From ea5d021f0c7aff8c0427c0bc06c5dc8b72f841f6 Mon Sep 17 00:00:00 2001 
From: KaraZajac Date: Sat, 16 May 2026 20:29:48 -0400 Subject: [PATCH] tools/iamroot-fleet-scan.sh + docs/DETECTION_PLAYBOOK.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit iamroot-fleet-scan.sh — bash wrapper that scp's the iamroot binary to a host list, ssh-runs --scan --json on each, aggregates results into a single JSON document. Supports: - hosts list from file or stdin - user@host:port syntax - parallel xargs execution (default -P 4) - ssh key / extra ssh opts pass-through - --no-sudo for hosts where root isn't required - --summary-only to suppress per-host detail - --no-cleanup to leave the binary on disk Critical fix during smoke-test: iamroot's exit codes are SEMANTIC (0=OK, 2=VULNERABLE, 4=PRECOND_FAIL, 5=EXPLOIT_OK). The wrapper must NOT treat nonzero exit as a transport failure; success is defined by 'stdout contains valid JSON', failure by 'stdout empty'. Verified end-to-end on kctf-mgr → kctf-fuzz: fleet-scan reports ok=1, failed=0, summary.vulnerable groups by CVE: copy_fail_gcm, dirty_frag_esp×2, entrybleed. Per-host detail included. docs/DETECTION_PLAYBOOK.md — operational integration guide: - Lifecycle diagram (inventory → scan → fleet scan → deploy/mitigate/upgrade → monitor) - Recipes by team size: single host, small fleet, large fleet - SIEM integration patterns: Splunk, Elastic, Sigma - Auditd-event lookup commands per module key - VULNERABLE decision tree (patch vs mitigate vs compensate) - Mitigation revert procedures + side-effect table - False-positive tuning table per rule key - Pre-patch quarantine pattern - Maintenance contract / module-shipping SLA --- docs/DETECTION_PLAYBOOK.md | 302 ++++++++++++++++++++++++++++++++++++ iamroot | Bin 0 -> 141584 bytes tools/iamroot-fleet-scan.sh | 205 ++++++++++++++++++++++++ 3 files changed, 507 insertions(+) create mode 100644 docs/DETECTION_PLAYBOOK.md create mode 100755 iamroot create mode 100755 tools/iamroot-fleet-scan.sh 
diff --git a/docs/DETECTION_PLAYBOOK.md b/docs/DETECTION_PLAYBOOK.md
new file mode 100644
index 0000000..2101f9c
--- /dev/null
+++ b/docs/DETECTION_PLAYBOOK.md
@@ -0,0 +1,302 @@ +# IAMROOT detection playbook + +Operational guide for blue teams using IAMROOT defensively. Pairs +with `docs/DEFENDERS.md` (the "what" reference) — this is the "how to +make it part of your daily ops" guide. + +## The lifecycle + +``` + ┌─────────────┐ + │ inventory │ ← iamroot --list (what's bundled?) + └──────┬──────┘ + ▼ + ┌─────────────┐ + │ scan │ ← iamroot --scan --json (what am I vulnerable to?) + └──────┬──────┘ + ▼ + ┌─────────────┐ + │ fleet scan │ ← iamroot-fleet-scan.sh hosts.txt + └──────┬──────┘ + ▼ + ┌────────────┼────────────┐ + ▼ ▼ ▼ + ┌────────┐ ┌─────────┐ ┌──────────┐ + │ deploy │ │ mitigate│ │ upgrade │ ← three responses + │ rules │ │ (pre-fix│ │ (kernel │ + │(SIEM) │ │ stopgap)│ │ patch) │ + └────┬───┘ └─────┬───┘ └─────┬────┘ + └────────────┼────────────┘ + ▼ + ┌─────────────┐ + │ monitor │ ← ausearch -k iamroot-* / SIEM alerts + └─────────────┘ +``` + +## Recipes by team size + +### Single host (workstation / single server) + +```bash +# Daily/weekly hygiene check +sudo iamroot --scan + +# If anything's VULNERABLE, deploy detections + apply mitigation +sudo iamroot --detect-rules --format=auditd | sudo tee /etc/audit/rules.d/99-iamroot.rules +sudo augenrules --load +sudo iamroot --mitigate copy_fail # or whichever module fired +``` + +### Small fleet (~10-100 hosts, SSH-reachable) + +Use `tools/iamroot-fleet-scan.sh`: + +```bash +# Hosts list — one per line; user@host:port supported +cat > hosts.txt < fleet-scan-$(date +%F).json + +# Show me hosts with any VULNERABLE finding +jq '.hosts[] | select(.scan.modules | map(.result == "VULNERABLE") | any) | .host' \ + fleet-scan-*.json + +# Show summary across the fleet +jq '.summary' fleet-scan-*.json +``` + +Output shape: + +```json +{ + "generated_at": "2026-05-16T22:00:00Z", + "n_hosts": 4, + "summary": { + "ok": 4, + "failed": 0, + "vulnerable": [ + { "cve": "CVE-2024-1086", "name": "nf_tables", "count": 2 }, + { "cve": "CVE-2023-0458", "name": "entrybleed", "count": 4 } + 
] + }, + "hosts": [...] +} +``` + +### Larger fleet (>100 hosts) + +`iamroot-fleet-scan.sh` is intentionally simple (parallel ssh). For +fleets too large for SSH-fan-out, wrap it in your config-management +tool of choice: + +- **Ansible**: ship the binary via `copy:`, run via `command:`, parse + JSON with `jq` in a follow-on task +- **SaltStack**: `cmd.run` returning JSON; `salt-call --return` to your + SIEM +- **Fabric / Mitogen**: same shape, just Python-side + +Sample Ansible task: + +```yaml +- name: scan with iamroot + copy: + src: iamroot + dest: /tmp/iamroot + mode: '0755' +- name: run --scan --json + command: /tmp/iamroot --scan --json --no-color + register: scan + changed_when: false + failed_when: false # iamroot exit codes are semantic, not errors +- name: collect + set_fact: + iamroot_scan: "{{ scan.stdout | from_json }}" +- name: cleanup + file: + path: /tmp/iamroot + state: absent +``` + +## SIEM integration patterns + +### Splunk + +``` +# splunk input config (inputs.conf) +[script:///opt/iamroot/iamroot-cron-scan.sh] +interval = 86400 +source = iamroot +sourcetype = iamroot:scan +``` + +`iamroot-cron-scan.sh`: + +```bash +#!/bin/bash +/usr/local/bin/iamroot --scan --json --no-color +``` + +Search the indexed events: + +```spl +index=iamroot sourcetype="iamroot:scan" modules{}.result=VULNERABLE +| stats count by host modules{}.cve +``` + +### Elastic / OpenSearch + +Filebeat module reading the per-host scan JSON files (one per day), +indexed into an `iamroot-*` index pattern. Standard Kibana +visualization on `modules.cve` over time tracks vulnerability lifecycle. + +### Sigma → your platform + +```bash +# Ship Sigma rules into your platform +iamroot --detect-rules --format=sigma > /etc/sigma/iamroot.yml +# Convert to your target (Sentinel, Elastic, etc.) 
via sigmac +sigmac -t elastic /etc/sigma/iamroot.yml +``` + +## Day-to-day operational shape + +### What "good" looks like in the SIEM + +- Daily `iamroot --scan --json` from every host indexed +- Trend dashboard: count of VULNERABLE results by CVE over time +- Goal: every VULNERABLE → OK transition within SLA (e.g., 14 days for + patched-mainline bugs, 24h for actively-exploited) +- Alert on: any host with a result not seen yesterday (could indicate + a config drift, a new install, or a disabled mitigation) + +### Auditd events from the embedded rules + +After deploying `iamroot --detect-rules --format=auditd`: + +```bash +# By module key +sudo ausearch -k iamroot-copy-fail -ts today +sudo ausearch -k iamroot-dirty-pipe -ts today +sudo ausearch -k iamroot-pwnkit -ts today +sudo ausearch -k iamroot-nf-tables-userns -ts today +sudo ausearch -k iamroot-overlayfs -ts today + +# Anything iamroot-tagged in the last hour +sudo ausearch -k 'iamroot-*' -ts recent + +# Forward to syslog (rsyslog example) +# /etc/rsyslog.d/iamroot.conf: +:msg, contains, "iamroot-" @@your-siem.example.com:514 +``` + +### When a VULNERABLE result fires + +Decision tree: + +``` +A scan reports VULNERABLE for module X +│ +├── Q: Can I patch the underlying kernel / package? +│ ├── YES → schedule patch window. In the meantime: +│ │ iamroot --mitigate X (if supported) +│ │ Verify auditd rule for X is loaded. +│ │ Monitor for the rule key. +│ └── NO (legacy LTS, embedded device, prod freeze) → +│ iamroot --mitigate X (essential) +│ Compensating control: tighten LSM (SELinux/AppArmor) +│ Document in risk register +│ +└── Q: Was this VULNERABLE before? When? 
