1!5!afB26z&S2)ja%H~5zlzVJ3jI4chQgUIKl~j;2f8@#x3sg zh-bXw9iRC29{u=^Bb?v|&T)xr+~OXOc*ZN<@riH0n|^%95l-*}=eWc*ZgG!CJmVGb z_{6v0LqERb2q*Y~b6nyYx46e6p7DxzeB#^hr61pMgcJP0IWBRHTioLj&v?ZLo-;0MleiEG^A9*=m&E8g*mZ-1D6e8&+^@B`<##5Hbl zk4HS?74P`Ow?9HZzT*fd_$9Ejz1V3<&OI+g? z_jtrJUh$4keEZ|{<2#OUf*&}?C9ZLcdpzP9uXx8NzP(RBzT*fd_NE zIL9Tfaf^FA;u)`a$0xr18T#=ZM>xR`oZ}MLxWzpl@r+lz;}hThEdBV7Bb?v|&T)xr z+~OXOc*ZN<@riGLj(&W{5l-*}=eWc*ZgG!CJmVGb_{6tAPd~on2q*Y~b6nyYx46e6 zp7DxzeB#?mKfdD#C-{MLT;dwHxW^-&@rrkR;@kg5KfdD#C-{MLT;dwHxW^-&@rrkR z;@kgDKfdD#C-{MLT;dwHxW^-&@rrkR;@e-KAK!6=6a2tAE^&=p+~X0?c*Q$D@$Ccp z@f}Av!4I6{64$uJJs$ClSG?mB-~JE!@f}Av!4I6{64$uJJs$ClSG?mB-~J-~_>Lo- z;0MleiEG^A9*=m&E8g*mZ-0q?e8&+^@B`<##5Hblk4HS?74P`Ow~c;$#}Q8O1LwHJ zHEwZ_M?B*d@A$;Gzf3>A;|M4Cfpc8q8n?K|BcAb!cYNa8U!fo0afB26z&S2)ja%H~ z5zlzVJ3jI4|D+$^afB26z&S2)ja%H~5zlzVJ3jI4uhNh2IKl~j;2f8@#x3sgh-bXw z9iRC2f6Bn~*;RHW$j!RtQ7Wa6>GhXqIPkj69w@ zIL9Tfaf^FA;u)`a$0xoW^y52@aDpE=$0e?Di+eoc8LxQ9C%*k{`tcn{IKdB`;}X}n z#XTPJj90wl6W{(0{rHX}oZtt}afxf(;vSE9#w*_OiEn?GetgFfPVfWgxWqMXagRql z;}!4t#J9gkKfdD#C-{MLT;dwHxW^-&@rrkR;@jV+AK!6=6a2tAE^&=p+~X0?c*Q$D z@$DbbkMB6b34Y)lm$=3)?(v9cyy6|7`1TL!$9Ejz1V3<&OI+g?_jtrJUh$4kd^_pK zcO2maKX8sqT;mq^c*HYa@s3Y?`$zQSJC1OIA2`P)u5pWdJmMLzc*iHc{bTy^9Y;99 z51iu?*SN(!9`TGIL9Tfaf^FA zeagS%<3nHYh7Ww<;Gci4|LNm>F&yF;r#Qm}u5g1pJm3j0c*6(2aB$I&LmcB2XSl!> 
zZg7VOJmCdz_`nwq{ssLw#4%2Bh6`Nb26uSC6JGF!4}9U^U(%059OD#cxWE-|aEAvx z;RSE_z!whw75zBGF-~!Y3tZs_cX+@PUhswweBt0<(~me~c2Rz{gZ}`9$4*oy- zafoA_;tUtK!VT{5fG51*4IlWz!6(1e~c2Rz{gZ}`9$4*q@mafoA_;tUtK!VT{5fG51*4IlWz!GAzM4sncA zoZ$jjxWOGB@Prq<;R9bd2$*aD^M(;Q>#0 z!5cpCg@gZuejMT$r#Qm}u5g1pJm3j0c*6(2aPXhfk3$^e6lb`=6>e~c2Rz{gZ}`9$ z4!!{WIK(kdafSZg7VOJmCdz_`nwqUeJ$2 z9OD#cxWE-|aEAvx;RSE_z!whwGx~9eW1Qj)7r4R=?(l#oyx$*aD^M(;Q>#0!5cpCg@Z3lKMrw>Q=H)fSGd6) z9`J-0yx{|1IQSy;;}FL<#ThPeg&W-A0Z(|r8$R%bgD*-y4sncAoZ$jjxWOGB@Prq< z;R9bd_%GQ=H)f zSGd6)9`J-0yx{|1IQVbq$03e!iZfi`3OBgJ1D^1LH+$*aD^M(;Q>#0!5cpCg@ae= z$03e!iZfi`3OBgJ1D^1LH+e~c2Rz{g zZ}`9$4!$D&IK(kdafSZg7VOJmCdz_`nwq zzB2td#4%2Bh6`Nb26uSC6JGF!4}9U^tI&@_9OD#cxWE-|aEAvx;RSE_z!wg_D*ZUb zF-~!Y3tZs_cX+@PUhswweBmIXABQ-`Db8?#E8O4?4|u{0-td7h9Q=3m;}FL<#ThPe zg&W-A0Z(|r8$R%bgRe$E4sncAoZ$jjxWOGB@Prq<;R9bd`0DiI5XU&h87^>z8{FXm zPk6x_KJbNu*XYL~j&X`JT;K{fxWfaU@Papd;0p);J^eVuF-~!Y3tZs_cX+@PUhsww zeBt10(2qkL;}mDOz!h$AhX*|21#kGk7Y@EA{W!!iPH~0{T;T?Hc)$~0@P-e3;UK0T zhd9P5&TxS%+~5umc)|Ub<4es!OC%oVdANaz-*QOtbIL0Z? 
zaDgk_;0_OX!VBK;fiE0<9r|&IW1Qj)7r4R=?(l#oyx0r5}el#wpHlfh*kL z4i9+33*PX7FC2V5`f-S3oZ<`@xWWzY@PH@0;0+)6!ok<4ABQ-`Db8?#E8O4?4|u{0 z-td7h9DD=%afoA_;tUtK!VT{5fG51*4IlWzK|((cag0-(;R08$*aD^M(;Q>#0!5cpCg@f1W$03e!iZfi`3OBgJ1D^1LH+e~c2Rz{gZ}`9$4!$M*IK(kdafSZg7VOJmCdz_`nwqzBTQ=H)fSGd6) z9`J-0yx{|1IQVw-;}FL<#ThPeg&W-A0Z(|r8$R%bgKtki4sncAoZ$jjxWOGB@Prq< z;R9bd_zv{r5XU&h87^>z8{FXmPk6x_KJbNuH|WP9j&X`JT;K{fxWfaU@Papd;0p)e zk$xQF7^gVH1+H*|J3QbCFL=WTzHsoJ=*JZg7VOJmCdz_`nwqz6e~c2Rz{gZ}`9$4!#%tIK(kdafSWp&y4h#wpHl zfh*kL4i9+33*PX7FC6?2^y3i6IK>$*aD^M(;Q>#0!5cpCg@ZTg$03e!iZfi`3OBgJ z1D^1LH+Ub< z4es!OC%oVdANaz-51}82IL0Z?aDgk_;0_OX!VBK;fiE2VQ2KF*W1Qj)7r4R=?(l#o zyxQ=H)fSGd6)9`J-0yx{|1IQXCF$03e!iZfi`3OBgJ1D^1LH+Zg7VOJmCdz_`nwq-l89e zIL0Z?aDgk_;0_OX!VBK;fiE2VaQbnGW1Qj)7r4R=?(l#oyxz8{FXmPk6x_KJbNuA5A|Fag0-(;R08$*aD^M(;Q>#0!5cpCg@YeYKMrw>Q=H)fSGd6)9`J-0yx{|1IQR+l;}FL< z#ThPeg&W-A0Z(|r8$R%bgPMLE;uxnm!v(HzgF8In2`_lV2flFd6Y0kxj&X`JT;K{f zxWfaU@Papd;0p&oiGCd77^gVH1+H*|J3QbCFL=WTzHso9>Bk|Caf&ls;0iam!vmi1 zf;W8N3kPr0k3$^e6lb`=6>e~c2Rz{gZ}`9$4t@&#IK(kdafSZg7VOJmCdz_`nwqej5Ea#4%2Bh6`Nb26uSC6JGF!4}9UEp&y4h z#wpHlfh*kL4i9+33*PX7FC6@I`f-S3oZ<`@xWWzY@PH@0;0+)6!okm=ABQ-`Db8?# zE8O4?4|u{0-td7h9Q;iBafoA_;tUtK!VT{5fG51*4IlWz!Ox-}hd9P5&TxS%+~5um zc)|Ub<4es!OC%oVdANaz-&!HcOIL0Z?aDgk_;0_OX!VBK; zfiE2VT>5c{W1Qj)7r4R=?(l#oyxQ=H)fSGd6)9`J-0yx{|1IQV(= z;}FL<#ThPeg&W-A0Z(|r8$R%bgP%`74sncAoZ$jjxWOGB@Prq<;R9bd_yzRi5XU&h z87^>z8{FXmPk6x_KJbNucj(6Zg7VOJmCdz_`nwqehK|J#4%2Bh6`Nb26uSC6JGF!4}9U^ zm(q_z9OD#cxWE-|aEAvx;RSE_z!wgF8T~lKF-~!Y3tZs_cX+@PUhswweBt1i(~m}{W!!iPH~0{T;T?Hc)$~0@P-e3;ow)&k3$^e6lb`= z6>e~c2Rz{gZ}`9$4t^E=IK(kdafS)IL0Z?aDgk_;0_OX z!VBK;fiE2VYWi`AW1Qj)7r4R=?(l#oyxz8{FXmPk6x_KJbNu-#|YOag0-( z;R08e~c2Rz{gZ}`9$4t@vyIK(kdafS zZg7VOJmCdz_`nwqei!{X#4%2Bh6`Nb26uSC6JGF!4}9U^J^FEoW1Qj)7r4R=?(l#o zyxOrXPnm#wpHlfh*kL4i9+33*PX7FC6?H`f-S3oZ<`@xWWzY@PH@0;0+)6 z!olyQABQ-`Db8?#E8O4?4|u{0-td7h98C1%5XU&h87^>z8{FXmPk6x_KJbNu-$y?V zag0-(;R08$*aD^M(;Q>#0!5cpCg@ZptKMrw>Q=H)fSGd6) 
z9`J-0yx{|1IQYZ#;}FL<#ThPeg&W-A0Z(|r8$R%bgFiw)4sncAoZ$jjxWOGB@Prq< z;R9bdnCZtMj&X`JT;K{fxWfaU@Papd;0p(TlztrI7^gVH1+H*|J3QbCFL=WTzHsoz z=*JZg7VOJmCdz_`nwq{v`c4#4%2Bh6`Nb z26uSC6JGF!4}9U^PtlJ<9OD#cxWE-|aEAvx;RSE_z!we{`f-S3oZ<`@xWWzY@PH@0 z;0+)6!omMSKMrw>Q=H)fSGd6)9`J-0yx{|1IQU=b$03e!iZfi`3OBgJ1D^1LH+e~c2Rz{gZ}`9$4*oa#afoA_;tUtK!VT{5 zfG51*4IlWz!T(M_4sncAoZ$jjxWOGB@Prq<;R9bd_zU#o5XU&h87^>z8{FXmPk6x_ zKJbNu59r4sj&X`JT;K{fxWfaU@Papd;0p);2mLt2F-~!Y3tZs_cX+@PUhswweBt0P z(vL$N;}mDOz!h$AhX*|21#kGk7Y_as{W!!iPH~0{T;T?Hc)$~0@P-e3;b5a5hd9P5 z&TxS%+~5umc)|Ub<4es!OC%oVdANaz-U!fm|IL0Z?aDgk_ z;0_OX!VBK;fiE2VpY-Dp$2i3qE^vh#+~EOFc)=S!@P&iFNe~c2Rz{gZ}`9$4tDx+h+~}M3>Ub<4es!OC%oVdANaz-U#B03 zIL0Z?aDgk_;0_OX!VBK;fiE2V4f=72W1Qj)7r4R=?(l#oyx8q#uVk#wpHl zfh*kL4i9+33*PX7FC2VGKMrw>Q=H)fSGd6)9`J-0yx{|1IQW0)$03e!iZfi`3OBgJ z1D^1LH+Zg7VOJmCdz z_`nwq4*GG3W1Qj)7r4R=?(l#oyx8rXPnm#wpHlfh*kL4i9+33*PX7FC6?G z`f-S3oZ<`@xWWzY@PH@0;0+)6!olCAABQ-`Db8?#E8O4?4|u{0-td7h9Q-}{afoA_ z;tUtK!VT{5fG51*4IlWz!QZDJzxF9V?fE)>1HXyi!f)eu@Vodu{678we~3TAul$40 z^*;UA7sjvR*YNB34g4m43%`xu!SCYt@cZ}!{2~4bzw!_1$FJho@ay;u{3d=2zm4C) z@8b9H`}hO=A^r%za?+1q#joMl@f-L}{1$#2zk}b!@8S3H2lzw$5q{+#(T`unui@A6 z8~9E97JeJQgWtvP;rHF;n(pS_)Yv4ejC4o-^K6Y_wfh#L;Mkb z<)6@xU&XKC*YO+pP5c&q8^43!#qZ(w@dx-r{1JZTBl_{H_%-}GegnUW-@cksLT zJ^ViY0Dp)-!ms>O`thsyHT*h$1HXyi!f)eu@Vodu{678we~3TAulzIm@vHbX{5pOE zzlq<%Z{v6HyZAl)KK=lIh(E%w{B!#8tN1niI(`GciQmF+<9G18_&xkS{s4c7Kfum z<5%%(_;vgSeiOfi-^TCYckz4pef$Cb5PyVU`M31rSMh83b^Hc?6TgMu#_!;F@q76H zFYWGOT}kUZj{BZ9?7|L#1PE_SUcdwhlY?jGvClop@S>HIYDz2GVuW>eeRjFZ+`FrL zW)Ulml$GLwVk9VBP)zB9VkC&EHSc21EVTUx|;vBUr&Rcn&Y&6kfq=cmr?Y9lVDR@DU!~!~F0FR`3j-!%H}YSMVC% zz*~3+@8JV{gokICA0EL9p22f?38(N1Uc(!B3-91Pe1MPe@EObxk6;DQ;5od6Q+Nfh z;SIcnckmuQz(;sE#Qg9GR`3j-!%H}YSMVC%z*~3+@8JV{gop3J{O|}?@C=^AOE`sB z@EYF0TX+ZW;RAexhwsJw@Ca7$44%VFIE7d68s5NLcn9y{1AK&s&tiUf1S@z3&*3GU z!Yg|d-wn!;oDY2yoNXM7T&>o_y8Z_;rlT^Jc1QGgXi!PPT>{2hBxpQ-obnL03YGu^OzqV!3v(i zb9f1-@CshT8+Z%v;5~eRkMPjJ{O|}?@C=^AOE`sB@EYF0TX+ZW;RAexhabTF@Ca7$ 
z44%VFIE7d68s5NLcn9y{1AK&se}MVn5v<@DJcpNX3a{Wbyn(my4&K8D_y`X_i230W ztl$|uhnH{)ui!Pjfw%Au-opp@2oFDm`QZ_);2AuJmv9QN;5EE~x9|?$!w2{X5C0JJ z!y{P1Gk6X!;S^rMYj^{1;T^n(5AYEl{t@PfN3eot@El&kDZGN$@CM$(J9rNt;3GWz zFy@Cxu!3js9A3gHyn@&82HwIucn=@oBRu>F=7&eHf@km?UcxE7g4gf{-oiV04eTeyRrkKN7R@Am@i!XX^NF`U2|oWliN!WCS@4cx*V?0g*a!!8`c5gfw_oWVI< zz$IM4HQc~0+`-N#FhA_VAsoRmoWL2J!v$Qz6T)-t< z!8P2#E!@G*pJIO4g+n-kV>p2`IEM?kge$m)8@Po#*!eTe54&&(M{o=$a0cga0he$E z*Kh;3a0feoj`?914&exn;RMd$94_DzuHYJO;1=#+=QEfecHt0?;22Ke49?*KF5wEU z;RbHu4t73^`C%6h;Ruf51kT_bF5nWb;2Lh=7VcnYg!y3?4&exn;RMd$94_DzuHYJO z;1=#+=X01JcHt0?;22Ke49?*KF5wEU;RbHu4tD+m^TRG2!Vw(937o+>T)-t^GsgU|3x{w7$8Z8?a1Ix630H6pH*gDgu;XEV z*o8wlf@3&=GdPC}xP&XXh8wtrJJ|6tKkULG9KkW1z!{vw1zf@vT*D3A!X4}cm>+iG z5RTv&PT&mA;Q}t<3a;S>Zs87g6y}FrID{iOh7&l0bGU#@xPoiAfm^tPoeAcLT{wgz zIEE8AgLAlmOSpn-xPe=^gPkenhg~>?BRGZ=ID>PzfJ?Z7Yq)`1xPzSw%n!S82uE-X zCvXPmZ~>Qa1=nx`w{QnL_c1^0!XX^NF`U2|oWliN!WCS@4cx*V>|A1g*o8wlf@3&= zGdPC}xP&XXh8wtrJJ|Va%n!S82uE-XCvXPmZ~>Qa1=nx`w{QnLe}nm97Y^YFj^PB( z;2bXC60YDHZr~Q~U?;@Qa1=nx`w{QnLU&Z{e3x{w7$8Z8?a1Ix630H6pH*gDgu=6#{54&&(M{o=$a0cga z0he$E*Kh;3@XybFb@tz9zdZZJ*>lhT@7cfJ`?q`le(%?3|8sUc`@gfnd3ycrba4Lo zIyrxF{&(j+-hA}t&Gqv7Ti1`$!S%y8(zg~Sr;o2*xqjpI2anRl;^wWJMe^X$KU}5f z3w?X_VLEu)!@u>xE3@z2x-aWzedQ`iZu+p$+h0Gnn+#58a5Ff6`9}ZG!>c!L2CrQ$ zU%O5huRcin!(M)C@$gal=w|Tpo3GwJc537Zy-3!4^IGS-ZSSTzU5C2|{=f4XoF~b* z9xkqy%f~klUK{9heC7Jl&GjI?di>hr%?HcD`Azyby?R;SzxD8R|M>OgReE)MnFrB} zFM5khdw04YFD93^P$rBQfi%7}o`ef~?8JoeLP--y<4fa7nAk;A6UK|%Fp-CpJQPUd zOXEoh>wklr(`fzBJx#kdyH2(@ae87D}2x8ebYu!sY$`qUmuZ_$GLZ`=>|r zvqZ?E(#=gCg?Mt+EsxB&jh{7E}BYE5_}W-t;{Ppm7pZ}Cg^7gWN!(c33_i| z_Lkt8FkX1Fw*)1@H^Ey>$9A=n;7hnLm&o4TKi%u?OwgB3nm`&~8c)L1E}od6N0la! 
z#+SyEpzNZl33^Lulr(`fzBHZ$-=62x1bykGQPKp`_|kY1rehh?1U;rSfi%7}o`k9W z1loIbX@hS<|0Xy!`lBepGeHk`VGj-@cqZtNm0hGH_$KH@cFk0RlHi-5w^XvF1kVJ$ zI*=_TcqWV&zFjnxpd|Pv=y!}~S1Sp=33|`5>?y&MFfnhY%hSC+1rz!Yplt$ad}%xh z7k2T)1pO|OCXmLL#*;9yi>4;%Eu~S?1k(7@coG78R#Ox7XwoQY0%?3{yxYdE_T(H) z(B~kHk|vPGm&TKz%q6pTlS>-{37!f1S?`}7^7OmQ2G4}?;=(Rc5_}W%%V-asN>CDf z6ZFgzyE>5InV`2+c6lJdGeN(_?V_m!CBeT9vbS%8lHi-5zjfJXnMepEcqZs`7~9o> z1W&^Kz+AhD3H`TN+XT}1(s&Z4r$h9WF`@tb*=8b*k|vPGm&TKzCDf z6Z9v-E}lwI68zg>pJn3P5J>P$@D`qZ#N6w1k`PGnqzR<)rST+8r*TL- z?LVaN`#EKO@Ba2r`s-=?|HSV5FTZ2|f7I)rw*N~bv;X({P4unbuWz{jt9E|#TZ;Zj zb9>wV-JTyvVefhUwz}`npReH;?BBilKGw_rQva>ppX>kQiNBj8$M*OAUQgbBsL?+s z*UR7O;ePaEyZ@8V*=Je*-JiYt5zhZeuYcP0|1W#}|I;q-umAJzhCLQ{>J_LPs!8v|H;EIWzTdC^C~^O(-u#*9o!9k4Z|kqy+qdoK?}gjO f1fJ_Rbiwydf8 Date: Sun, 3 Nov 2024 11:35:22 +0200 Subject: [PATCH 16/23] WIP: Added rule enricher --- go.mod | 2 +- go.sum | 4 ++-- pkg/malwaremanager/v1/malware_manager.go | 4 ++-- pkg/ruleengine/ruleengine_interface.go | 2 ++ pkg/ruleengine/types/types.go | 5 +++++ pkg/ruleengine/v1/failureobj.go | 6 +++++- .../v1/r0001_unexpected_process_launched.go | 2 +- pkg/ruleengine/v1/r0002_unexpected_file_access.go | 2 +- ...r0006_unexpected_service_account_token_access.go | 2 +- .../v1/r0007_kubernetes_client_executed.go | 2 +- .../v1/r0008_read_env_variables_procfs.go | 2 +- .../v1/r0010_unexpected_sensitive_file_access.go | 2 +- .../v1/r1000_exec_from_malicious_source.go | 2 +- .../v1/r1001_exec_binary_not_in_base_image.go | 2 +- pkg/ruleengine/v1/r1004_exec_from_mount.go | 2 +- .../v1/r1010_symlink_created_over_sensitive_file.go | 2 +- pkg/ruleengine/v1/r1011_ld_preload_hook.go | 4 ++-- .../r1012_hardlink_created_over_sensitive_file.go | 2 +- pkg/rulemanager/v1/rule_manager.go | 13 ++++++++----- 19 files changed, 38 insertions(+), 24 deletions(-) diff --git a/go.mod b/go.mod index 209de451..c241777f 100644 --- a/go.mod +++ b/go.mod 
@@ -101,7 +101,7 @@ require (
 github.com/felixge/fgprof v0.9.4 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
 github.com/francoispqt/gojay v1.2.13 // indirect
- github.com/fsnotify/fsnotify v1.7.0 // indirect
+ github.com/fsnotify/fsnotify v1.8.0 // indirect
 github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 github.com/gabriel-vasile/mimetype v1.4.3 // indirect
 github.com/github/go-spdx/v2 v2.2.0 // indirect
diff --git a/go.sum b/go.sum
index 33fa07b4..a351bb89 100644
--- a/go.sum
+++ b/go.sum
@@ -269,8 +269,8 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU=
-github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
-github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
+github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0=
diff --git a/pkg/malwaremanager/v1/malware_manager.go b/pkg/malwaremanager/v1/malware_manager.go
index 728ea60e..a026d576 100644
--- a/pkg/malwaremanager/v1/malware_manager.go
+++ b/pkg/malwaremanager/v1/malware_manager.go
@@ -83,7 +83,7 @@ func (mm *MalwareManager) ContainerCallback(notif containercollection.PubSubEven switch notif.Type { case containercollection.EventTypeAddContainer: - mm.containerIdToPid.Set(notif.Container.Runtime.ContainerID, notif.Container.Pid) + mm.containerIdToPid.Set(notif.Container.Runtime.ContainerID, notif.Container.ContainerPid()) podID := utils.CreateK8sPodID(notif.Container.K8s.Namespace, notif.Container.K8s.PodName) if !mm.podToWlid.Has(podID) { w, err := mm.getWorkloadIdentifier(notif.Container.K8s.Namespace, notif.Container.K8s.PodName) @@ -93,7 +93,7 @@ func (mm *MalwareManager) ContainerCallback(notif containercollection.PubSubEven mm.podToWlid.Set(podID, w) } } - shim, err := utils.GetProcessStat(int(notif.Container.Pid)) + shim, err := utils.GetProcessStat(int(notif.Container.ContainerPid())) if err != nil { logger.L().Warning("RuleManager - failed to get shim process", helpers.Error(err)) } else { diff --git a/pkg/ruleengine/ruleengine_interface.go b/pkg/ruleengine/ruleengine_interface.go index d512670f..1b93d9e8 100644 --- a/pkg/ruleengine/ruleengine_interface.go +++ b/pkg/ruleengine/ruleengine_interface.go @@ -92,6 +92,8 @@ type RuleFailure interface { GetRuntimeAlertK8sDetails() apitypes.RuntimeAlertK8sDetails // Get Rule ID GetRuleId() string + // Get Extra + GetExtra() interface{} // Set Workload Details SetWorkloadDetails(workloadDetails string) diff --git a/pkg/ruleengine/types/types.go b/pkg/ruleengine/types/types.go index 49f3f630..da8df1b0 100644 --- a/pkg/ruleengine/types/types.go +++ b/pkg/ruleengine/types/types.go @@ -2,6 +2,7 @@ package types import ( eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" + "github.com/kubescape/node-agent/pkg/ruleengine" ) type SyscallEvent struct { @@ -15,3 +16,7 @@ type SyscallEvent struct { SyscallName string `json:"syscallName,omitempty" column:"syscallName"` } + +type Enricher interface { + EnrichRuleFailure(rule ruleengine.RuleFailure) +} 
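Review bot: The new `Enricher` interface in `pkg/ruleengine/types/types.go` has no doc comment and no stated contract, although the `rule_manager.go` hunks of this patch call it on every rule failure before the alert is exported. I would document it, for example `// Enricher adds third-party context to a rule failure before it is exported; implementations must not block and must tolerate a nil GetExtra().` Since `EnrichRuleFailure` returns nothing, the comment should also say how an implementation is expected to report a failed enrichment. The `// Get Extra` comment added to `GetExtra()` in `ruleengine_interface.go` has the same gap: it does not say what the value holds.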
diff --git a/pkg/ruleengine/v1/failureobj.go b/pkg/ruleengine/v1/failureobj.go index 10fd1bf5..66b73878 100644 --- a/pkg/ruleengine/v1/failureobj.go +++ b/pkg/ruleengine/v1/failureobj.go @@ -17,7 +17,7 @@ type GenericRuleFailure struct { RuleAlert apitypes.RuleAlert RuntimeAlertK8sDetails apitypes.RuntimeAlertK8sDetails RuleID string - extra interface{} + Extra interface{} } func (rule *GenericRuleFailure) GetBaseRuntimeAlert() apitypes.BaseRuntimeAlert { @@ -44,6 +44,10 @@ func (rule *GenericRuleFailure) GetRuleId() string { return rule.RuleID } +func (rule *GenericRuleFailure) GetExtra() interface{} { + return rule.Extra +} + func (rule *GenericRuleFailure) SetBaseRuntimeAlert(baseRuntimeAlert apitypes.BaseRuntimeAlert) { rule.BaseRuntimeAlert = baseRuntimeAlert } diff --git a/pkg/ruleengine/v1/r0001_unexpected_process_launched.go b/pkg/ruleengine/v1/r0001_unexpected_process_launched.go index e8825ca8..976008c4 100644 --- a/pkg/ruleengine/v1/r0001_unexpected_process_launched.go +++ b/pkg/ruleengine/v1/r0001_unexpected_process_launched.go @@ -146,7 +146,7 @@ func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventTy PodLabels: execEvent.K8s.PodLabels, }, RuleID: rule.ID(), - extra: execEvent.GetExtra(), + Extra: execEvent.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r0002_unexpected_file_access.go b/pkg/ruleengine/v1/r0002_unexpected_file_access.go index d526729c..9cb25d28 100644 --- a/pkg/ruleengine/v1/r0002_unexpected_file_access.go +++ b/pkg/ruleengine/v1/r0002_unexpected_file_access.go @@ -182,7 +182,7 @@ func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType utils.EventType, e PodName: openEvent.GetPod(), }, RuleID: rule.ID(), - extra: fullEvent.GetExtra(), + Extra: fullEvent.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go index dc88f4d8..42b6048b 100644 
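Review bot: Renaming `extra` to `Extra` in `GenericRuleFailure` puts the field on the struct's exported surface, which the rest of the patch does not appear to need: the rule files that set it live in the same `pkg/ruleengine/v1` directory and compiled with the unexported name before, and outside readers now have `GetExtra()`. If any exporter serializes this struct by reflection (not visible in this diff), the raw event payload would start appearing in emitted alerts. I would keep `extra interface{}` unexported and expose it only through `GetExtra()`, or else document on the field what it may contain and where it is allowed to be sent.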
--- a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go +++ b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go @@ -149,7 +149,7 @@ func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType uti PodLabels: openEvent.K8s.PodLabels, }, RuleID: rule.ID(), - extra: fullEvent.GetExtra(), + Extra: fullEvent.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go b/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go index 4692bd48..bd6cecf9 100644 --- a/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go +++ b/pkg/ruleengine/v1/r0007_kubernetes_client_executed.go @@ -184,7 +184,7 @@ func (rule *R0007KubernetesClientExecuted) handleExecEvent(event *events.ExecEve PodLabels: event.K8s.PodLabels, }, RuleID: rule.ID(), - extra: event.GetExtra(), + Extra: event.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go b/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go index 72811154..f69bfd9e 100644 --- a/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go +++ b/pkg/ruleengine/v1/r0008_read_env_variables_procfs.go @@ -114,7 +114,7 @@ func (rule *R0008ReadEnvironmentVariablesProcFS) ProcessEvent(eventType utils.Ev PodLabels: openEvent.K8s.PodLabels, }, RuleID: rule.ID(), - extra: fullEvent.GetExtra(), + Extra: fullEvent.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go index a704fab5..b99e43b3 100644 --- a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go +++ b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go @@ -146,7 +146,7 @@ func (rule *R0010UnexpectedSensitiveFileAccess) ProcessEvent(eventType utils.Eve PodLabels: openEvent.K8s.PodLabels, }, RuleID: rule.ID(), - extra: fullEvent.GetExtra(), + Extra: fullEvent.GetExtra(), } return &ruleFailure 
diff --git a/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go b/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go index def050d4..037996d0 100644 --- a/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go +++ b/pkg/ruleengine/v1/r1000_exec_from_malicious_source.go @@ -106,7 +106,7 @@ func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType PodLabels: execEvent.K8s.PodLabels, }, RuleID: rule.ID(), - extra: execEvent.GetExtra(), + Extra: execEvent.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go b/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go index 71a376c8..1954fa7c 100644 --- a/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go +++ b/pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go @@ -101,7 +101,7 @@ func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType utils.EventTyp PodLabels: execEvent.K8s.PodLabels, }, RuleID: rule.ID(), - extra: execEvent.GetExtra(), + Extra: execEvent.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r1004_exec_from_mount.go b/pkg/ruleengine/v1/r1004_exec_from_mount.go index fbc47998..8f3d9c7f 100644 --- a/pkg/ruleengine/v1/r1004_exec_from_mount.go +++ b/pkg/ruleengine/v1/r1004_exec_from_mount.go @@ -111,7 +111,7 @@ func (rule *R1004ExecFromMount) ProcessEvent(eventType utils.EventType, event ut PodLabels: execEvent.K8s.PodLabels, }, RuleID: R1004ID, - extra: execEvent.GetExtra(), + Extra: execEvent.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go b/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go index 15824227..282d1a1f 100644 --- a/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go +++ b/pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go 
@@ -129,7 +129,7 @@ func (rule *R1010SymlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.E PodLabels: symlinkEvent.K8s.PodLabels, }, RuleID: rule.ID(), - extra: symlinkEvent.GetExtra(), + Extra: symlinkEvent.GetExtra(), } } } diff --git a/pkg/ruleengine/v1/r1011_ld_preload_hook.go b/pkg/ruleengine/v1/r1011_ld_preload_hook.go index 0a093529..1bc29e60 100644 --- a/pkg/ruleengine/v1/r1011_ld_preload_hook.go +++ b/pkg/ruleengine/v1/r1011_ld_preload_hook.go @@ -140,7 +140,7 @@ func (rule *R1011LdPreloadHook) handleExecEvent(execEvent *events.ExecEvent, k8s PodLabels: execEvent.K8s.PodLabels, }, RuleID: rule.ID(), - extra: execEvent.GetExtra(), + Extra: execEvent.GetExtra(), } return &ruleFailure @@ -180,7 +180,7 @@ func (rule *R1011LdPreloadHook) handleOpenEvent(openEvent *events.OpenEvent) rul PodLabels: openEvent.K8s.PodLabels, }, RuleID: rule.ID(), - extra: openEvent.GetExtra(), + Extra: openEvent.GetExtra(), } return &ruleFailure diff --git a/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go b/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go index bc51c0dc..c2e15288 100644 --- a/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go +++ b/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go @@ -129,7 +129,7 @@ func (rule *R1012HardlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils. PodLabels: hardlinkEvent.K8s.PodLabels, }, RuleID: rule.ID(), - extra: hardlinkEvent.GetExtra(), + Extra: hardlinkEvent.GetExtra(), } } } diff --git a/pkg/rulemanager/v1/rule_manager.go b/pkg/rulemanager/v1/rule_manager.go index 56ce6156..d0c0a762 100644 --- a/pkg/rulemanager/v1/rule_manager.go +++ b/pkg/rulemanager/v1/rule_manager.go 
@@ -64,11 +64,12 @@ type RuleManager struct { clusterName string containerIdToShimPid maps.SafeMap[string, uint32] containerIdToPid maps.SafeMap[string, uint32] + enricher ruleenginetypes.Enricher } var _ rulemanager.RuleManagerClient = (*RuleManager)(nil) -func CreateRuleManager(ctx context.Context, cfg config.Config, k8sClient k8sclient.K8sClientInterface, ruleBindingCache bindingcache.RuleBindingCache, objectCache objectcache.ObjectCache, exporter exporters.Exporter, metrics metricsmanager.MetricsManager, nodeName string, clusterName string) (*RuleManager, error) { +func CreateRuleManager(ctx context.Context, cfg config.Config, k8sClient k8sclient.K8sClientInterface, ruleBindingCache bindingcache.RuleBindingCache, objectCache objectcache.ObjectCache, exporter exporters.Exporter, metrics metricsmanager.MetricsManager, nodeName string, clusterName string, enricher ruleenginetypes.Enricher) (*RuleManager, error) { return &RuleManager{ cfg: cfg, ctx: ctx, @@ -81,6 +82,7 @@ func CreateRuleManager(ctx context.Context, cfg config.Config, k8sClient k8sclie metrics: metrics, nodeName: nodeName, clusterName: clusterName, + enricher: enricher, }, nil } @@ -150,7 +152,7 @@ func (rm *RuleManager) monitorContainer(ctx context.Context, container *containe WithMountNsID: eventtypes.WithMountNsID{ MountNsID: watchedContainer.NsMntId, }, - Pid: container.Pid, + Pid: container.ContainerPid(), // TODO: Figure out how to get UID, GID and comm from the syscall. // Uid: container.OciConfig.Process.User.UID, // Gid: container.OciConfig.Process.User.GID, 
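Review bot: The `enricher` argument that `CreateRuleManager` stores is never checked for nil, and the later hunk in `enrichRuleFailure` calls `rm.enricher.EnrichRuleFailure(ruleFailure)` unconditionally. A caller that passes nil would therefore panic on the first rule failure, and in `processEvent` that happens before `rm.exporter.SendRuleAlert(res)`, so the alert is lost rather than sent unenriched. Guard the call with `if rm.enricher != nil { rm.enricher.EnrichRuleFailure(ruleFailure) }`, or reject a nil enricher in the constructor, which already returns an error. The bodies of both functions continue outside these hunks.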
@@ -271,13 +273,13 @@ func (rm *RuleManager) ContainerCallback(notif containercollection.PubSubEvent) } } rm.trackedContainers.Add(k8sContainerID) - shim, err := utils.GetProcessStat(int(notif.Container.Pid)) + shim, err := utils.GetProcessStat(int(notif.Container.ContainerPid())) if err != nil { logger.L().Warning("RuleManager - failed to get shim process", helpers.Error(err)) } else { rm.containerIdToShimPid.Set(notif.Container.Runtime.ContainerID, uint32(shim.PPID)) } - rm.containerIdToPid.Set(notif.Container.Runtime.ContainerID, notif.Container.Pid) + rm.containerIdToPid.Set(notif.Container.Runtime.ContainerID, notif.Container.ContainerPid()) go rm.startRuleManager(rm.ctx, notif.Container, k8sContainerID) case containercollection.EventTypeRemoveContainer: channel := rm.watchedContainerChannels.Get(notif.Container.Runtime.ContainerID) @@ -347,6 +349,7 @@ func (rm *RuleManager) processEvent(eventType utils.EventType, event utils.K8sEv res = rm.enrichRuleFailure(res) res.SetWorkloadDetails(rm.podToWlid.Get(utils.CreateK8sPodID(res.GetRuntimeAlertK8sDetails().Namespace, res.GetRuntimeAlertK8sDetails().PodName))) rm.exporter.SendRuleAlert(res) + rm.metrics.ReportRuleAlert(rule.Name()) } rm.metrics.ReportRuleProcessed(rule.Name()) @@ -480,7 +483,7 @@ func (rm *RuleManager) enrichRuleFailure(ruleFailure ruleengine.RuleFailure) rul } ruleFailure.SetRuntimeAlertK8sDetails(runtimek8sdetails) - + rm.enricher.EnrichRuleFailure(ruleFailure) return ruleFailure } From f65d46d25264353f6ed890898a543ccb434ff913 Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Wed, 20 Nov 2024 16:51:06 +0200 Subject: [PATCH 17/23] WIP: fixed merge issues 
 Signed-off-by: Afek Berger --- go.mod | 26 +- go.sum | 46 ++-- pkg/containerwatcher/v1/callbacks/base.go | 34 --- pkg/containerwatcher/v1/open_test.go | 2 +- pkg/processmanager/v1/process_manager_test.go | 44 +-- pkg/ruleengine/v1/r1011_ld_preload_hook.go | 251 +----------------- ...12_hardlink_created_over_sensitive_file.go | 3 - 7 files changed, 72 insertions(+), 334 deletions(-) delete mode 100644 pkg/containerwatcher/v1/callbacks/base.go
diff --git a/go.mod b/go.mod
index 18cbc0db..99eba93b 100644
--- a/go.mod
+++ b/go.mod
@@ -18,7 +18,7 @@ require (
 github.com/google/uuid v1.6.0
 github.com/goradd/maps v0.1.5
 github.com/hashicorp/golang-lru/v2 v2.0.7
- github.com/inspektor-gadget/inspektor-gadget v0.33.0
+ github.com/inspektor-gadget/inspektor-gadget v0.34.1-0.20241118163702-0b117898586a
 github.com/kinbiko/jsonassert v1.1.1
 github.com/kubescape/backend v0.0.20
 github.com/kubescape/go-logger v0.0.23
@@ -35,8 +35,8 @@ require (
 go.opentelemetry.io/otel v1.31.0
 go.opentelemetry.io/otel/trace v1.31.0
 go.uber.org/multierr v1.11.0
- golang.org/x/net v0.29.0
- golang.org/x/sys v0.26.0
+ golang.org/x/net v0.30.0
+ golang.org/x/sys v0.27.0
 gonum.org/v1/plot v0.14.0
 gopkg.in/mcuadros/go-syslog.v2 v2.3.0
 istio.io/pkg v0.0.0-20231221211216-7635388a563e
@@ -77,7 +77,7 @@ require (
 github.com/containerd/containerd v1.7.23 // indirect
 github.com/containerd/containerd/api v1.7.19 // indirect
 github.com/containerd/continuity v0.4.3 // indirect
- github.com/containerd/errdefs v0.3.0 // indirect
+ github.com/containerd/errdefs v1.0.0 // indirect
 github.com/containerd/fifo v1.1.0 // indirect
 github.com/containerd/log v0.1.0 // indirect
 github.com/containerd/platforms v0.2.1 // indirect
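Review bot: The new requirement `github.com/inspektor-gadget/inspektor-gadget v0.34.1-0.20241118163702-0b117898586a` in the `@@ -18,7 +18,7 @@` hunk is a pseudo-version, that is, an untagged upstream commit rather than a release. With the local-path `replace` for this module dropped further down in the same file, this is the version the build now resolves. The `go.sum` entry pins its content, but nothing records why an unreleased commit is needed or when it can be replaced. I would add a comment above the line, for example `// pinned to an untagged commit; move to the next tagged release once it is available`, so the pin gets revisited.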
@@ -130,7 +130,7 @@ require (
 github.com/google/go-containerregistry v0.20.2 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
- github.com/gopacket/gopacket v1.2.0 // indirect
+ github.com/gopacket/gopacket v1.3.1 // indirect
 github.com/gorilla/websocket v1.5.1 // indirect
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect
@@ -203,7 +203,7 @@ require (
 github.com/uptrace/opentelemetry-go-extra/otelzap v0.3.2 // indirect
 github.com/uptrace/uptrace-go v1.30.1 // indirect
 github.com/vishvananda/netlink v1.3.0 // indirect
- github.com/vishvananda/netns v0.0.4 // indirect
+ github.com/vishvananda/netns v0.0.5 // indirect
 github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 // indirect
 github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
@@ -226,17 +226,17 @@ require ( go.starlark.net v0.0.0-20240517230649-3792562d0b7f // indirect go.uber.org/zap v1.27.0 // indirect go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect - golang.org/x/crypto v0.27.0 // indirect + golang.org/x/crypto v0.28.0 // indirect golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa // indirect golang.org/x/image v0.18.0 // indirect golang.org/x/oauth2 v0.23.0 // indirect - golang.org/x/sync v0.8.0 // indirect - golang.org/x/term v0.25.0 // indirect - golang.org/x/text v0.19.0 // indirect + golang.org/x/sync v0.9.0 // indirect + golang.org/x/term v0.26.0 // indirect + golang.org/x/text v0.20.0 // indirect golang.org/x/time v0.6.0 // indirect google.golang.org/genproto v0.0.0-20240515191416-fc5f0ca64291 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect google.golang.org/grpc v1.67.1 // indirect google.golang.org/protobuf v1.35.1 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect @@ -261,8 +261,6 @@ require ( sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect ) -replace github.com/inspektor-gadget/inspektor-gadget => /home/afek/Projects/Armo/poc/armo/inspektor-gadget - replace github.com/vishvananda/netns => github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6 replace github.com/goradd/maps => github.com/matthyx/maps v0.0.0-20241029072232-2f5d83d608a7 diff --git a/go.sum b/go.sum index d07a8925..7bd93d08 100644 --- a/go.sum +++ b/go.sum 
@@ -178,8 +178,8 @@ github.com/containerd/containerd/api v1.7.19 h1:VWbJL+8Ap4Ju2mx9c9qS1uFSB1OVYr5J github.com/containerd/containerd/api v1.7.19/go.mod h1:fwGavl3LNwAV5ilJ0sbrABL44AQxmNjDRcwheXDb6Ig= github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8= github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= -github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4= -github.com/containerd/errdefs v0.3.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= +github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI= +github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= github.com/containerd/fifo v1.1.0 h1:4I2mbh5stb1u6ycIABlBw9zgtlK8viPI9QkQNRQEEmY= github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= @@ -447,8 +447,8 @@ github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0 github.com/gookit/color v1.2.5/go.mod h1:AhIE+pS6D4Ql0SQWbBeXPHw7gY0/sjHoA4s/n1KB7xg= github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0= github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w= -github.com/gopacket/gopacket v1.2.0 h1:eXbzFad7f73P1n2EJHQlsKuvIMJjVXK5tXoSca78I3A= -github.com/gopacket/gopacket v1.2.0/go.mod h1:BrAKEy5EOGQ76LSqh7DMAr7z0NNPdczWm2GxCG7+I8M= +github.com/gopacket/gopacket v1.3.1 h1:ZppWyLrOJNZPe5XkdjLbtuTkfQoxQ0xyMJzQCqtqaPU= +github.com/gopacket/gopacket v1.3.1/go.mod h1:3I13qcqSpB2R9fFQg866OOgzylYkZxLTmkvcXhvf6qg= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY= github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY= 
@@ -508,6 +508,8 @@ github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+h github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/inspektor-gadget/inspektor-gadget v0.34.1-0.20241118163702-0b117898586a h1:JszeDp2WhDldMRJla7ZJs2D/dAcoWZacAzws8ZAq9NM= +github.com/inspektor-gadget/inspektor-gadget v0.34.1-0.20241118163702-0b117898586a/go.mod h1:SX9luao86CnrEKOygVR/ylQ5Il04CXFMNg7cQhoiNV0= github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6 h1:fQqkJ+WkYfzy6BoUh32fr9uYrXfOGtsfw0skMQkfOic= github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU= @@ -654,8 +656,8 @@ github.com/olvrng/ujson v1.1.0/go.mod h1:Mz4G3RODTUfbkKyvi0lgmPx/7vd3Saksk+1jgk8 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo/v2 v2.20.0 h1:PE84V2mHqoT1sglvHc8ZdQtPcwmvvt29WLEEO3xmdZw= github.com/onsi/ginkgo/v2 v2.20.0/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI= -github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8= -github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= +github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4= +github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= 
@@ -726,8 +728,8 @@ github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0leargg github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= -github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= +github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= 
@@ -1019,8 +1021,8 @@ golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= -golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= +golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= +golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -1055,8 +1057,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= -golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= -golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ= +golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1132,11 +1134,11 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= -golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s= +golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= -golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= +golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU= +golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1146,8 +1148,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= -golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug= +golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -1333,10 +1335,10 @@ google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ6 google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20240515191416-fc5f0ca64291 h1:CTZGpOdDJr2Jq+LcJ/mpjG8mClGy/uJdBBVYbS9g5lY= google.golang.org/genproto v0.0.0-20240515191416-fc5f0ca64291/go.mod h1:ch5ZrEj5+9MCxUeR3Gp3mCJ4u0eVpusYAmSr/mvpMSk= -google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc= -google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 h1:T6rh4haD3GVYsgEfWExoCZA2o2FmbNyKpTuAxbEFPTg= +google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:wp2WsuBYj6j8wUdo3ToZsdxxixbvQNAHqVJrTgi5E5M= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 h1:QCqS/PdaHTSWGvupk2F/ehwHtGc0/GYkT+3GAcR1CCc= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.16.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= diff --git a/pkg/containerwatcher/v1/callbacks/base.go b/pkg/containerwatcher/v1/callbacks/base.go deleted file mode 100644 index 709e89f6..00000000 --- a/pkg/containerwatcher/v1/callbacks/base.go +++ /dev/null 
@@ -1,34 +0,0 @@ -package callbacks - -import ( - "github.com/kubescape/node-agent/pkg/applicationprofilemanager" - "github.com/kubescape/node-agent/pkg/metricsmanager" - "github.com/kubescape/node-agent/pkg/rulemanager" -) - -// EventProcessor defines the interface for processing different event types -type EventProcessor interface { - Process(event interface{}) -} - -// GenericWorkerCallback is the generic callback function for all worker pools -func GenericWorkerCallback(processor EventProcessor) func(interface{}) { - return func(i interface{}) { - processor.Process(i) - } -} - -// BaseEventProcessor provides common processing logic for all event types -type BaseEventProcessor struct { - metrics metricsmanager.MetricsManager - applicationProfileManager applicationprofilemanager.ApplicationProfileManagerClient - ruleManager rulemanager.RuleManagerClient - // Add other common dependencies here -} - -/* -func (b *BaseEventProcessor) commonProcessing(eventType utils.EventType, k8sContainerID string) { - b.metrics.ReportEvent(eventType) - b.ruleManager.ReportEvent(eventType, event) -} -*/ diff --git a/pkg/containerwatcher/v1/open_test.go b/pkg/containerwatcher/v1/open_test.go index 7fb4e084..083c183d 100644 --- a/pkg/containerwatcher/v1/open_test.go +++ b/pkg/containerwatcher/v1/open_test.go @@ -23,7 +23,7 @@ func BenchmarkIGContainerWatcher_openEventCallback(b *testing.B) { assert.NoError(b, err) mockExporter := metricsmanager.NewMetricsMock() - mainHandler, err := CreateIGContainerWatcher(cfg, nil, nil, relevancyManager, nil, nil, mockExporter, nil, nil, nil, nil, nil, nil, nil) + mainHandler, err := CreateIGContainerWatcher(cfg, nil, nil, relevancyManager, nil, nil, mockExporter, nil, nil, nil, nil, nil, nil, nil, nil) assert.NoError(b, err) event := &traceropentype.Event{ Event: types.Event{ diff --git a/pkg/processmanager/v1/process_manager_test.go b/pkg/processmanager/v1/process_manager_test.go index 6405763f..03773441 100644 
--- a/pkg/processmanager/v1/process_manager_test.go +++ b/pkg/processmanager/v1/process_manager_test.go @@ -75,10 +75,10 @@ func TestProcessManagerBasics(t *testing.T) { Container: &containercollection.Container{ Runtime: containercollection.RuntimeMetadata{ BasicRuntimeMetadata: types.BasicRuntimeMetadata{ - ContainerID: containerID, + ContainerID: containerID, + ContainerPID: containerPID, }, }, - Pid: containerPID, }, }) @@ -106,10 +106,10 @@ func TestProcessTracking(t *testing.T) { Container: &containercollection.Container{ Runtime: containercollection.RuntimeMetadata{ BasicRuntimeMetadata: types.BasicRuntimeMetadata{ - ContainerID: containerID, + ContainerID: containerID, + ContainerPID: containerPID, }, }, - Pid: containerPID, }, }) @@ -197,10 +197,10 @@ func TestProcessRemoval(t *testing.T) { Container: &containercollection.Container{ Runtime: containercollection.RuntimeMetadata{ BasicRuntimeMetadata: types.BasicRuntimeMetadata{ - ContainerID: containerID, + ContainerID: containerID, + ContainerPID: containerPID, }, }, - Pid: containerPID, }, }) @@ -271,10 +271,10 @@ func TestContainerRemoval(t *testing.T) { Container: &containercollection.Container{ Runtime: containercollection.RuntimeMetadata{ BasicRuntimeMetadata: types.BasicRuntimeMetadata{ - ContainerID: containerID, + ContainerID: containerID, + ContainerPID: containerPID, }, }, - Pid: containerPID, }, }) @@ -305,10 +305,10 @@ func TestContainerRemoval(t *testing.T) { Container: &containercollection.Container{ Runtime: containercollection.RuntimeMetadata{ BasicRuntimeMetadata: types.BasicRuntimeMetadata{ - ContainerID: containerID, + ContainerID: containerID, + ContainerPID: containerPID, }, }, - Pid: containerPID, }, }) 
@@ -342,10 +342,10 @@ func TestMultipleContainers(t *testing.T) { Container: &containercollection.Container{ Runtime: containercollection.RuntimeMetadata{ BasicRuntimeMetadata: types.BasicRuntimeMetadata{ - ContainerID: c.id, + ContainerID: c.id, + ContainerPID: c.containerPID, }, }, - Pid: c.containerPID, }, }) @@ -389,10 +389,10 @@ func TestMultipleContainers(t *testing.T) { Container: &containercollection.Container{ Runtime: containercollection.RuntimeMetadata{ BasicRuntimeMetadata: types.BasicRuntimeMetadata{ - ContainerID: containers[0].id, + ContainerID: containers[0].id, + ContainerPID: containers[0].containerPID, }, }, - Pid: containers[0].containerPID, }, }) @@ -427,10 +427,10 @@ func TestErrorCases(t *testing.T) { Container: &containercollection.Container{ Runtime: containercollection.RuntimeMetadata{ BasicRuntimeMetadata: types.BasicRuntimeMetadata{ - ContainerID: containerID, + ContainerID: containerID, + ContainerPID: containerPID, }, }, - Pid: containerPID, }, }) @@ -461,10 +461,10 @@ func TestRaceConditions(t *testing.T) { Container: &containercollection.Container{ Runtime: containercollection.RuntimeMetadata{ BasicRuntimeMetadata: types.BasicRuntimeMetadata{ - ContainerID: containerID, + ContainerID: containerID, + ContainerPID: containerPID, }, }, - Pid: containerPID, }, }) @@ -598,10 +598,10 @@ func TestDuplicateProcessHandling(t *testing.T) { Container: &containercollection.Container{ Runtime: containercollection.RuntimeMetadata{ BasicRuntimeMetadata: types.BasicRuntimeMetadata{ - ContainerID: containerID, + ContainerID: containerID, + ContainerPID: containerPID, }, }, - Pid: containerPID, }, }) @@ -702,10 +702,10 @@ func TestProcessReparenting(t *testing.T) { Container: &containercollection.Container{ Runtime: containercollection.RuntimeMetadata{ BasicRuntimeMetadata: types.BasicRuntimeMetadata{ - ContainerID: containerID, + ContainerID: containerID, + ContainerPID: containerPID, }, }, - Pid: containerPID, }, }) 
diff --git a/pkg/ruleengine/v1/r1011_ld_preload_hook.go b/pkg/ruleengine/v1/r1011_ld_preload_hook.go index a2e623af..8447e248 100644 --- a/pkg/ruleengine/v1/r1011_ld_preload_hook.go +++ b/pkg/ruleengine/v1/r1011_ld_preload_hook.go @@ -11,6 +11,7 @@ import ( "github.com/kubescape/node-agent/pkg/utils" apitypes "github.com/armosec/armoapi-go/armotypes" + traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" "github.com/kubescape/go-logger" "github.com/kubescape/go-logger/helpers" ) @@ -68,12 +69,12 @@ func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event ut } if eventType == utils.ExecveEventType { - execEvent, ok := event.(*tracerexectype.Event) + execEvent, ok := event.(*events.ExecEvent) if !ok { return nil } - if allowed, err := isAllowed(&execEvent.Event, objectCache, execEvent.Comm, R1011ID); err != nil { + if allowed, err := isAllowed(&execEvent.Event.Event, objectCache, execEvent.Comm, R1011ID); err != nil { logger.L().Error("failed to check if ld_preload is allowed", helpers.String("ruleID", rule.ID()), helpers.String("error", err.Error())) return nil } else if allowed { @@ -82,19 +83,19 @@ func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event ut return rule.ruleFailureExecEvent(execEvent) } else if eventType == utils.OpenEventType { - openEvent, ok := event.(*traceropentype.Event) + openEvent, ok := event.(*events.OpenEvent) if !ok { return nil } - if allowed, err := isAllowed(&openEvent.Event, objectCache, openEvent.Comm, R1011ID); err != nil { + if allowed, err := isAllowed(&openEvent.Event.Event, objectCache, openEvent.Comm, R1011ID); err != nil { logger.L().Error("failed to check if ld_preload is allowed", helpers.String("ruleID", rule.ID()), helpers.String("error", err.Error())) return nil } else if allowed { return nil } - return rule.ruleFailureOpenEvent(openEvent) + return rule.ruleFailureOpenEvent(&openEvent.Event) } return nil 
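Review bot: In ProcessEvent's open branch, `return rule.ruleFailureOpenEvent(&openEvent.Event)` strips the `*events.OpenEvent` wrapper before the alert is built, while the exec branch hands the wrapper to `ruleFailureExecEvent`. open.go in this series calls `GetExtra()` on the wrapper, so the third-party enrichment presumably lives there and cannot reach an R1011 alert raised from an open of the preload file. Changing `ruleFailureOpenEvent` to accept `*events.OpenEvent` and calling `rule.ruleFailureOpenEvent(openEvent)` would keep both paths consistent; its definition is outside this hunk. Both `!ok` branches also return nil silently, so a producer that still sends the unwrapped tracer type disables the rule with nothing in the log.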
@@ -103,14 +104,14 @@ func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event ut func (rule *R1011LdPreloadHook) EvaluateRule(eventType utils.EventType, event utils.K8sEvent, k8sObjCache objectcache.K8sObjectCache) bool { switch eventType { case utils.ExecveEventType: - execEvent, ok := event.(*tracerexectype.Event) + execEvent, ok := event.(*events.ExecEvent) if !ok { return false } return rule.shouldAlertExec(execEvent, k8sObjCache) case utils.OpenEventType: - openEvent, ok := event.(*traceropentype.Event) + openEvent, ok := event.(*events.OpenEvent) if !ok { return false } 
@@ -127,233 +128,7 @@ func (rule *R1011LdPreloadHook) Requirements() ruleengine.RuleSpec { } } -func (rule *R1011LdPreloadHook) ruleFailureExecEvent(execEvent *tracerexectype.Event) ruleengine.RuleFailure { - envVars, err := utils.GetProcessEnv(int(execEvent.Pid)) - if err != nil { - logger.L().Debug("Failed to get process environment variables", helpers.Error(err)) - return nil - } - - ldHookVar, _ := GetLdHookVar(envVars) - - upperLayer := execEvent.UpperLayer || execEvent.PupperLayer - - ruleFailure := GenericRuleFailure{ - BaseRuntimeAlert: apitypes.BaseRuntimeAlert{ - AlertName: rule.Name(), - Arguments: map[string]interface{}{"envVar": ldHookVar}, - InfectedPID: execEvent.Pid, - FixSuggestions: fmt.Sprintf("Check the environment variable %s", ldHookVar), - Severity: R1011LdPreloadHookRuleDescriptor.Priority, - }, - RuntimeProcessDetails: apitypes.ProcessTree{ - ProcessTree: apitypes.Process{ - Comm: execEvent.Comm, - Gid: &execEvent.Gid, - PID: execEvent.Pid, - Uid: &execEvent.Uid, - UpperLayer: &upperLayer, - PPID: execEvent.Ppid, - Pcomm: execEvent.Pcomm, - Cwd: execEvent.Cwd, - Hardlink: execEvent.ExePath, - Path: getExecFullPathFromEvent(execEvent), - Cmdline: fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(&execEvent.Event), " ")), - }, - ContainerID: execEvent.Runtime.ContainerID, - }, - TriggerEvent: execEvent.Event.Event, - RuleAlert: apitypes.RuleAlert{ - RuleDescription: fmt.Sprintf("Process (%s) was executed in: %s and is using the environment variable %s", execEvent.Comm, execEvent.GetContainer(), fmt.Sprintf("%s=%s", ldHookVar, envVars[ldHookVar])), - }, - RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{ - PodName: execEvent.GetPod(), - PodLabels: execEvent.K8s.PodLabels, - }, - RuleID: rule.ID(), - Extra: execEvent.GetExtra(), - } - ruleFailure := GenericRuleFailure{ - BaseRuntimeAlert: apitypes.BaseRuntimeAlert{ - AlertName: rule.Name(), - Arguments: map[string]interface{}{"envVar": 
ldHookVar}, - InfectedPID: execEvent.Pid, - FixSuggestions: fmt.Sprintf("Check the environment variable %s", ldHookVar), - Severity: R1011LdPreloadHookRuleDescriptor.Priority, - }, - RuntimeProcessDetails: apitypes.ProcessTree{ - ProcessTree: apitypes.Process{ - Comm: execEvent.Comm, - Gid: &execEvent.Gid, - PID: execEvent.Pid, - Uid: &execEvent.Uid, - UpperLayer: &upperLayer, - PPID: execEvent.Ppid, - Pcomm: execEvent.Pcomm, - Cwd: execEvent.Cwd, - Hardlink: execEvent.ExePath, - Path: getExecFullPathFromEvent(execEvent), - Cmdline: fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(execEvent), " ")), - }, - ContainerID: execEvent.Runtime.ContainerID, - }, - TriggerEvent: execEvent.Event, - RuleAlert: apitypes.RuleAlert{ - RuleDescription: fmt.Sprintf("Process (%s) was executed in: %s and is using the environment variable %s", execEvent.Comm, execEvent.GetContainer(), fmt.Sprintf("%s=%s", ldHookVar, envVars[ldHookVar])), - }, - RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{ - PodName: execEvent.GetPod(), - PodLabels: execEvent.K8s.PodLabels, - }, - RuleID: rule.ID(), - } - - return &ruleFailure -} - - return nil -} - -func (rule *R1011LdPreloadHook) handleOpenEvent(openEvent *events.OpenEvent) ruleengine.RuleFailure { - if openEvent.FullPath == LD_PRELOAD_FILE && (openEvent.FlagsRaw&(int32(os.O_WRONLY)|int32(os.O_RDWR))) != 0 { - ruleFailure := GenericRuleFailure{ - BaseRuntimeAlert: apitypes.BaseRuntimeAlert{ - AlertName: rule.Name(), - Arguments: map[string]interface{}{ - "path": openEvent.FullPath, - "flags": openEvent.Flags, - }, - InfectedPID: openEvent.Pid, - FixSuggestions: "Check the file /etc/ld.so.preload", - Severity: R1011LdPreloadHookRuleDescriptor.Priority, - }, - RuntimeProcessDetails: apitypes.ProcessTree{ - ProcessTree: apitypes.Process{ - Comm: openEvent.Comm, - Gid: &openEvent.Gid, - PID: openEvent.Pid, - Uid: &openEvent.Uid, - }, - ContainerID: openEvent.Runtime.ContainerID, - }, - 
TriggerEvent: openEvent.Event.Event, - RuleAlert: apitypes.RuleAlert{ - RuleDescription: fmt.Sprintf("Process (%s) was executed in: %s and is opening the file %s", openEvent.Comm, openEvent.GetContainer(), openEvent.Path), - }, - RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{ - PodName: openEvent.GetPod(), - PodLabels: openEvent.K8s.PodLabels, - }, - RuleID: rule.ID(), - Extra: openEvent.GetExtra(), - } -func (rule *R1011LdPreloadHook) ruleFailureOpenEvent(openEvent *traceropentype.Event) ruleengine.RuleFailure { - ruleFailure := GenericRuleFailure{ - BaseRuntimeAlert: apitypes.BaseRuntimeAlert{ - AlertName: rule.Name(), - Arguments: map[string]interface{}{ - "path": openEvent.FullPath, - "flags": openEvent.Flags, - }, - InfectedPID: openEvent.Pid, - FixSuggestions: "Check the file /etc/ld.so.preload", - Severity: R1011LdPreloadHookRuleDescriptor.Priority, - }, - RuntimeProcessDetails: apitypes.ProcessTree{ - ProcessTree: apitypes.Process{ - Comm: openEvent.Comm, - Gid: &openEvent.Gid, - PID: openEvent.Pid, - Uid: &openEvent.Uid, - }, - ContainerID: openEvent.Runtime.ContainerID, - }, - TriggerEvent: openEvent.Event, - RuleAlert: apitypes.RuleAlert{ - RuleDescription: fmt.Sprintf("Process (%s) was executed in: %s and is opening the file %s", openEvent.Comm, openEvent.GetContainer(), openEvent.Path), - }, - RuntimeAlertK8sDetails: apitypes.RuntimeAlertK8sDetails{ - PodName: openEvent.GetPod(), - PodLabels: openEvent.K8s.PodLabels, - }, - RuleID: rule.ID(), - } - - return &ruleFailure -} - -func (rule *R1011LdPreloadHook) shouldAlertExec(execEvent *tracerexectype.Event, k8sObjCache objectcache.K8sObjectCache) bool { - // Java is a special case, we don't want to alert on it because it uses LD_LIBRARY_PATH. - if execEvent.Comm == JAVA_COMM { - return false - } - - // Check if the process is a MATLAB process and ignore it. 
- if execEvent.GetContainer() == "matlab" { - return false - } - - envVars, err := utils.GetProcessEnv(int(execEvent.Pid)) - if err != nil { - logger.L().Debug("Failed to get process environment variables", helpers.Error(err)) - return false - } - - ldHookVar, shouldCheck := GetLdHookVar(envVars) - if shouldCheck { - podSpec := k8sObjCache.GetPodSpec(execEvent.GetNamespace(), execEvent.GetPod()) - if podSpec != nil { - for _, container := range podSpec.Containers { - if container.Name == execEvent.GetContainer() { - for _, envVar := range container.Env { - if envVar.Name == ldHookVar { - return false - } - } - } - } - } - return true - } - - return false -} - -func (rule *R1011LdPreloadHook) EvaluateRule(eventType utils.EventType, event utils.K8sEvent, k8sObjCache objectcache.K8sObjectCache) bool { - switch eventType { - case utils.ExecveEventType: - execEvent, ok := event.(*tracerexectype.Event) - if !ok { - return false - } - return rule.shouldAlertExec(execEvent, k8sObjCache) - - case utils.OpenEventType: - openEvent, ok := event.(*traceropentype.Event) - if !ok { - return false - } - return rule.shouldAlertOpen(openEvent) - - default: - return false - } -} - -func (rule *R1011LdPreloadHook) shouldAlertOpen(openEvent *traceropentype.Event) bool { - return openEvent.FullPath == LD_PRELOAD_FILE && (openEvent.FlagsRaw&(int32(os.O_WRONLY)|int32(os.O_RDWR))) != 0 -} - -func GetLdHookVar(envVars map[string]string) (string, bool) { - for _, envVar := range LD_PRELOAD_ENV_VARS { - if _, ok := envVars[envVar]; ok { - return envVar, true - } - } - return "", false -} - -func (rule *R1011LdPreloadHook) ruleFailureExecEvent(execEvent *tracerexectype.Event) ruleengine.RuleFailure { +func (rule *R1011LdPreloadHook) ruleFailureExecEvent(execEvent *events.ExecEvent) ruleengine.RuleFailure { envVars, err := utils.GetProcessEnv(int(execEvent.Pid)) if err != nil { logger.L().Debug("Failed to get process environment variables", helpers.Error(err)) 
@@ -384,11 +159,11 @@ func (rule *R1011LdPreloadHook) ruleFailureExecEvent(execEvent *tracerexectype.E Cwd: execEvent.Cwd, Hardlink: execEvent.ExePath, Path: getExecFullPathFromEvent(execEvent), - Cmdline: fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(execEvent), " ")), + Cmdline: fmt.Sprintf("%s %s", getExecPathFromEvent(execEvent), strings.Join(utils.GetExecArgsFromEvent(&execEvent.Event), " ")), }, ContainerID: execEvent.Runtime.ContainerID, }, - TriggerEvent: execEvent.Event, + TriggerEvent: execEvent.Event.Event, RuleAlert: apitypes.RuleAlert{ RuleDescription: fmt.Sprintf("Process (%s) was executed in: %s and is using the environment variable %s", execEvent.Comm, execEvent.GetContainer(), fmt.Sprintf("%s=%s", ldHookVar, envVars[ldHookVar])), }, @@ -437,7 +212,7 @@ func (rule *R1011LdPreloadHook) ruleFailureOpenEvent(openEvent *traceropentype.E return &ruleFailure } -func (rule *R1011LdPreloadHook) shouldAlertExec(execEvent *tracerexectype.Event, k8sObjCache objectcache.K8sObjectCache) bool { +func (rule *R1011LdPreloadHook) shouldAlertExec(execEvent *events.ExecEvent, k8sObjCache objectcache.K8sObjectCache) bool { // Java is a special case, we don't want to alert on it because it uses LD_LIBRARY_PATH. if execEvent.Comm == JAVA_COMM { return false @@ -474,7 +249,7 @@ func (rule *R1011LdPreloadHook) shouldAlertExec(execEvent *tracerexectype.Event, return false } -func (rule *R1011LdPreloadHook) shouldAlertOpen(openEvent *traceropentype.Event) bool { +func (rule *R1011LdPreloadHook) shouldAlertOpen(openEvent *events.OpenEvent) bool { return openEvent.FullPath == LD_PRELOAD_FILE && (openEvent.FlagsRaw&(int32(os.O_WRONLY)|int32(os.O_RDWR))) != 0 } diff --git a/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go b/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go index be08d2a1..e361ffcb 100644 --- a/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go 
+++ b/pkg/ruleengine/v1/r1012_hardlink_created_over_sensitive_file.go @@ -78,16 +78,13 @@ func (rule *R1012HardlinkCreatedOverSensitiveFile) DeleteRule() { } func (rule *R1012HardlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure { - logger.L().Debug("Processing event", helpers.String("ruleID", rule.ID()), helpers.String("eventType", string(eventType))) if !rule.EvaluateRule(eventType, event, objCache.K8sObjectCache()) { - logger.L().Debug("Event does not match rule", helpers.String("ruleID", rule.ID()), helpers.String("eventType", string(eventType))) return nil } hardlinkEvent, _ := event.(*tracerhardlinktype.Event) if allowed, err := isAllowed(&hardlinkEvent.Event, objCache, hardlinkEvent.Comm, R1012ID); err != nil { - logger.L().Error("failed to check if hardlink is allowed", helpers.String("ruleID", rule.ID()), helpers.String("error", err.Error())) return nil } else if allowed { return nil From 01aced6231bc4a0f3c51a4493724d0dc16e4fee6 Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Wed, 20 Nov 2024 17:01:45 +0200 Subject: [PATCH 18/23] WIP: Added enrich event function Signed-off-by: Afek Berger --- pkg/containerwatcher/v1/container_watcher.go | 6 ++++++ pkg/containerwatcher/v1/exec.go | 7 +------ pkg/containerwatcher/v1/hardlink.go | 8 +------- pkg/containerwatcher/v1/open.go | 8 ++------ pkg/containerwatcher/v1/symlink.go | 8 +------- 5 files changed, 11 insertions(+), 26 deletions(-) diff --git a/pkg/containerwatcher/v1/container_watcher.go b/pkg/containerwatcher/v1/container_watcher.go index c2034a28..b0044f78 100644 --- a/pkg/containerwatcher/v1/container_watcher.go +++ b/pkg/containerwatcher/v1/container_watcher.go 
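Review bot: With the `logger.L().Error(...)` line removed, the `err != nil` branch of the `isAllowed` check in ProcessEvent returns nil with no trace, so a failing allow-list lookup suppresses the R1012 alert silently. R1011 in this same series keeps the equivalent log (`failed to check if ld_preload is allowed`), so the two rules now disagree. I would drop only the two Debug lines and keep `logger.L().Error("failed to check if hardlink is allowed", helpers.String("ruleID", rule.ID()), helpers.String("error", err.Error()))`. The context line `hardlinkEvent, _ := event.(*tracerhardlinktype.Event)` discards the assertion result and then dereferences the pointer, which is safe only if EvaluateRule (outside this hunk) already rejects every other type.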
@@ -549,6 +549,12 @@ func (ch *IGContainerWatcher) Ready() bool { return ch.running } +func (ch *IGContainerWatcher) enrichEvent(event utils.EnrichEvent, syscalls []uint64) { + if ch.thirdPartyEnricher != nil { + ch.thirdPartyEnricher.Enrich(event, syscalls) + } +} + func reportEventToThirdPartyTracers(eventType utils.EventType, event utils.K8sEvent, thirdPartyEventReceivers *maps.SafeMap[utils.EventType, mapset.Set[containerwatcher.EventReceiver]]) { if thirdPartyEventReceivers != nil && thirdPartyEventReceivers.Has(eventType) { for receiver := range thirdPartyEventReceivers.Get(eventType).Iter() { diff --git a/pkg/containerwatcher/v1/exec.go b/pkg/containerwatcher/v1/exec.go index d360fdff..d8da57a7 100644 --- a/pkg/containerwatcher/v1/exec.go +++ b/pkg/containerwatcher/v1/exec.go @@ -16,12 +16,7 @@ func (ch *IGContainerWatcher) execEventCallback(event *tracerexectype.Event) { } execEvent := &events.ExecEvent{Event: *event} - if ch.thirdPartyEnricher != nil { - ch.thirdPartyEnricher.Enrich(execEvent, []uint64{unix.SYS_EXECVE, unix.SYS_EXECVEAT}) - if execEvent.GetExtra() != nil { - fmt.Println("execEventCallback GetExtra", execEvent.GetExtra()) - } - } + ch.enrichEvent(execEvent, []uint64{unix.SYS_EXECVE, unix.SYS_EXECVEAT}) if event.Retval > -1 && event.Comm != "" { ch.execWorkerChan <- execEvent diff --git a/pkg/containerwatcher/v1/hardlink.go b/pkg/containerwatcher/v1/hardlink.go index 1d99cd0d..d728a2c8 100644 --- a/pkg/containerwatcher/v1/hardlink.go +++ b/pkg/containerwatcher/v1/hardlink.go @@ -22,13 +22,7 @@ func (ch *IGContainerWatcher) hardlinkEventCallback(event *tracerhardlinktype.Ev return } - if ch.thirdPartyEnricher != nil { - syscalls := []uint64{unix.SYS_LINK, unix.SYS_LINKAT} - ch.thirdPartyEnricher.Enrich(event, syscalls) - if event.GetExtra() != nil { - fmt.Println("hardlinkEventCallback GetExtra", event.GetExtra()) - } - } + ch.enrichEvent(event, []uint64{unix.SYS_LINK, unix.SYS_LINKAT}) ch.hardlinkWorkerChan <- event } 
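Review bot: `enrichEvent` discards whatever `ch.thirdPartyEnricher.Enrich(event, syscalls)` returns and carries no doc comment. In the first patch of this series the interface method returned `error`; if that still holds, a failed enrichment leaves the event without its extra context and nothing records why. I would handle it as `if err := ch.thirdPartyEnricher.Enrich(event, syscalls); err != nil { logger.L().Ctx(ch.ctx).Warning("third party enricher failed", helpers.String("error", err.Error())) }`. A comment such as `// enrichEvent passes event and the syscall numbers that can produce it to the optional third-party enricher; it is a no-op when none is registered.` would also help.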
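Review bot: In `execEventCallback` the enricher runs before the `event.Retval > -1 && event.Comm != ""` filter, so events that are discarded on the next line still pay for third-party enrichment on the tracer's callback path. Moving the call inside the guard, `if event.Retval > -1 && event.Comm != "" { ch.enrichEvent(execEvent, []uint64{unix.SYS_EXECVE, unix.SYS_EXECVEAT}); ch.execWorkerChan <- execEvent }`, limits the work to events that are actually queued. `openEventCallback` in open.go has the same ordering ahead of its `event.Err > -1 && event.FullPath != ""` check. The callback bodies start outside these hunks, so an earlier filter may already narrow the set.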
diff --git a/pkg/containerwatcher/v1/open.go b/pkg/containerwatcher/v1/open.go index 4f35ca3f..2f6717ac 100644 --- a/pkg/containerwatcher/v1/open.go +++ b/pkg/containerwatcher/v1/open.go @@ -16,12 +16,8 @@ func (ch *IGContainerWatcher) openEventCallback(event *traceropentype.Event) { } openEvent := &events.OpenEvent{Event: *event} - if ch.thirdPartyEnricher != nil { - ch.thirdPartyEnricher.Enrich(openEvent, []uint64{unix.SYS_OPEN, unix.SYS_OPENAT}) - if openEvent.GetExtra() != nil { - fmt.Println("openEventCallback GetExtra", openEvent.GetExtra()) - } - } + ch.enrichEvent(openEvent, []uint64{unix.SYS_OPEN, unix.SYS_OPENAT}) + if event.Err > -1 && event.FullPath != "" { ch.openWorkerChan <- openEvent } diff --git a/pkg/containerwatcher/v1/symlink.go b/pkg/containerwatcher/v1/symlink.go index c0d73960..47c6a49a 100644 --- a/pkg/containerwatcher/v1/symlink.go +++ b/pkg/containerwatcher/v1/symlink.go @@ -17,13 +17,7 @@ func (ch *IGContainerWatcher) symlinkEventCallback(event *tracersymlinktype.Even return } - if ch.thirdPartyEnricher != nil { - syscalls := []uint64{unix.SYS_SYMLINKAT, unix.SYS_SYMLINK} - ch.thirdPartyEnricher.Enrich(event, syscalls) - if event.GetExtra() != nil { - fmt.Println("symlinkEventCallback GetExtra", event.GetExtra()) - } - } + ch.enrichEvent(event, []uint64{unix.SYS_SYMLINK, unix.SYS_SYMLINKAT}) if isDroppedEvent(event.Type, event.Message) { logger.L().Ctx(ch.ctx).Warning("symlink tracer got drop events - we may miss some realtime data", helpers.Interface("event", event), helpers.String("error", event.Message)) From 66691acb8f3fdace8069d7fd045e2d5b015a2f5b Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Wed, 20 Nov 2024 17:48:10 +0200 Subject: [PATCH 19/23] WIP: Fixed malware panic bug Signed-off-by: Afek Berger --- pkg/malwaremanager/v1/clamav/clamav.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkg/malwaremanager/v1/clamav/clamav.go b/pkg/malwaremanager/v1/clamav/clamav.go index 3e5bf0eb..10c893f6 100644 
--- a/pkg/malwaremanager/v1/clamav/clamav.go +++ b/pkg/malwaremanager/v1/clamav/clamav.go @@ -3,9 +3,10 @@ package malwaremanager import ( "github.com/cenkalti/backoff/v4" "github.com/dutchcoders/go-clamd" + tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" + traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" "github.com/kubescape/go-logger" "github.com/kubescape/go-logger/helpers" - events "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/malwaremanager" "github.com/kubescape/node-agent/pkg/utils" nautils "github.com/kubescape/node-agent/pkg/utils" @@ -43,9 +44,9 @@ func (c *ClamAVClient) Scan(eventType nautils.EventType, event utils.K8sEvent, c // Check if the event is of type tracerexectype.Event or traceropentype.Event. switch eventType { case nautils.ExecveEventType: - return c.handleExecEvent(&event.(*events.ExecEvent).Event, containerPid) + return c.handleExecEvent(event.(*tracerexectype.Event), containerPid) case nautils.OpenEventType: - return c.handleOpenEvent(&event.(*events.OpenEvent).Event, containerPid) + return c.handleOpenEvent(event.(*traceropentype.Event), containerPid) default: return nil } From 20c9954d31b837f35a81fcc034820d39398da850 Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Thu, 21 Nov 2024 09:39:42 +0200 Subject: [PATCH 20/23] WIP: Fixed event types in tests Signed-off-by: Afek Berger --- .../r0001_unexpected_process_launched_test.go | 56 ++++++++++-------- .../v1/r0002_unexpected_file_access_test.go | 22 +++---- .../r0007_kubernetes_client_executed_test.go | 19 +++--- ...0_unexpected_sensitive_file_access_test.go | 25 ++++---- .../r1000_exec_from_malicious_source_test.go | 19 +++--- .../v1/r1004_exec_from_mount_test.go | 21 ++++--- .../v1/r1011_ld_preload_hook_test.go | 58 ++++++++++--------- pkg/rulemanager/v1/rule_manager.go | 6 +- 8 files changed, 129 insertions(+), 97 deletions(-) 
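Review bot: Both cases in `Scan` use the single-value assertion form, `event.(*tracerexectype.Event)` and `event.(*traceropentype.Event)`, which panics whenever the dynamic type is anything else. The commit swaps the expected type to stop a panic, but the rule engine in this same series asserts `*events.ExecEvent` and `*events.OpenEvent` for the same event types, so a later change on the producer side would bring the panic back and take the malware scanner down with it. The two-value form, returning nil on a mismatch as the `default` case already does, keeps `Scan` safe for any input. The comment above the switch says the type is checked, but nothing checks it today.

```go
	switch eventType {
	case nautils.ExecveEventType:
		execEvent, ok := event.(*tracerexectype.Event)
		if !ok {
			return nil
		}
		return c.handleExecEvent(execEvent, containerPid)
	case nautils.OpenEventType:
		openEvent, ok := event.(*traceropentype.Event)
		if !ok {
			return nil
		}
		return c.handleOpenEvent(openEvent, containerPid)
	// … unchanged: default case …
```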
diff --git a/pkg/ruleengine/v1/r0001_unexpected_process_launched_test.go b/pkg/ruleengine/v1/r0001_unexpected_process_launched_test.go index 7eff76af..f0261f1b 100644 --- a/pkg/ruleengine/v1/r0001_unexpected_process_launched_test.go +++ b/pkg/ruleengine/v1/r0001_unexpected_process_launched_test.go @@ -3,6 +3,8 @@ package ruleengine import ( "testing" + events "github.com/kubescape/node-agent/pkg/ebpf/events" + "github.com/kubescape/node-agent/pkg/objectcache" "github.com/kubescape/node-agent/pkg/utils" @@ -20,18 +22,20 @@ func TestR0001UnexpectedProcessLaunched(t *testing.T) { t.Errorf("Expected r to not be nil") } - e := &tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", + e := &events.ExecEvent{ + Event: tracerexectype.Event{ + Event: eventtypes.Event{ + CommonData: eventtypes.CommonData{ + K8s: eventtypes.K8sMetadata{ + BasicK8sMetadata: eventtypes.BasicK8sMetadata{ + ContainerName: "test", + }, }, }, }, + Comm: "/test", + Args: []string{"test"}, }, - Comm: "/test", - Args: []string{"test"}, } // Test with nil appProfileAccess @@ -64,18 +68,20 @@ func TestR0001UnexpectedProcessLaunched(t *testing.T) { } // Test with non-whitelisted exec - e = &tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", + e = &events.ExecEvent{ + Event: tracerexectype.Event{ + Event: eventtypes.Event{ + CommonData: eventtypes.CommonData{ + K8s: eventtypes.K8sMetadata{ + BasicK8sMetadata: eventtypes.BasicK8sMetadata{ + ContainerName: "test", + }, }, }, }, + Comm: "/asdasd", + Args: []string{"asdasd"}, }, - Comm: "/asdasd", - Args: []string{"asdasd"}, } ruleResult = r.ProcessEvent(utils.ExecveEventType, e, &objCache) if ruleResult == nil { 
@@ -111,18 +117,20 @@ func TestR0001UnexpectedProcessLaunchedArgCompare(t *testing.T) { objCache.SetApplicationProfile(profile) } - e := &tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", + e := &events.ExecEvent{ + Event: tracerexectype.Event{ + Event: eventtypes.Event{ + CommonData: eventtypes.CommonData{ + K8s: eventtypes.K8sMetadata{ + BasicK8sMetadata: eventtypes.BasicK8sMetadata{ + ContainerName: "test", + }, }, }, }, + ExePath: "/test", + Args: []string{"/test", "something"}, }, - ExePath: "/test", - Args: []string{"/test", "something"}, } // Test with whitelisted exec diff --git a/pkg/ruleengine/v1/r0002_unexpected_file_access_test.go b/pkg/ruleengine/v1/r0002_unexpected_file_access_test.go index 8ecfac38..bc97eb72 100644 --- a/pkg/ruleengine/v1/r0002_unexpected_file_access_test.go +++ b/pkg/ruleengine/v1/r0002_unexpected_file_access_test.go @@ -5,6 +5,7 @@ import ( corev1 "k8s.io/api/core/v1" + "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/objectcache" "github.com/kubescape/node-agent/pkg/utils" 
@@ -23,21 +24,22 @@ func TestR0002UnexpectedFileAccess(t *testing.T) { } // Create a file access event - e := &traceropentype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", + e := &events.OpenEvent{ + Event: traceropentype.Event{ + Event: eventtypes.Event{ + CommonData: eventtypes.CommonData{ + K8s: eventtypes.K8sMetadata{ + BasicK8sMetadata: eventtypes.BasicK8sMetadata{ + ContainerName: "test", + }, }, }, }, + Path: "/test", + FullPath: "/test", + Flags: []string{"O_RDONLY"}, }, - Path: "/test", - FullPath: "/test", - Flags: []string{"O_RDONLY"}, } - // Test with nil appProfileAccess ruleResult := r.ProcessEvent(utils.OpenEventType, e, &objectcache.ObjectCacheMock{}) if ruleResult != nil { diff --git a/pkg/ruleengine/v1/r0007_kubernetes_client_executed_test.go b/pkg/ruleengine/v1/r0007_kubernetes_client_executed_test.go index 25379326..b55ab6d2 100644 --- a/pkg/ruleengine/v1/r0007_kubernetes_client_executed_test.go +++ b/pkg/ruleengine/v1/r0007_kubernetes_client_executed_test.go @@ -3,6 +3,7 @@ package ruleengine import ( "testing" + "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/utils" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" @@ -20,18 +21,20 @@ func TestR0007KubernetesClientExecuted(t *testing.T) { } // Create an exec event - e := &tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", + e := &events.ExecEvent{ + Event: tracerexectype.Event{ + Event: eventtypes.Event{ + CommonData: eventtypes.CommonData{ + K8s: eventtypes.K8sMetadata{ + BasicK8sMetadata: eventtypes.BasicK8sMetadata{ + ContainerName: "test", + }, }, }, }, + Comm: "/test", + Args: []string{}, }, - Comm: "/test", - Args: []string{}, } objCache := RuleObjectCacheMock{} 
diff --git a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access_test.go b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access_test.go index e45d7f2b..b530c093 100644 --- a/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access_test.go +++ b/pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access_test.go @@ -5,24 +5,27 @@ import ( traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" + events "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/utils" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" ) -func createTestEvent(path string, flags []string) *traceropentype.Event { - return &traceropentype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", +func createTestEvent(path string, flags []string) *events.OpenEvent { + return &events.OpenEvent{ + Event: traceropentype.Event{ + Event: eventtypes.Event{ + CommonData: eventtypes.CommonData{ + K8s: eventtypes.K8sMetadata{ + BasicK8sMetadata: eventtypes.BasicK8sMetadata{ + ContainerName: "test", + }, }, }, }, + Path: path, + FullPath: path, + Flags: flags, }, - Path: path, - FullPath: path, - Flags: flags, } } @@ -50,7 +53,7 @@ func createTestProfile(containerName string, paths []string, flags []string) *v1 func TestR0010UnexpectedSensitiveFileAccess(t *testing.T) { tests := []struct { name string - event *traceropentype.Event + event *events.OpenEvent profile *v1beta1.ApplicationProfile additionalPaths []interface{} expectAlert bool diff --git a/pkg/ruleengine/v1/r1000_exec_from_malicious_source_test.go b/pkg/ruleengine/v1/r1000_exec_from_malicious_source_test.go index 5345fb2f..86340f5c 100644 --- a/pkg/ruleengine/v1/r1000_exec_from_malicious_source_test.go +++ b/pkg/ruleengine/v1/r1000_exec_from_malicious_source_test.go 
@@ -3,6 +3,7 @@ package ruleengine import ( "testing" + events "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/utils" tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" @@ -17,18 +18,20 @@ func TestR1000ExecFromMaliciousSource(t *testing.T) { t.Errorf("Expected r to not be nil") } // Create an exec event - e := &tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", + e := &events.ExecEvent{ + Event: tracerexectype.Event{ + Event: eventtypes.Event{ + CommonData: eventtypes.CommonData{ + K8s: eventtypes.K8sMetadata{ + BasicK8sMetadata: eventtypes.BasicK8sMetadata{ + ContainerName: "test", + }, }, }, }, + Comm: "/test", + Args: []string{}, }, - Comm: "/test", - Args: []string{}, } ruleResult := r.ProcessEvent(utils.ExecveEventType, e, &RuleObjectCacheMock{}) diff --git a/pkg/ruleengine/v1/r1004_exec_from_mount_test.go b/pkg/ruleengine/v1/r1004_exec_from_mount_test.go index 2d52b73c..afe06715 100644 --- a/pkg/ruleengine/v1/r1004_exec_from_mount_test.go +++ b/pkg/ruleengine/v1/r1004_exec_from_mount_test.go @@ -7,6 +7,7 @@ import ( tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" + events "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" corev1 "k8s.io/api/core/v1" ) 
@@ -18,19 +19,21 @@ func TestR1004ExecFromMount(t *testing.T) { if r == nil { t.Errorf("Expected r to not be nil") } - e := &tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", + e := &events.ExecEvent{ + Event: tracerexectype.Event{ + Event: eventtypes.Event{ + CommonData: eventtypes.CommonData{ + K8s: eventtypes.K8sMetadata{ + BasicK8sMetadata: eventtypes.BasicK8sMetadata{ + ContainerName: "test", + }, }, + Runtime: eventtypes.BasicRuntimeMetadata{ContainerID: "test"}, }, - Runtime: eventtypes.BasicRuntimeMetadata{ContainerID: "test"}, }, + Comm: "/test", + Args: []string{}, }, - Comm: "/test", - Args: []string{}, } // Test case where path is not mounted diff --git a/pkg/ruleengine/v1/r1011_ld_preload_hook_test.go b/pkg/ruleengine/v1/r1011_ld_preload_hook_test.go index 1807b379..e44e6c64 100644 --- a/pkg/ruleengine/v1/r1011_ld_preload_hook_test.go +++ b/pkg/ruleengine/v1/r1011_ld_preload_hook_test.go @@ -3,10 +3,10 @@ package ruleengine import ( "testing" + "github.com/kubescape/node-agent/pkg/ebpf/events" "github.com/kubescape/node-agent/pkg/utils" "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1" - tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" corev1 "k8s.io/api/core/v1" 
@@ -35,19 +35,21 @@ func TestR1011LdPreloadHook(t *testing.T) { } // Create open event - e := &traceropentype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", + e := &events.OpenEvent{ + Event: traceropentype.Event{ + Event: eventtypes.Event{ + CommonData: eventtypes.CommonData{ + K8s: eventtypes.K8sMetadata{ + BasicK8sMetadata: eventtypes.BasicK8sMetadata{ + ContainerName: "test", + }, }, }, }, + Comm: "test", + FullPath: "/etc/ld.so.preload", + FlagsRaw: 1, }, - Comm: "test", - FullPath: "/etc/ld.so.preload", - FlagsRaw: 1, } // Test with existing ld_preload file @@ -100,17 +102,19 @@ func TestR1011LdPreloadHook(t *testing.T) { } // Create open event - e2 := &tracerexectype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", + e2 := &events.OpenEvent{ + Event: traceropentype.Event{ + Event: eventtypes.Event{ + CommonData: eventtypes.CommonData{ + K8s: eventtypes.K8sMetadata{ + BasicK8sMetadata: eventtypes.BasicK8sMetadata{ + ContainerName: "test", + }, }, }, }, + Comm: "java", }, - Comm: "java", } // Test with exec event ruleResult = r.ProcessEvent(utils.ExecveEventType, e2, &objCache) 
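Review bot: `e2` is now built as `*events.OpenEvent` but is still passed to `ProcessEvent` with `utils.ExecveEventType`, so the "exec event is on java" case no longer hands the rule an exec event. If R1011 type-asserts the payload and returns nil on a mismatch, as R0006 does for open events, the nil check passes without exercising the java exemption, and a regression in that branch of the LD_PRELOAD detection would go unnoticed. Build it as `e2 := &events.ExecEvent{Event: tracerexectype.Event{ /* same K8s metadata */ Comm: "java"}}` and keep the `tracerexectype` import that the `@@ -3,10 +3,10 @@` hunk of this file removes. The test function starts and ends outside this hunk.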
@@ -118,19 +122,21 @@ func TestR1011LdPreloadHook(t *testing.T) { t.Errorf("Expected ruleResult to be nil since exec event is on java") } - e3 := &traceropentype.Event{ - Event: eventtypes.Event{ - CommonData: eventtypes.CommonData{ - K8s: eventtypes.K8sMetadata{ - BasicK8sMetadata: eventtypes.BasicK8sMetadata{ - ContainerName: "test", + e3 := &events.OpenEvent{ + Event: traceropentype.Event{ + Event: eventtypes.Event{ + CommonData: eventtypes.CommonData{ + K8s: eventtypes.K8sMetadata{ + BasicK8sMetadata: eventtypes.BasicK8sMetadata{ + ContainerName: "test", + }, }, }, }, + Comm: "test", + FullPath: "/etc/ld.so.preload", + FlagsRaw: 1, }, - Comm: "test", - FullPath: "/etc/ld.so.preload", - FlagsRaw: 1, } objCache = RuleObjectCacheMock{} diff --git a/pkg/rulemanager/v1/rule_manager.go b/pkg/rulemanager/v1/rule_manager.go index 3c351400..a47b6137 100644 --- a/pkg/rulemanager/v1/rule_manager.go +++ b/pkg/rulemanager/v1/rule_manager.go @@ -469,7 +469,11 @@ func (rm *RuleManager) enrichRuleFailure(ruleFailure ruleengine.RuleFailure) rul } ruleFailure.SetRuntimeAlertK8sDetails(runtimek8sdetails) - rm.enricher.EnrichRuleFailure(ruleFailure) + + if rm.enricher != nil { + rm.enricher.EnrichRuleFailure(ruleFailure) + } + return ruleFailure } From c791a02fd207c91eccb44c8d489fe1cea35f3ce6 Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Tue, 26 Nov 2024 10:13:00 +0200 Subject: [PATCH 21/23] Added trace to exporter Signed-off-by: Afek Berger --- pkg/exporters/alert_manager.go | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/pkg/exporters/alert_manager.go b/pkg/exporters/alert_manager.go index 0629b8b0..9f412738 100644 --- a/pkg/exporters/alert_manager.go +++ b/pkg/exporters/alert_manager.go @@ -5,10 +5,12 @@ package exporters import ( "context" + "encoding/json" "fmt" "os" "time" + apitypes "github.com/armosec/armoapi-go/armotypes" "github.com/go-openapi/strfmt" "github.com/kubescape/go-logger" "github.com/kubescape/go-logger/helpers" 
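Review bot: The new `rm.enricher != nil` guard in `enrichRuleFailure` only catches an untyped nil. If `enricher` is an interface-typed field and a caller stores a nil concrete pointer in it, the comparison is still true and `EnrichRuleFailure` runs on a nil receiver. Normalizing at construction time, by assigning the field only when the supplied enricher is really non-nil, keeps this guard sufficient. The field should also say that nil is allowed, e.g. `// enricher is optional; when nil, rule failures are forwarded without third-party enrichment.` The function body starts outside the hunk.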
@@ -45,6 +47,12 @@ func InitAlertManagerExporter(alertManagerURL string) *AlertManagerExporter { } func (ame *AlertManagerExporter) SendRuleAlert(failedRule ruleengine.RuleFailure) { + trace, err := traceToString(failedRule.GetBaseRuntimeAlert().Trace) + if err != nil { + logger.L().Error("Error converting trace to string", helpers.Error(err)) + trace = "" + } + processTree := failedRule.GetRuntimeProcessDetails().ProcessTree process := utils.GetProcessFromProcessTree(&processTree, failedRule.GetBaseRuntimeAlert().InfectedPID) if process == nil { @@ -91,6 +99,7 @@ func (ame *AlertManagerExporter) SendRuleAlert(failedRule ruleengine.RuleFailure "comm": process.Comm, "uid": fmt.Sprintf("%d", process.Uid), "gid": fmt.Sprintf("%d", process.Gid), + "trace": trace, }, }, } @@ -154,3 +163,11 @@ func (ame *AlertManagerExporter) SendMalwareAlert(malwareResult malwaremanager.M return } } + +func traceToString(t apitypes.Trace) (string, error) { + bytes, err := json.Marshal(t) + if err != nil { + return "", fmt.Errorf("error marshaling trace: %v", err) + } + return string(bytes), nil +} From d9c5310a6603cc1e7de377f19671a556a8ee2fc6 Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Mon, 2 Dec 2024 10:15:39 +0200 Subject: [PATCH 22/23] fixed typo Signed-off-by: Afek Berger --- .../v1/r0006_unexpected_service_account_token_access.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go index f2a2507d..cfe33ce1 100644 --- a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go +++ b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go 
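Review bot: The serialized trace is attached by the `"trace": trace` entry in the `@@ -91,6 +99,7 @@` hunk, next to `comm`, `uid` and `gid`. If that map is the alert's label set rather than its annotations (the enclosing literal opens outside the hunk), a per-event JSON blob makes every alert unique and defeats Alertmanager grouping and deduplication. Trace data may also carry workload details, so confirm the receiver is meant to see it and bound its size before export. In the first hunk a marshal failure degrades to `trace = ""`, which a consumer cannot tell apart from an alert that never had a trace. Consider omitting the key in that case, and add a comment such as `// trace is best-effort: on marshal failure the alert is still sent, without a trace.`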
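Review bot: `traceToString` wraps the marshal error with `%v`, which flattens it to text and drops the error chain. `return "", fmt.Errorf("marshaling trace: %w", err)` keeps it usable with `errors.Is`/`errors.As` and avoids repeating "error" when the caller logs it. The local `bytes` also reads like the standard `bytes` package, so `data` is clearer. A doc comment such as `// traceToString serializes the alert trace to JSON for inclusion in the exported alert.` would state the contract.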
@@ -127,12 +127,12 @@ func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType uti return nil } - converedEvent, ok := event.(*events.OpenEvent) + convertedEvent, ok := event.(*events.OpenEvent) if !ok { return nil } - openEvent := converedEvent.Event + openEvent := convertedEvent.Event // Check if this is a token path - using optimized check if getTokenBasePath(openEvent.FullPath) == "" { From 9b413a89efa2d0ee0e1e9be656f1be162afd1837 Mon Sep 17 00:00:00 2001 From: Afek Berger Date: Tue, 3 Dec 2024 09:43:12 +0200 Subject: [PATCH 23/23] updaed ig Signed-off-by: Afek Berger --- go.mod | 2 ++ go.sum | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index a0c82daf..cafe7430 100644 --- a/go.mod +++ b/go.mod @@ -345,3 +345,5 @@ require ( ) replace github.com/vishvananda/netns => github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6 + +replace github.com/inspektor-gadget/inspektor-gadget => github.com/matthyx/inspektor-gadget v0.0.0-20241203073859-c65596d0bce0 diff --git a/go.sum b/go.sum index 8d27203e..47c91a52 100644 --- a/go.sum +++ b/go.sum 
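Review bot: The added `replace` in go.mod redirects `github.com/inspektor-gadget/inspektor-gadget` to a personal fork, `github.com/matthyx/inspektor-gadget`, pinned to an untagged pseudo-version. Neither the file nor the commit message records why. This module supplies the tracer event types used throughout the rule engine, so a reviewer should be able to see which commits the fork carries on top of v0.35.0 and when the override will be removed. Add a comment above the directive, e.g. `// TODO(<owner>): fork carries <upstream PR placeholder>; remove once released upstream`, and consider hosting the fork under the project's organization so access to it is governed the same way as the rest of the code.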
@@ -624,8 +624,6 @@ github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+h github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/inspektor-gadget/inspektor-gadget v0.35.0 h1:+/DxlElkTYCmFhJORhU2/XLzzjLW2jTNYJf7Q6ku0ks= -github.com/inspektor-gadget/inspektor-gadget v0.35.0/go.mod h1:SX9luao86CnrEKOygVR/ylQ5Il04CXFMNg7cQhoiNV0= github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6 h1:fQqkJ+WkYfzy6BoUh32fr9uYrXfOGtsfw0skMQkfOic= github.com/inspektor-gadget/netns v0.0.5-0.20230524185006-155d84c555d6/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= @@ -704,6 +702,8 @@ github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3v github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/matthyx/inspektor-gadget v0.0.0-20241203073859-c65596d0bce0 h1:KYj3eYxemRi9hIhWJtL6V2YAR03Sfn0eli+IfK16hbg= +github.com/matthyx/inspektor-gadget v0.0.0-20241203073859-c65596d0bce0/go.mod h1:SX9luao86CnrEKOygVR/ylQ5Il04CXFMNg7cQhoiNV0= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=