+ ├── First time → config drift; investigate why detection now + │ produces this result + └── Persistent → mitigation isn't applied OR is being reverted + by config management; fix the config baseline +``` + +### Mitigation reverts + +Mitigations can break legitimate functionality: + +| Mitigation | Side effect | +|---|---| +| `copy_fail` blacklist algif_aead | strongSwan / IPsec breaks | +| `copy_fail` blacklist esp4/esp6 | IPsec breaks | +| `copy_fail` blacklist rxrpc | AFS / kAFS clients break | +| `copy_fail` AppArmor restrict userns=1 | bubblewrap, podman rootless break | + +If you applied a mitigation and now need to revert (e.g., the kernel +patch has rolled out fleet-wide): + +```bash +sudo iamroot --cleanup copy_fail +# OR manually: +sudo rm /etc/modprobe.d/dirtyfail-mitigations.conf +sudo rm /etc/sysctl.d/99-dirtyfail-mitigations.conf +# Reload affected modules / sysctls per your distro +``` + +## Common false positives + tuning + +| Rule key | False positive | Fix | +|---|---|---| +| `iamroot-copy-fail-afalg` | strongSwan, libcrypto using kernel crypto | `-F auid=` exclude service account UIDs | +| `iamroot-dirty-pipe-splice` | nginx, HAProxy, kTLS | `-F gid!=33 -F gid!=99` exclude web service accounts | +| `iamroot-pwnkit-execve` | gnome-software, polkit's own re-exec | Correlate by parent process; pkexec via gnome dbus is benign | +| `iamroot-nf-tables-userns` | docker rootless, podman, snap confined apps | Whitelist known userns-using service GIDs | +| `iamroot-overlayfs` | docker / containerd mounting overlayfs as root | The rule is intended for unprivileged-userns overlayfs mounts; add `-F auid>=1000` | + +## Pre-patch quarantine pattern + +If a CVE is in active exploitation and you can't patch immediately: + +```bash +# Stage 1: detect +sudo iamroot --scan --json | jq '.modules[] | select(.cve == "CVE-XXXX")' + +# Stage 2: mitigate (where supported) +sudo iamroot --mitigate + +# Stage 3: monitor — auditd rules already deployed +sudo ausearch -k 
'iamroot-*' -ts today | grep + +# Stage 4: contain — temporarily restrict the trigger surface +# e.g., for nf_tables CVE-2024-1086: +echo 0 | sudo tee /proc/sys/kernel/unprivileged_userns_clone +# OR +sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1 + +# Stage 5: alert +# When auditd or sigma rule fires, page on-call +``` + +## Maintenance contract + +When IAMROOT ships a new module: + +1. CI test passes on at least one vulnerable + patched kernel pair +2. Detection rules ship alongside (auditd + sigma minimum) +3. CVES.md row added with patch status +4. NOTICE.md credits original researcher +5. ROADMAP.md updated + +Treat these as the SLA for any blue-team-facing deliverable. + +## When you find a new false positive + +File an issue at https://github.com/KaraZajac/IAMROOT/issues with: +- The exact ausearch line that fired +- The legitimate process that produced it +- Distro / kernel version + +Most false-positive fixes are a `-F` filter on the embedded rule — +small, mergeable. 
diff --git a/iamroot b/iamroot new file mode 100755 index 0000000000000000000000000000000000000000..bb95bc8efee52368863862a03594a30756e8a3cd GIT binary patch literal 141584 zcmeFadwdkd@;BTY5{X>g1wqk+5_R-|pk|dQpnFVY(TOgK61<@Th6Iq1FG;#b#+yB&FoWyd^aaJ9L)N(VgF#DT>p?rx_QBMQG!*3rL%tQESAnvSPymv zV=R#YYhB)=U2P<8{Y^H@0mgkZ&Fis$yPM^#zg7?N7x%^cq+B7dSbv#I(zq`PUsKIH zWB$(CEOG0v{XS~XW%eNE@4_|mKI^ajKJcb|i@Y!P@79j;KG#)df6RV@%eb%cM|t1B z{WZH`{k8asKH~o&CO>2UrkKrGe`D_}H1CW3tC;s$e=Xiy?M?k!b}06*)sFSox^L(& z{?Y#{{TyQ6cj!IYUhH4L*?{%eYVXcp{G-9o|F<7=8rWTCd$IFo(S;@ht-t29P`juD zvUbbu!&pKYi=Z#|>s=Tl`N#DohlZTy`*s|7poj05yR-M*UNbM}>Z|g`J$!B7tMW!) zkvA^Cr1Xl?e%D@cZQm=43$DDH?#nmpqj4p@$;uov+W;$Mj1@D+dR{QS`!_ioCgctq z<+}F$yEpd#E!_R%w~luHPdvy;VC=67JQoLlnEiG6V#i zuiIVHhDBx2{+Sx5o&|CGxiwCCU!3x;IOF;(4&E&e-Zf6Ux5p_zIZpY3aqxe{>Aw-D z{=7KlKZ%2v#i{2=oc>%Mr=G5H@H^tv|7{%nt~m8{jUzuiPCqY+Q-4Mr{Jl7MU7Y@$ z7pMHJIOXTZ>F1F+^{k46KN|HX zaq9mf4!$N%Js-zuH!)6mJr3S64&D$4e(5Nah&oqfalO4+rAlB2N8-;*{?m2TzNGH^-^J)WKLM_BU4ci?nbpzvA))#xAxS zT;|8gWcl)#@^>=EE@J1fji%pY+2M!H`Xe#rpEB{eF*wT|ljARD#X0_o50~V!V*luI z`Jjpmvd0$``dRka2?e8BVNtd}kL4B==Hy@7mlfs|6%`b*Vt-M7cHv_zJFg&n{D?6* ze*d@$Ic!}1wWCIlE*gJ=i0t#s3?1E5i7~h8<#(x<>uy< z6pv*S#uxi@CKO)Vmrcl-Fri>#4*kuUzzPfU^4N$GeoEY2@18kg_S zWx2)vQT}WDf*YlyM&ypmAC))m@f=ocUM}|2+!R7KSjmKfl6>kY#$W6&l9Dn;vMF13 zc2stDPNARW7C)As&2nYWC*({h&hf_#yd;l}D_a*B%b3oyH*{NoDpAtdM{ zYA7i5kH{;?AHxdA71C|_xDNwC-C#5P%WK&!zRa5jj=1{DYogz-?ic;)?i>AjO-ljy zby2kCdRi2_rUksFrK+p1Ok*Q5vj&eCol}%EW?Zp9rzmUiz`TO|oUBm~=V2^kCKTkG zQ$Io${mX)ku>{tJC9njRNdMxSgC#{#(D?5R);9Xx!dm_&N59LuTCV)3Zw|V8CjI;G z_n{Bgf9;~*EX4j7t;@PBw0-oOg~*SCwPV+|iH4cj+2h7_WUM_)H?gTNymSU*?bxj* zJ(K7&*)Ws-nCN6S(xhJ|x-A=T(p{*&GuT9v?n-nLD>Lb3R6dbSGwBMV+pt+CU2^`o zGchA`&3KX(FR}K8LuOoYwiy?*@TDd`HwK?<#@iOg;2{%V8iR*TydnlKH}Oae{><5O z-&z}kPc!k2G5C{RWcjTz_+uvC7=uqWakjPf{@DKlla9fMjFq@6248lb#Jk1dv(54; zG5Bj2%JMy9@Qr5q)EGR^EZ;8%PaY@h85x6*GRu#R!HZ11Fa~cl>nV-Frh0bxF$hcrrjVGN$~vTS#044yty;*Bx*472|{27k-M z55?dk&2b%z!7VbrxA?F$ z2DkXo7=uSFd5FO`Sn?2q_cOqzNmQRks 
zQ}#&x=8DA)iKoQijXz1eXAC}aj%+VA2A}&ci4Tdv(_fSL$QV4=9Pii|{GTRX7=v$o zRMt}(gIo2K#o#VDqL7Ceyc~`z&f#M4)PoXV8iSXa{cnuH*IM%!gRe}H?H-E3zcKM+ zG5F6W&VG>hS$e+S#FJz2?IxZQgTHF_r)Lbl-z=XRgSWj%w%0EPKV+6qkHJrw_{bRi zQ4=2+t{9w|c+VJoujOMGMuzSJDo*ciOhl7|?aJuB-ejlr#Y z%3|izxi);E4ew^dm)h|2Y< zv_2^|{O=ZsTo)VO(}t(o@Lo2&pAEmdYeBm?JhFd9V_!Qc3HzD#p!+VHtH z{5l)H(1!Q3;Y)3Je;Zz5!w1;#hz&=MkM&t=!*8%a$iEHu*zm13{6-tzXv3}CM0~gn z&#;w0WW#T=;m2$^a%!TV-7WI(je?9N+weg)+-1XWw&C4u_$@X(#fGakyr&J%wBe~X z{8k&@&xYS-!_#dz&i1X3YQqOxAnZdMe!C67*M{F=!$;ciAvS!h4aXUv^(nOBcUd6x zzYQO1!^>=VmJOe3!-v`MavOfP4WDhp@3G-?ZTP)5e4!1$&xS9x;rH9{3L8G$hDU7p z12%lE4S&#vZ?xeL+3>A4e1r{ewBaLdIJe=WZ1^D?j$A+MbIgWkTOdBB-3$GnW5bhe zc&-h1*>Ie_Tc2(=e5?h+{;}cXY^$Iyz*L_QeMdCN5q7frB}Fq%(0TXj+*@qYy$|S_K-L zpRtkXO3-k1j0n*mfrg7?EG2poXt*}UT%z9s4R^{YC;Ao8aB++>qGy1HS}_WVo(38& zjWLqwr$NJ&F@_NRIB2+*Mmo_&pyAROsYE{l8m^3yLiEF+;lda$qVER{*TrB&-vt^j zi*e{Q#(OJhxGF{?(KmsHi(+gfdH`s+CPswlt3kshF_sd2IcT^d#$2K=1`QX)C@1=S z&~QDBGNL$#-URf{}-U)Dj1DKSAm9$U~DA15;R-`BSQ2?py3i2 zONm|t8m@pbm*}@Z!v!$PiGBq%On;+{=oz44@*9OjPXi58-xx{s)1YDE8$*bG95hUO zBc13X&@kzZRH7dN4O8AoA^Ks^FyRds(f5Of>25Hh?*a{z-8giT<{vanb)%8!n?S=v zH#QPI05nW9 z1vE@zqm1YopkWFdg+xyS4HMWHN%Yg8Vfq?Fh<+S2OkN|M=pxWCb&XV_9{~*$*GM7y zVbCyb4Hwb(gN8|KFrx1Q4O7-Qbe!fNG)!2dk?5O1!*n$^5|RjZmI3m*}@Z!(=qdiGBq%Ohu!N=oz44A{vE6PXmn& z$QViV`R_VdZh3UW`X7E&-NW}X#)GGYFt)tM0JJq2^XaRUvaXEr@u!7Q^`KJLkug>C zD#^wl5h`_@+e!_>?LR~qdxZJ)q@Qs~JMGg%#xP&lr*u>Gj^A>|+!0mpx{))+zoS|` z>+$`}(?YCy3cl!7f1)jqhclM33R@~aa7qZ{s|aJx9zhye#yuH#`}DNh#SWG+%%@+G zw2iThET4X9(;W^rOglAH)eftH{r&jB#pvE7Md6vBFvh)=jB!!L7++M!7!R#ytlq0o zq@&KOTm^!{SM^?n!enZ_SE0CJy;q^QoU=z6Ixtu}=F@)lY5P=dr`F8B`csI&G2sm2 z*eq~t?4#|qs?6*zGkuQTVz(MTTMc`#o>V>U#eEn*_ni0(rkjlOA-s;6DD zmAKk#D;4|XPay`mg&L^o=hco4e=y^Lj0ZCw${11Y-lSzIE~7*Up@x%oE^$x?VP43| zc|cyMH7~#pkrxKa3roxkFhJym%jJa^mryq!*#f*Cm%8zS<3fZY&fs$>9G--EOdGO= zF@Cps0W7gDcyPgEUO3Cqa-kP4DDpz6Adwi~jSQj>P76`zReC#&x8=7h9mX8_?FxtS zg8X)sL-Q(KjDV#2IE=?m3*nBSgGT;oAuw}fevOg@9XJ?SCP9YPEvJPDOj2BDID_{k 
zFjh86>BIa_0AbD`9$>^*hcoy?g8Z7~4EozJrUoV{$;=rXpCAX5%vUEfn2F9{xQ#5C z;J+L9wo&ygrMEMfjgop=x9!A4{zf8W8Ct!OW_FXT!pc*ax{d=EJ6Pp!Z5UgP&a1ko z^BoSxA3Pz1ku9jZU6?a;f|~Al4hqj@Ermk|7~|0A#s{Z_;78h;qf)h6XXtlgzGv4W z2UE2wEV{I}_cO*f9uva7V~|_;^t9639Zc>2qciw76xJGebz87LjwLytRdJ`@^_<%sOpB=5iBGGJjiS+~cU-!eE?n>( zn6;y%t*Up;*bNqX&O(>;v|IL*kf$FLVo?9RgPgvTYM|O-G*$T1De`28&P9 zq}~3mgH=Lwtx2oh%otzzrx3=SvP2$A*r)aS!4AfsfnpS@1!OT*rJL)fzCX{E;M@iL>RcYFJJ7 zg;kd?oZd|hyW9~z09E(@vE*x`{RttUW%#2Bj2WknW1v||Z&gowX_Fl7?G8EGpXplH zCpR%>oI@ve?0IRvgK^`i5PY-{qAux|1rFwT zu-e(9)&0h!LI|@z8CjXy$ziJYhpMNge#6*MRcltYZ@K?>sQ!{ZnPIPz3WadDsx^p> zS~aaV_{XZ=b%fe#>8pC$9~&`I%{)!s-WIp_Yg(h~X^GGVS~LHf?Miyn+nM1miW>H$ zff<@Xy2`y9`^E1<46lG{d@$pIYM-9ebq8Z+;bdE3eIsN1=wTtWt=J_|(!G(frp-P* zX(+yY>C=-g#g{6dp7eKoS>e-@dgIGdpPn=TU*2h%Q`i?7!!ojl4b@JlQ}#n;^VtcE zY1@7JXvL+5J-5D%uGXr0(#V%-B0t;(0Z-hhYE`tOx+6UIFfErJRCFJWYUM7*`0a;< zsDv*i*LAq#srjhFvjG=J{UO8(I2P`RPuqJ~U0m-~=m=B|9dHJxGsXtF4-9f2$!+Ov zZn;l8%JD2z;6#Emh@6~gDWNOxLkQgsxnSnZoum2w<&-%h%B{`g>B+6+Edx|iW zDK+4js;BkY#aN5kVhn4!|5SR(t@dVq+Cci@@H_|OSN;aRrR|*uH6yt5S0cC0bFejt zXz=`Bg$Q_+M2F!g5l&~fYm@f7G6S`arp44hU$}ILaaN0b`@*Fojnk*2^6m?l-fJ9e zp)u2HNcgW)12-~NJK?`l4PUWlo`b2^U$GQ_!k!iL9L#^Cstb1_V<9?Qz5YDxFf za4*f6=U`2<)o{n2R3Snb(F*r&pbGzSSP0wnQ~ODs<~gvurG2bk?{Um?uwthgPGZ#m z#AE2EJ5o*jv7{Sg9_kBUvH2|r8yq^|zr`0$+xV7)WojqgJDNJ@M(YbyJAD0{{D033 z_t}X(BK#!d_Z%YS@Y8TrPwWTA*cGK`ENPcY8aL7h^iSrZLg|#eR4Zvy!N0FJ}uj&>bE7T+IF=bn=td~1Cv#) z*&V4LNVdAFr)~QR`d~k-a)%L@tc4{{w@xzKU~JJRGSP{dOCN;#{4SG8uXnorn|W>oEjTnPRV-5V)+iUz0Z zp7~!AN4FmoLaPl$N*|~sCrVG7`z2#qJ--MnZ3aKz0h0qK6DuI4PH(kV&$ISnxarKj z34Kn~>Mi9?_2nM*Dv3`C=d6e^oOBmk17Cq(xK9Xj7I_!*{xZ)xWa|0bl7OVMVeTWU z?zww6x(1m*8YsUGUBsCBOBNLpi@+dC@!_|avr@}XHAx1!$|fm=ZW2Fd5UJ@@?fNfh z#2oyr4n>?(VSiaw;)zSTAM;zwKbAE)pTipr)QXb)?1KEf09>^X z!o5$`8dhW9)IN7d_#DD^s=B8iiaY@K=pIxWQ?58#?h=&idrAoRrq$rOWc`aK51mut zAm%!oBk+oMyCbX5))-Uk6P3II#+;qJiW7{53=-9iYx^)l|ASfse;xA&A>dhD&VTNd zNlIzXXlLj!?LkmToRolI~i^iDN;Ev=5 
ze2UA#JMDwmYqh-RJ|T|&c;11)FNs<+-@aD}Ii!vF29t`{?G-}SX}_?`QN7#@l^XWI3fU7KP&E%uZ;Wq$=+ zN8xZj_oV}7Np7-sLRy|5uZ8pZeWv!6Put6n86+Y>JZnvRK-$8!$W$TYV?O1U0bP51K5y>h4+Db}7>6MWcSA&g6f z5Mi&PfM0me%OJPVyh=}aD4JL4>yGf#kn5Js*4cx3wd3T&NoK+Hc1JP-^$vbE7a}7d z(o23cKBT26_cK2HXBwvhZt0$(b=ElBoE@FZwZBOD>8Jn2x0UByY!@QYEk<^RrmZr-v%Y~^@b3}61#nxsr^1o&2Cn8&+b~r zhVp$!&5+|1#+d$O0%B53%@+JaOrKT_tMdNLaH67WZB#w!UaEOua^RF>a#wwrQ1vHB zCNi;g@>95{-rHoFPoB4bAdUZ$i&o3cbni}n9fVJ7;5~kVQ--;Qt0nCz-7};X`VEnc zd=bO`bT&-YldeU-)xiFqaF1Lh;Sjr!n0zOqwV@;aOf~Qirk(O<@E@?K>qC*!T>p5v zS9YlPDwKK2m(m(4h3C;hs|)OTs^lW)@)|Wz)031Z?dRAZT%SS7HGK^Iqu=bf!7=$f zRrhSEp`l&hi7}gqNPA|bjOIR%3B7+e3BV2y9wgAvW!RZlo`t(=l3T}>t?{Vgv~j4L+^wg67NTjDoM-COhV8_|qfW+} zRuZ0Zk2?aNB2)Vcp@iSvM~11|cVy}7o;Rx*gA<+17@sE>&D1$$w@*@BT79Kx%b>55 zecEaM@lO=|NzT;j_?VxB7#un>xk%O19<3&AdsCgauZ!`oAg`f_|6bT9rDs-BH!F5y zs?zR}B~`5rUtkt z++zXA^`;%52<@T zlihnChf0B(WMZY{I9vfQ+Qtcs55cI<`O7DTxWREAjQ8X~(F!tmMYQp`ZN&+(&3Q zh*u4#VUUSC7p&2?Q>2voB~A!2{J|R>84sKn2{fJ#M3Sn>S2-8+w5bDQEfFkheOc>; z+~FzvOFJ;8ku~5+z)cslr@2gwFvdH9m!XKieRzl~w8nyzV2a zw&k$87{>>=I{1S$UtU@Y&ftx7 z&95Y5y!&`cBMeF`$nQxCjyRuFDVXb3lIy%m50>eu%hYN!>ds)k{)e1_Eob0->~~sk zKCO9hul+u4H~)gTR!fG zo9cpu<3x(@rumBaGgbXwhfnt;1S$IV`5MNW&WZY?nc+v1GXwR>*j3KQp0&6E<1X3j z>px%VnZTIy=}bhZLI?aEefk8);QoI&pT32Tz$Pil-1CDFWs{U1%o#iv><&+-n^fJi zV+**hh9&(i4T9#uTHF1-Uh{C&_fWG2Rktq zj5vc2wqdNY%)!`dyueL`SK$jwhWWxvNaXmg1{j%j@BiNmV;jHs4tuQw0+$11GE5l20OQbQFoM={U`))+D_Z;GAuLQ^9qd+cIAuU zs@A}FY!|}7!oslGDq_*x?-=95 zlj$g}8*_%%IT)+J0U}&9tmc+u*r>eGKH}53SKF=XuPUkJvPj0kRl?2^B=%(lP9{48 z*OI?`q$<%F!UNhzsuG-`GZC!a?Qn(;VQbWOljy5j1Ee4IG5##NuTM86u1eK5sJ*tU zp-2VNQhd%qyH#y_X8)Q@=gl>NW693IeyE0Z3lsfkhTCaptw5M!VS>Md^V1vJVk<7Wt@Zea2UH!Qe1`)-A41$U2X?u;1JEriMGV6S8;?C z;Ro6>xepp!r9Z1R@OO6z(e#6Lz7QV7w6+zfAA=2^jquU=E&FALb9q)0o7$zVkpSbd zJj3~^FNx)99onjaNCMarG)@cAw8g9K@@WU%kex<+YpS01ekFDN&6U*kqBDq^T?0oV0y*fYQ-Q8M zS75NGxof8o6v8o1Ac~N&l{nH)ZX?TAS{yOXV9Yp5!%t_G$TWjNFOS~7!nGYT*&%-= zV|>*aXxvythrrM{Uv3e?SbQ2D=@L_Xc4N(G2l>XWv~4;=U!N4hs~xSBC&g)pVHtkB 
zl`s`?&d`S^h2ZY(LafH2A%#St60lR?Y!eL!wh3WXa2EQmd%6K1zSY9Xrnm-q61P~G zkFcwOU9;6xPG%(%ylKjF>IV~mBwF-lepG0s{)zg|QsMq)7`X{u#d3ID;lLv>r<5yIo z>)1~j<3oQCf4amq99LBb3zhG=Mg%6>Hw@sT!g^+zk|*ao^);_){es=Hu6Aoatt1<4uW zAO9`{G%?x7VVI5KJS1FrzM!u7^t99psE2*na`0A5SY1cm5q|4-YtP4lJo0wZNeLOM zwoj{vX+0Lx(4YH<^U2>4KW^DU%61xALQuAsB_fi&`5gsnEO~qjnEst9k3pOi9ZM=1fgKcAUffJ$ zUN297OKc20bDLz~V?*5$(n7HJ`OwW$|B(oLp1~$8^&ifrx16@(XCy#($VwX%7?b(} zR=wP>NckcLq}B7KXsCf}-$S5{*(g(9=GitChuT?#wVGk7_7yxQ{{U6{l|=p!dVby( zjB_{Er`Eumunx7I(m{LZdk_tnC*!Rxs87{?qdTi{XT$eGG}YJ~&fIbtPag&cg`(UY zwo0=Q-YlJP!Y!kCx=-7~FZ|w$q;LL?tmVlgP&@n?JxfXSX?uOTSLp!f>r-qXeOyRK zN<@SJPLBCkdhZW^iy3KCazWUuB!(g-U13J5Q)5AuO$j{ zX`H>5DNE_^DkXwPWIY9#3N@TG=2-{xw^hSQuRjYLbGm|;hk}s{r>u+Jcb+l(zw?>@VgKLx zg!(_{6I=i9gZ}$J(0^nZ5~H<0)v)K1XONmg3`WpM@9Lti!E)Bq&XoP5sX%xLe1`t% z#+M)s$L#F?W_fAd-{MeAf5$BYD`kHlUPk=D-{+4;34@voWHfYMnYVx7} z2lD;a$0Q#weQcAD{h^pp~fh3 zc}tzSvq=XW2}If^A*iUTHDn;*KNZD85r3OH#;6$F;D!u}`tjkLgwO_A=e%BxTbr19 z{yj|9)8?#!8;YaU?>{mlAyf7vi-LdkjjZ|+A4M)y?I*tIYjm#Gv}a+T(@w56@D#J~ zC91X$mXg-M2XCMuZY#T?PfE$RD=7|n2ISDa1F@qkQP-3jG$r#@G9IjU?`YcJVh^i< z{oVMMZ&6F>Z6z1AI*~NnD;eMxJaL0OPlAu%!M%yji=>{Nwn?5Bb$Ci3uo0-~CeQ!r zn>_xh{|Yx#yi~>`S|XU*303#heL!)$g|w>rDqwGxlFS=v{+v^{kT&!qgs0W=FE+^? 
z1aFx3g-0vtnffHf!P|U82hC*ny+QN58$pvg{>9hUF=^S?6kBpWhYe@2V?QRbE>U6p zx(&qg!Tof6CM+UF9H8%)Nu3D{JyssQOq5!ohWz z=v!(po~hNSfn&}`UsA&z6jkGLzxMUwKJ6$;fvP!FYy|ZQl(OwRB6{NB@^z|_12DkF}fEx zl^}%xhwP*eLr0v!lQ{IDM5j#c6oqYveFk%sYHzjSGF5-@kg9vOeqb8tnc7a??JFUg zE|L8n=v?kkgELV@B@m?M$JPsx+5e!w`{4e2if|IUq~+QV@>VB0p8)T_GZ z)(;rty}yK=H^}Ad|4VVQs?{0;5Zs|GgJ=@9EgvIem{*HX@Y=annqa3?{i)=ks`jlK zs7^+NwEmW3$;`pDTTb!~XicAV0n`9IwAG*kHOaT?iI+${6Kk&wQ?=8G%A6Xi>YiuU z(z?QLFYs^C&#>p@WC!DWQBAljUg}HPFRHee_yHw%HzLQ{Py7;;4@FAOZTh=yhRW*_ z+t7n+oz(z$IG1;6Q+B+ae_z@0j{aXvgK-fp4@kk38njG;0R0F8c`)`am(vl3?m4*# z`NDq)p$`#(^(bN#DqPg`CAC%CTz8d>GBDXEF|2$9+Kxhjd%=nY{G?WRj8YNynoM2yfrE zR%-O5vVN?j6S{8(o1^Df&F>@M5XC4Z%NfL>C<0}LUy@?^Qq`{*jN@ainZI|Gyog_y zp#S_0P{=>xvm~BhPx!NhL-OC2z(jfZYkAw)=;bwM1PnsT(A9 zg`{#N)k9LVCDln%Rg!8Wsoy2_2a;^5r%m`4s7Y3J&s|F(4F>GHmUx!#Vec}=HzTF8 zUQZW+W2YXyfQP^y-SaqX8hG+Q!ln)PGw>V-U$_=!o3=y045f6PDf{s<6aE1)u(Y>U zt!jHJ0crL8i*@pxTx;M@NtH|&wj#$Movnn=(6p~b;s57vaCW;Ip}aMCvQDez%b+JIr{$YAGQFb$S1J*r)f#f01sxL<2Xl4`Dma2x zb?GXo^+Dw$#@MKwQKOxmrYmbHHKd^9o=Y5b4G}zia1Hi;uCsX^>VQP$YC-94begW< z0H4D0sPI$sCVa=wZQxlxKKctxO7l8ITYFMC*{ckpqy@?g&!~XDh9{P;YIQzM!20b8 zuOtPIkLCUNlyrVRvK_QP$xVg<63QB|{YEIt#qY z5M0@afRa}k3DzOI2p>&yQ4J@py$G}7RaElW>VxF<;e+qceiTou4=M;oQEa|mP7$5} z!gowBj_mLqQ%krer_*c^Rbz%R+x(3h(lySh_;nYgh`ety`E|0py-K%mmf|1eUguti zIDgNK3PeU=7I~E+{36_~RjYwxDbCQ(7}+GHkP5qx$dX=dA3sq|=cI)=oV&4(zWe#L zby(CVQk+5j9#2O228Cy@6M{rVMp3+Ul#c|d0ly(|*vu2^V2AM&wXFhLbpDAIWSPww zBWPXnfoQiM@30P?gla2)ACp$)j&S~~5KVQ`9-y}ON^Q|;Axa>=RQIcF^EpUXGk>;L zh^ATc{1|=xbZx7?7SfqJ`ug0jaYP;-IB|}1RwP*EZ-=we$l%bC(zdkWxOZe|-4)|?M15Lx znv5TQT@6)liytmb!TDb^bgp0Nj;LWbzUd8;-EB zVo9~3s&uUZ3-%6Da}Zmsf?Q`oQr8}GsoW$rn^(CPsFP5+Sn7lma4_p6=C*@u&7vL%1y*Gn_6uPMIX2zHKgaX5NGsMo-6fYEJRk%a zQC56CW0*UVku{8h6LYJiOV*E{(S-A-HMFRLe^L^zR?QEsmfKD67A%Z#ind+VJ^S90 zBYr?hK?HX_<*^|+scl0pW%S?y{yQjn`tV1yJbge6MIJ%ZW4qdRV&3zR#-~veJxZnR zR0GEoouQ=;ler_n+!@4NRrhG1f)=$H)I^K=1=Luih`F}^|Sv>^6N zikFy&B5;CL-E$q~F{%0mm%f4X14@a+F!ZkHy#tTX~Zl;ryJf%IQbZZUuUWHx)=+h3?c@-z)UDsfPJ(lPU;dx1|f!C}S 
zV#*|?eQIiIsx!o8|C&jUgY8}SVe#+fgK=Ld;_nh3LgzlZXV#k}^?eN?(t`(_p}QT3 zJRkWd(xK(Un7X+i@bo4j=={0qyy*H-b2Ki08N8s|+GQ;s2xe9|#LNtAoTh52Cq;;WyY1rnqx!^3edB;8>n%=jb8`3>@ zLMrwnUlC6un>fyYKeLWaN3`Io?#V>?RVY8G75*@0e!d|@(>nfRCAGdFA|-^{h5-@6 zuCn*sj_;A?+MfTvFXb;+;WSdAB~V6{>{z?e!QDDESJ zLlp_E)6AzBb09a{r*xNh!l+Ee3MY%a-mBmzj~MS=3D$a*)JmAwIJT=(5mY_=nd|}1 zXnAfW&Z9>wBPr`y)w_0o1L^fXZLd4R`>&L;ov}g)${8Vebro*>>@#z>E`12kP5PB| zYR0QItKp>dbMWMxS4qzdpMk$B->{07mCK)w9kXyH{0=_OtbbPpP1%$haLBf6lALP| zJY%I0O*>7wgH?j|hOEFg=hd32T{;QkW6f4dUO_9jerE1<@Ol88w_0wq7~82;(HxgY zXs-A2`ztV9oN`C_PP&Xd>#4Iy=q4#W`MOGQuCypTN$FXMUnW`ImX5P|WEJhjeF$_% z2Ep^6`A$zQSZtU)0Zi5YI_UA3m@WX2wx| zJ^dB@no1#z<)J4`ARwcU82mTzsr=R^mmmKLEYG#>GUYs%$I68 zR;05oI$sScDb$Y!JY&D6<-7$eryI{&4nM4cKkzAWm!f+Z$8dWz&)I`z468^j#TkcB zzjVSJdW1^9puP*vs>XN0i!ySxLNCqVrD1CD)EmyvU+vp=`U2>Q;JNoj}Z~FZ${D|i^+GCp*6_k5mlR{q-a@6cRqE6 zln}fKSmx#Ge&t53UaO{{MV(iu?hID9p-@0~ zl3`W%e7hQ%({;|}Yu%9y_xGAl=`+Z=yv~a_317a8#5Woc;%`@4;=8g9W8^PEqqsL| z&4}9|FoDbp3Q$xOkIx=gI5wvUp@13W>7Q0BavG)?rfei_$f8Z^DaO^wCNobhORa)4YmL4JY|s6pKlBb?SUJ zB(D^@D;?j4;M)*YdqDBxKE!bF@oDpEtiUi7*q6{Cg$SOQ^~<=6SGm`U@ZdNeH-HDY zh!qB2^T8jR+HVXr^&Owk5>`JE0^t)?_YC`t_Wayk`{?*RVeRy{cEDOXx z`Hl~%pYx$=!+z)q&t8SR&3wJmrV@%x=Z@DnGbk%S)( zRdvsrmx*DYn5m}8cza8VPdm4={rcTYT$D|#xnIPg#)}wcYjLQXKpjjHa#=rQz?WQ#gn5}VD3B0H!b{JbkVPG}hbhw^+4^{q zM!l*TeC}?^QaWhaL2r{u^yydJw-U>lsmOecSY4b2Pj2uC+`|fee8tWTkbdgQ@kBP_v}S!ylg2K$#!opB`p+0+N@U3 z?~;6U20J0~E!-1ICIv|}-LS@7K5Z8cR3`0`JX%Js8Io!!(}_gm7<$AvYJwT+AEg^dMgoXIC%4|NL3ji`Ph@ou7Y^bd7^a-KpwnU%X19-f0G&U-|(1 z=|K`_B;C!#`&K?MlgY08(oAlIUrJBL&MzmK-0%_9DjrFkO0UGAU?F_Vx1qPBZ;2nQ z@I`$~ueSH!oXZMuikwS0gI;Yf&s}QwF7xG>DHn4yc=G8EA%Z)c!M-#&JU@1U0>h`KA1|rgQE7W-lcAE&Ji$yiGdKlfAkO zMRuX_SbtOcqm?fbyVjVQ!CuDr;U(0cRUc7*roU+QXAa6#*xSFh9P_zD2;+%Xeq-Q8 ztbgEmVUp#4BB8Tj1vNJW*Lu@6;;QQdA&kEvb~^DVT1r={x@V;W11FUR}<|AEBnN!pn!+ zJ7nq#{~i(PDq70HO(k1Z-LrWHHKcDBqKVF3b3@rm+P zCxH`5{@Z9ve5Haodi^#zg1{mnjQ(;fg*;|2B6;kCwWxavqU)pmHasy9EoTjF^ZV9T zcmR^2?XldQCSn+#q)jt 
zq7v_)Rh{#yimyV|!&{#3z_};}9vy4An>7Lib1(u~&#q6Y{_WqHTFSz|Sx$Hr@HV8)WO+m4i@qZ}>l(;2 zv{Z|3fPTuj$Gu4&EM;mZDQOrldx{31=yeeb&8gXFih@?%5?sRMWgT`FB+bimFs&X( zIYTG`*bFk&dlmXwntHD?q#f%t6P_$t@boD6>UV^w#JhHV8V;DBUo2$+KVFSWI><^W z!lgA>F|H02;|jbZ%i?#JtVjbr?Rk7j)RoD?W^Pqq&s|I8E%ai#aMHFmP_Jgto5I{U zKTn14l3KBT{rdH}&isfwlItvt&@lUPu_zk-nND4tq`3ILg|gO<92CFkBI8;qrr|qD zp(piwqJCbmh&J+W&d{Z_Gv_IV;Vh*K)Nx^Ks0R;5@hcb54K8PJ5~6?&Z<7vMh^<8T zloGrC;EPgX!;ZR8O5@#8)RFb zO}E~e6=h; z{T(5UF)jNwZ<85LH#SDenxl_=EqL#zLB_WPcxiovf3| zI`@Pv-Zg9z!Wi0W4Px5dIKVgKe6Z(njNf-Y)t2hNm>ctm10TIh9D6rf+Y6{I2|+we z{m=#G)ZeY{dM;QXr>E-zD-4D=s@m;&yq0Oo{*k8j z@R|d*!d_>uLkj0=c$JP+AI#jxOuJ#EWjAQQ#4{Z_%|{oc=^)Qd_;YVd;{c)7 z8Shv-Xc9RLFc3yY4TSk`+i%{93Aod`ng8ANX}_oNp-R;ad?#v(e?l&-UrDK?x5Cu( zd)@{Y_R{mrZ(~#5%Y$#hT-!0(uLe%EnS7r+(sZefD=j)y)rUCLKqN`+Up?s>Rogga zQeq0ud`k9c)nsd4A}vA%ImuIMz(?~S<3tOWVZNvfy|m4atvSZ#SjRs znK!+Os5YMG{us}*P-gUA{vFV@eD#|oD$l+{qVf`6L_^0Txf_LOdY9}`cSJj}0s#j1 zCK*-ESb@A?Jnzv>T8P^O`ZEdVW`4zWSY1q(VFi?{Ti|;tDQ|o$%ymwTAOQ9|st6}N zcUs0~u;p4Y8fgavl?Q0|C`g)y>b0Qag``wuKb%crF(8G6q_A^kjHgpjNi=sH1jw)z zRd$*QE(8_0X~^7Z$I8m;y~@~~@2wtL=T-8qHZyVhc4n+jCgPNtnK*f@3*t+84&?GA zP&kR+AuPjAIIE;ycM2-k;H(W{Iy4egu!AnKa7yMGOTG5?; zUcJ*yAoz_qwF1{&3=b<#QqIyEauHfg#3Kud&>SwD)=;dV-mB0rmhm!@xk%}7Y$3}O zSF&jhYYqInH%J{gC*PPGSfzAHW-Ng`h7xyp6~%!=!hhM(2ChSVbBA?!Eg4`wI5Iur@QeelAVsXt&M$t8A7L6Sn9 z+P{`UZmQFFh#!>B*HZ|ssJiEk4{7LQDQBAhI@fXm|0L_q=HGr3q=I5SUXtBPzpLb1 z+>MmUUAT%Jh4!7ZU#F$|!#tX>Yo4(tY^7{0h{nJwV|uIl_>R};zWMULpF-Asf%QT( zeO1nHJ1&Hl^zK~_7C0vSZPnREN1Vk(R^uliU{5b)jGyt95ETIGlb*QCK|ge7>_I!_ zt>QOZmYVUK1z!lkcfC%Wx8gT5UME@kFY%jIU(5OVtN2YnaOJiy{yKiM68(G#6R3Nd zDYuSOB%m@Xhv$%woa4sfb!432JI0I;v@wa<4?S1 zI*LUr%peYSVmDrk(lD83^~^V;JI4q#6b<4uz8MYTAame92XPLAT@=K@Q9gn=Z@z91 z;%I19KA!J+6l4EwoebjKL4!jOXEw2cZ$pZm?h((n3gQIbgg-M!>VI@h_dNZSB^-f#_DN_E|$tSzvFJB|Oa&j(pWjz)fDWn}J z(<**5aWZ4PW}O+o;m2R0F;vSNCze?^zJ(GVGTWqoGj9rGd^%9PyWAe%dHx;hP9d(f zr)$LU)YpVCP9SUNCDKq7-`OF{2G?4P`xu_JCVp4EPu287H8nE6^NY+$sly;BzC-Uz 
zxpGQ0KHQHV|5s}riumxA^dtjsKqF>+xFst?`lsgWy2ypOZmxCO^oL9mj%f8O@Dmac z5cys=Y{5?JEpxee+7Nou_LjLzUPa71L#yHaUln3d=x1jLrzf#Gc>NnzQ#hZubg;Gu z=UQEqr~-z|MGCkb-}f5SKxvT@&2xUa={qxin{rWMn|J#hpAx3><5?3S5(^a#uuuj1mKIdb>G zdkL{q75;ZK_ws+WSgQUMzW5bs$6Yepl7%TXXxogC@$f4xCh+r^L%gSPgN%UC;A~UvJ+aJ+kA42CjE}8& z)r^nf<-jfRvGd=f)$li@5^H;T_RC1iYw^DZzD)Dg0V-DaJP}nrO~|6fTOH(lK~!Mf zFPjrps(9Njc$sRM<7@vFHOHUCV$$~VKVBkp-1*!(6oyIu5BHI#&Nz>|8OeT0YX8HN zdaGL9lu3PIey5h~p)iiV1o4zQD@=x85HkCLXv?R#I<1D{Yb6w>+snf*SrN2soHyZl zJ5~35C!frCof7!0@R|J)W=gs3QBV6%=sJ=P&x1k6_~LquF73I=v<*$0jQ6RideY;d zor4a!BfM9g5cGUWFjA7P>S?z=NkwP8P5f>Te(Rq3vI9TL48rdv)m&@#)qIMN^kQ0q zy#FqF|ChBwkXA7@4BtLSCWbnv;^Aigx7kAQ<%?v;>nIL3?KZ^0`Vfn<-eZivQzZo7 zWRHUt>3Bbc%+XyTb03SOd@PpK5=p%#shyH~o>;Bwo&^hVzJ%UGv6#IlJ!p%k^`1lw zXa@m$--@U49WzPJ=3^P@o~}!*?V-9#2%|YVzj*JHWYQvB_#PLchg>b+%3H_3(3@8A zFZ^&9U-*h#^zaevv9H*~Dl6uN*Y{9PvlZ-uYNj7w79U*)s2dlBcNGy3$uigT&_+}Ws+ z-sFS06XlolgqLJx_<{KFB&EBIbEQV(Tr!u8;#|+ZOtwxpXXpYH&aw)-yfK+WTAt$K znJ-dlmor!ZZXcgP6I?x;Ciun2tqFeXa|&>Dooh{4#FjEFlHqSKU zTi46-iL!iMwEI6rsNN+rW8z!wW%w3jAYv-y~V@eUDk=8y>+qcXXZL_Y~~$Cx|KHPs?7QN$KgokdKo!T`g4%(LDHA(X-7~Tf@28fJbv$WCB+_K5?`0|2p?#u#|?N_bi3Gd*+2jqj?T`2^A;W=VU(2)5cH_5ql29duPHyg#zOO*U~SRoaFPOK!ym)LgWJ2-E}4CtQmlG8s(YHb1HRaLTW zh!sMyORG(}v4tC^LOtr9A5lIhJ7#c69Ow_xM2tl4&jDg zGGG1?FjV)HKiVqX(B%ao_#I)AnQrKq?m4@_n){Rp(=M&`F&NK6gRnM9)ih=Dt9q zT2avwZzz#z9(Q99E%Aoch0%C}%BN|qbs*vmMm-3ha2b#Ab+9O z%d-(I<2MVk_A5fiv5pJ{6WcQjIY(KSc9IHTPX8$x=gh&8GlHeYU;rg^Q`zo z#&j8f=s*20;}0`r=xq)XNVUEEr)PvPu8qbOc=a=K{ZFTPzO=}ixAC6{K|lD@I{wf% z9M!UTeh$GoH< zXIS^t6~m3?oj--bSM{{R6KKo&GM}+b=b+#5BX4}xC+6d4$OA)P)4r0W)=glHKl+If zya@M4N^Vy5wAp!7L*q=+U-w~#bk8RFAX{&lP?#uZ&jVJ_&!WWq&I+}m%6euax$^8! 
z7FxQVvN5)`P?-wnT8|ZKu5p5h3taQ^N`Q6ObGsnWO(p*`q@cU zPkVYiabpv9)xjun@4uv-a1$NGAawsGW4yD>Y%G?HQI-i|>?UPGdI--yN(MqcjN^30 zOU|^FZ`6J~4QSuTLeLKhP(0KfDZ6oi|IFz77|Wh=48SjNwAj;SH>UoF>-2j}ct+cN z+FaHCpqI7dcXc8`>8O|7@6(H2us=HZ^h@8%W43?_eyw63HfgPamj__tI7)ish5Txu zIzbK8I;IX1zW#?xwm<-AZ?YV7GtVhd8Y0nD zcQI50pJt;bls8lGYcc855qyDPRrt?p{iPew&%mercZ(!{>JWOWjGX!O_d6(r$|Ew zrn&aa-0^nPmQy9yzdx4wD8(%=c{4jsD<<-FiSDeKi%+Qh-tlOtBIU90vhxLvj!w`2hJma9SamxQ@IrYo0Hw>?#Pr+%( z&-&q?K;Xt7Kun1r)?LGYH{42a$6b>A2NqW_Cig1|I5D6TDSyU+VfRI_^e|S2x2+Y7 z!-O}-5V;<$E%R{H{%m&?eO4D54~ZG;m-Ccc(dGk zV|FkMKM9Q7xSm$nwQJ9*i1E3jv5XZji7CuwQgmPL2}v0}XJq2ivA55W#@;-?`cdy8 zWfbv9)%)~sj2K3saBt+3jKz2E>-wbW+Wz>djK%$92d4Y)fdVz0dntDy9?0E9vn3fB zFoR{l6A$F>b1$r*rD>>O44M%A3q#@nUwy?VrAO=A>j_lADq4sZ&u zh{JajDQhTKX?nY8~&G z>u+2SP36&1I3}DvoiSQIa*)U!mF{j0wXDYfv89v&Cttq)NdVUE?mGCzU>%z%<;8uJ zeFo()Wy&Lmp`agniGK@L8XZLa=7i=+%9o%1B<6CHdoe0vs6_8k8$bsi9^~XbFzjx{ zh6rC7+$n47udu0B1{|CKob+(+J^_LU1mF=m$lXp*j(2ESM12j@M6AD;mofG~e}=w& zr(xVLb}aXxA6CL0znrdrekWq`Xub9I*MdWP)hvYVob4Ue(?B4Umtf=(*RG1GjP3nn zxp_%qICnIVyMwmuz%aobZTztv1Tr^QS~nYb9|`6D04JSRx~K!;7-E#v`0k5B=C-NvmPM={~T|bQ$D~r>Z1BF4xAGi}?JNM%FTD#@? 
z@v!?6Tt@H_3wQ$Vi=fWD1Y4Oezw!^XCs;{5s20X{{W#!mJ0K7M=J)WhJ5a&csSgjk zS647L<-oAJ!$LbakyrxLuDcAaFBA?>2pb{zJbJB(FXBl5k87hvKzZ&kt!1$^t>ypH zA-b*(3YO{KN1AhQHRp84Dk4J?tzy-7f#^^554}{D{We0(X6om?39}U4mHrnKh-Z_k zra7lexhH5vbK5{U#C}Nm^3Avs-Go{FwKquzJ>8#sSYLfD?rwU|a1DQjni7jh{Qy=Z zea{L{aQz_ zk8QJhJqv9LC=>7qaZP~It-$$H*%a5oF@2_#yNO)o@?rPl+=FnH#URJ%hTfd(8XH9i|VpyzFRE&_^|LIUhXHxTAy}} zx%BT18iq-ayrcTeZ4SH)5-Je$TU#;303w8AZX|^RG}OgiM-Nf(Frvj1?zHP8x4My6 z6#v5S5pV&Fa6ouz3L+A44}gRqMi}4^$V0S%ML|I2@s9i^0Yo20*CV6bKdJBUr|r$2 z`2cTWO#dsL#h1!lBgpXwojzgTKtAT4NofuPTWR0V9u)gNYtXVl?Zs6N{r$8F7jL7@ zd%e>FvQG;4%9)!9B4!G=Vg2y|!x-Ozddoz;X`F>ExR)Rk?r6g_3^=rZNfg|Se)|B8MSZ+8o}OYbSE6}wwW5Cb zTZW-Gi71HSPvH)NKYg4reZyRF$;-=>N6>d~C(SPN@1zJS_#VHEeowi^V#5~WDjtM{ zdmkZ;gIffi)8}17KsM7gqT^x%+yXBZd|&EhOz(zcYd+xC!uf6PeyQO5dM6SRCENo* z$5q}@J$r{KdH?MTC~y5bA9DER*01IGwZ{6D!7m@Yq6@zJMd(ef_%&w(?h_L(4Z}Y~ zZbt*=_&R;<07`FjS0VFfbMBRfe+w7N=XS!)mN@Y-fH7P!_PlHut@`L3#{3)nm*d)n zJ4E_`Ca)11J6ea?FOLUu+uW;=uf#^M0sVz7$cz$pOXxx>G~V>GVKn>zspn_o5-dkQ z8^VS1Lsv4^s&AOX*p;2=df5;UHa{>1T^s*jk{0jXBvzN{21&uCm z*oQtiW!x|S(iZ@*G@GmkG}KeXHL+VkOX&OmZ7c&B^mI}U$t^_Q+ zr=O`AMi{0H2dt9*^Q7&)s+sK(KS8{{RPepMi81|vipI9NXX8GYJuXT}VT}hFDMGlw z@dxN}$zQXj^$(){jVj=v@utnTo2YNWdgyahQz;q$tZAJ2f@Pffbq5`SWBt}4z|B+; z8$n%i2k0CieNgY=Cecv#Q@oQ{-u2k@SWPmaKPSH#j zJ2OfNqfGrf;&{J(Ep5s!R6UP${-_t-2>2ECe5zrLJ{cL>KNx3HI zFJe3Ky+M3GmNAU+gQOt#JtAx|XQ8(r!HcvtP3!y#F_oXMv!?Rq*9~L*7L=&@HZ*@4 zJjhfr*12D|j1(v!6@0f0&>S#c=!eLkblOJSzEh=tH-&Onfb%_oti#BMHaw~!@xzOs z22{X@24oJ#yxal3iN0sgC-nPQ>}?PFq`h^fC9voFqfY~p6Ykmi#VN?u)XLu`sF%Hy zh4I_7U>66bAb?$p%e)(tKDj@scyxlOydnVEQb$25(?Ib7GesRe=8Q3f**38c>OVU7Eu>8bM{c}#Nal~)AEI-y4(zYFGf)4Z*wjV1F>#-#9m$>ip2Y|KQ z5&csMgnPf}x_KWZ<9a?g^5S(%q}=1epA~s4hepeW-s75k$?vY^I~M!32|CKpe-`!x zI95XwGyWMuTEdQWBR)O&6+)32i~{-Ldo4TCW?^(P&%5wveNiw>za%fUliHHj-j1{D z8rdSK&lO-3o)qtfagVfAX#7Dt5vDiR6AHNUtHrcmq`T|8nm{cFi-J^Wd}KY9{+=jZ z_f^Btm+laKAn0m`&vh>4IlNE!x)*$Z$IPnWqI$+LM;Nwi2;#2OZ&WHYULb~&5RLyD ze$=L$Bn{;mg8G5;a|iVKec0T_Pm0lSQQ=#+ncOtVZ&JZGo!(1@#xuYh3<-zRn1G&j 
z@ZL7FJZag3kiYO|>i0o7WD|C<{aoSSj>KNtI;b_hqwA#Hv2gB4yS^wXFaYA- z_nICb$fu<@Cy>DwZ?fxhhxPY*4MVy+u&RAsU0t15S`uWg5oENI@;?IdFp0{0i?y@% zk`n}JB1>YM*`u`mL&3e?uVYyRq4#TR;3FFt;)* zJ?a`!DVZKF5z2SCtEBoMm+IG5(WedcDOe{hLB!@rh>VZpxXRSQg2VsWyr22+_hSoT zL;4M_fM)C3k&_6QazpD@@V#09X5QwWtAF{{B0uHNPn`?J+VtjvhHEe0hGTQUJy##1 z7?$Btty#)9E}C1sj(VzoP{F$T&YfGv^wY7%L+>ok?ve71E);`;QvVMW8QNb}yq?F* zGftQOz6uYu0-#Uxi1Ogv=6U8sQkH(xOKwOHA*<0|-mD}A5% zv$fv-4u9@lso=Y*VCLML-$ru!0B#w&P&m_ZaPk0j z=iCf>i%rV=dOuNy9I>wxW2k?vhtS$rRwG_cI4ul+N63)G7yhKjTJ>9q#NG2LT9Y^E zPCZ=Iocpr_-xlt3SCN=`pKYIkaaDgKig}Hj3rZTcJH_?Frcnzkt$z+HN>hv_Zh^$3OB(ic_LT!@c9M>g~Al~r=#3@@$JW-qap2(4P)YFan4{7 z0Zc*F5LoiE>$CqU(sf>e;GvIl~yg)G&V*86J1P}CQ=x)8n+-4aW6Lk z9^qhJn6+e#jup^A&D->5{+LkcA)bQdxx@P3-Xu0_7)BgxSH6ix@}D(~;P78u!%q-7 z#4aGQh<8-Knws|=62FFM_ZoA}aP>nAhxNK{!_e16XnoJ@Ca`+freCkw4#U4Jxj#nq zfL2EJU%~0{sQ%@sVT}L#F`;j#?>FS=`}f870el}4-}NUqQ-62FslRP@e?y-oo%QMZ zB~k3qQT@TqhB4kuwak1t0=S+i;PAYmKO>?O>D%URtQS2E)6KuR zqx#1%)?dQkOMj=6=C>bkO>Vf-8teRh^Je(0n)fgNT9mt822Fx`xG8Lv8@QR4)!$_p z<6$bk95Ca@xURTajO#CEB6LbF>Bx_!Zx!tZ(0{@A26c|}avnN=PuNa=^%+{3R`PE? 
zs&DAD9m$bTz*D{k@^$X0wDSc@e4cww|LbO;-+?oL(#S6*_IHSc!=u>`d!Lkc?ngOt znGtjTv)HOmI8)|tb$?lG$eZ*QWDlP7`YZJHF84RZ*9x&+PYMUjx#HI^ZZ=VN7_j~T zzBxK`(Rh7nD%&m<&R%l~*6`2L&KJl=_5D0H;fVfYax%@HA?@6c_r(2K_od};B@+eI zFyNA6)E4gGZ8L`l1BO(vj2=hzPm7@07M!3@UWsMNo&|me1AH$}!xh~?C$L+e*hKJf z7eO`U{h$;zz{ktsOFk<6f+2sPg>CRT?kM6j|2i6NxNvsne(-OzdVc~YFI<@M;5qPt zDZh7486|=E;m45|&J%tBdsk?@;|%;f+c%0F0k@n3?a{Q>1Le6nW$bRoPB~D%9k&Ec z+rbW$XU`~O9yM(z$O+ryb0VxgN<~@~*VxciF>E_cVg1+?%1?Yf_=H>#Q=?9>`D0 zcU~kFd>x-GV*&5JfNRgsTzh`CDu3o@1NCR#EEQ%f{a6_b)VEE|Jux;hd+hm{u04kW z^=E!gD$F|fqxf>>ZTSt01KwY|_8dj!Rr%9D8>m11dqMA*Klk|9#BBeVJ~QarGrFq& z^qqnF({IafXb5tKOnAhAKK=g&a(AVq47WI+hP4wQS`ILqPODB-5+gOKXBW9e|{M1%nulv{09ggeh-o~Bg&823FqvdqzDP3WTd!jiEX;pgr<&e9cbPZoc_&eaP3&M;D zw?#PhgmXG3vbZ^SER;JiafYRD2ro&vr@Mw5QR(hk+b-FD&)|h$2ZIXppLEZ}N4#g; z8+!ECP}u?L?tA|Fm$`kbH#`u|y)BJB|H-iTZOQfhN2T1O(wII+@;)lLzCVTwzs4rc zk-YnmNxM#e7aU$5UWp>lbmkErpHMu346v3j0JX4;VWnS?k>}R56xGh#l@l}DK}fn51ZFH&z$J7 z<%i<1^~WyzXGe>Mr(>vB;{HK1EB4+IlTu^UdThing5F1PTLf7d4hphDH@pJRhjV&! zPN$W4O!p5xRTe&Nlvd(Z*M>*NKW6KFA-_un-(N>;4{5mCPCtz?edmy2=(lemIdf#2 zu%*8^g4+bWqx!8QCL?mn4UFkGSic(aYry)o7Qe2tem%4T{MrZ>p|SBpmS!Zs!EESW zeD+y|W2jnd{rWn7oooGi9KX&G4ZTodHM9c2Q1G3CG%}<5-{8$!@IAE{_M*Iy6{f?E zU$|4aViX#8-pJTJ=Rrqwzi`qx8ZK1+@m+8?x4Y*|VeB>OKbjF-Ud~o9mOnK&P0BqU z%CDU+MDTF6E)`~-u>vyOftgY@n92`dW*E)+Y0{UavVF}XquF1E3yn>?7~6XXe9in& zOpJn8zu|H#>@p08$J|l9VLkZRmvBGHgSg9T|2nAGpl81XZ7wet`_TkxH_i&`#t*835!vJ*CY-(7x^mT;HHXlQ8vOucnI*4{UGS{c)08w{hFq_F$R zGo>)=dCIW`eUgN7xx@O)>oA)I?&gsfvwN(2d7li^`tILg&7cCZA5{2Kp;7WvD(q?N zNK&8T8g7L8=goFv`Nn{O3ceM)fFH41t>g|JE>w2!favTq|u*hwVR{7!1+db zx&=n>tTW;9JIeu&SW5GbvLE8b0(v2QLGHtgIdJ2|5xNAD(+qOiZ2Xwr+?`f)Dn5Uh z+`grP?|<-%4bfQ`pJw&F9qU%`-7Uub^!0`@ah9boE%LvFF;=2d z+^y%^Xt6ss(7=&`^sF-_FZvEzZK*A6oc6cfi`qLyIu~c599Ib-?_8 zY>I2-7sAlne=${`v%@gP_u6ql$PY^=FkGnIjdMEZdczpM*8Z+fTq^kg%P>CZzdvq| zZ~0Ec7;h7HAgSPcdW1UIyB$}CS#mG*-^gFG3u;FF&(|4-{#Ls{QNZI;!E@FPWO3U! 
zi~s?g5(?ia_^K|3e-IpA3%>j5yy(9YzwT{dOka7UKoake0_%w0ekrv&{8fl%i)he8 z#uV2u^0eu%(`m)%jb+yA9)cHW?x=p2SrO`Z{a7nzOBLbPqW^@B7NSufwkv*Ry9q%( zfa-}IhLs}`c-%WGuG22~K65=|df#^YtG$n#ml440pMwiw?x_BiR_#J8I z3lL;od!|Xb=Z0P`+g1M3)H3GUvwF&|@@c2iUu9D6=&tfN%gdPltxJ&u+_h(A*~lSH z8Xnc=>c2u%+RpuGWa#CxjhkG15EUZir2LGs@-nt}EmH28hj|q1HD{fvycYb~@ThjC z{(C4kL^~wbLSK^ijZHF7NG#Y8Z9_glXG16V-mzI~Y@h9Ib zF)&!=&$P>X%<`^1+fUh5es*~o8+xN`xoeLx&Oe9z*P{KuoMNrSF;TN@SNSVb%h>qD zO($&sF1!3M%<`iBpG+;bzxf-*_J{5AU$fi)9NPcc9VcwR!!F-f(*7n#`!mOi?Yr&r zKD&J{+P~o73EThM6l=aSO4>hmievo$r`Y~}yZoO-Pi4ExA3LRtjj#Ff3ERKbF8@Df zd9glUbF@GD`(pbsyZp6w`&Xm=dvTRY5&ngno3HT==p(NrWbvKXkMUj#sWV?UNY)j_qYk`=zj485gT#XNWZ%cR`P_D!v1KI?E#uf!EFu3=nG5z767t{{`D$HGg- zUDt1=cYpJadSBPS(F(&9<=q)>!&+{0&(=TF0`xSn9yxdJpDu0=yP?(MCXjelyT*@O zpgb>sq>N2`Sl~H-^?~4saosXXr;n;q?j`?{-}_xHzn7wi^e=?Tsx4ifA`CgdP0?oEO`BI_;e zvq;5o^8q00H_Njh8rtS|PjlUjo4p00`0L*o)4#dNFm`O6!u+}YuHk19>bkXzxrUK1 z5>bm|{{=#wa4(nc_H3XBoG^m+mgDme{>u!cgM7M4za?yXAT{9QfBYBNLF*aG&|dBZnbFcAj&NTq#~U^ zSY}ITE83f+{ESba{aQ!+10%>k2`EK95I?)#Zn(45fY6&G|Kl+l`7!M3qif8o96-PG zGsccFMg~!fe(pxQPXajliu~CeV3ec!Z!R$mO5sg@Z(*2$X59;paN-@fk{YgI_)Q?) zJUr?5n49C;1!Eb7T;lwg-qa%1;DfY3xI}v367YUU^_N$JrF?Iy>*h`G8ODxn?lU)F z`LrOx$;f5zktIhel)u)1NzH0SD%`y9Er@8Y;G>WO1dDj&62lm;!W?#^-7l{;jEQ@( zGUStJuFQiZ*)={3ug^WG&<}V=`JUB=G5&u&4fvFH?nil%;u`V3j(Cms5JGfv`}9vqh7rm=B#n%^h99277<4kL zrifLeyeYU%0!vmW0iP| zg4vu)NIr7_NRW49EO{o9o>u zklRPoLe7&gFjBaBpHx^03-O0tH_CVmANeq@`+Ne`rbF;PhPmbg;vTS>4+rMfu~7A! 
z&AI)0eb6v=Tnqg4G=>6iY}hA}zh1v_wP8FQn7f?$-`FoGUo*VBsPvOm+PZKUBEi6X z@C$EZ1!gqA4Gd|xhLOo`$F-+0*YKqXjvKT9=w4Xjq=F9~1^QZm<&R-rv|XMk$V>lX zz%WAjb%6eN-l7A3mkE>WEkTch3PWDnAzI@yafvW z2k&Te?x}F@6{*npRTTarP6QIU>=yA}dEf9`AS$myJZNOV8!C$6dJcgX^)mt_*Zna> z#B1GKj1ld+bqElFyX{w?LMvHv0+cuE>Q#m@em=ce4*Ya3#=Xi~7^&dHdDoYQ3%d-{*voKYs7Uj`tfdzEeUJ)w~U$n_tHeLj=L`E43gx<*#}%toNkC zjF-VieGH>6_>SQ3t0cqFgRcvxD-7d1FETd1zXRwU_lw-k*yi%k0nol3h*p2k49A8e z;)sD1ws2Jmy8iZYxX9Fw`Fg+zW1^;_6*OBN@LG)>9hx>)82!&wfbdg z$wQKBweBB!p)C6~a`{^Fkb0VkR>#5Kd4Ms_a7Q|0qpp!Fh=AZ!4DFw7(H6p8$R2qN zGJTy;c~93T{B$@?{C@~ONC))i{NnIPxqYtTKVY7@!}??7xhYO55*gsUNO|Ael#uqp ztPlEdfxqVm3268m0BtyuY$rJTKiJ0);T!yxO}Ao89xOC&sUz;@`G8?e{K?W^c%P(W zIRdmG<$b?+oq}ODmrI34zc?~`QNGnGFXd-|zu$`+d@Q(n3UIY=mDw*~kEBRb4)qO+ z3D6LKgp}Jo0TXqMl#5<3dmVw=SYl)Y8p9$>2au0=hg4{6LhFqIGqXDKp)|hZ#VLgQ zRQU+GPwjkx!og|-=2}xGH(coOpwQOk9@1}F2^{z=%+kQ__W)=fz~1DJ=tsmJW#>#> z-~cVMXFfdj6o!oWAC-pmGS{9nPucNyh4%c8w`XX7_3zl`2LAgBVWh?jYQ;8Qf`u3v z)n-XM_hVFoZ?g6Qm8LMQ#cSwKziSwN=+(=l+=B?<-yxMfDk0<4#jYDpEn{r>5!W#M zeawbzPG+Bes^2iI?kSi~bY=5MPX5UE*53#NUPap}<(|;>6*#?(*VNE}{jNO;cbR?* z;AUi0tD#%Rm(#|~xc_gA?M3n?Ypa{F8INN#K1qm(QEB+kNckDNQThr;>28$%Za|E6 z3iIQh$1)e)cL;6+2vf?>xE$4-{NZj?Q_%_1whlky8ksBLq*lxXc+5MhpS!{^#;1rc zv&5Iz#g}RLf*hApe#SemF}8P|V^9?U!C7b>B`}WrMajodvdd9&CeG8uO2gQDDYiI2 zv~sjnbr3i@+7`fYIZ`xKg1 zR~p8|&vyGe;8F3#ak9#vUEv`oL3mJva(@wa3re*zaxt+9(_Rm_KQTQ!L&|TOE)6|2 zT^e~Z`zL89Wy_Gvn?y<=T;!jU1n-8pFg=e2&FypT36_!htA2{`CBi*R2pOZGf!rVN z$E9#M(z9+@07`d6UvV)(RcDR(xe`ETVzaMMU3dmkh81xrP1%L+q2t8Aktl=zwBkRT z@t-s@5CD-_w~63i+y;w(k-r%KA~^#7eboFHrysu&UW$JSH{62Z2?lQ0GI8PBFk+si zLgUxY#*mNdyD?-ShjDtpVVY~t@@W_G?8lu;wr6D-F4(+?Yk#}wH0@n#^~Nr3n|b!*|!{**xLLJ&J~zS$bTsB zgzv=|&Mhd9#QlOF8hRU38m|&nR!y!VqsnGfX%;20xka%;D){~zC6+BWjJ;4|NckC4 zUM?Qi-{IrAs1DiBv7N>IFy)4Z#82RAKBfUuL%u3JRJcc z!^pHjYYJd|Z5f^D!?;!&2Y^gDVHkZ4{f#ApfId9z##L#|HT)mc_MPq>WXyT`enxsC zsW7XhTEO-lOG$<#gOPVsSc~eGS((6J2akOzCR=Fy>7A6FV!D2H6Deh;Lj?W%Qdo@M 
zLlM`=K|0QNxpyGBhUh7rdpewZLn_Q#UJd`{rG|0;i!_us^xKwTBCcKg2tN$Fcg(D$KgSijexdO@^VrVGr!Ciw(myd;q8B5JY6R{xcuNbGzSoaJzxQ{EP;3 zpL@rwVzY#oZmYrzL;r3QW-d%+*31|A#LNe3_aZh#Dl}>^f52~j>k^vvToMHJV@=>{ zwz+4X>lz*+VQK-v?O7or;$%rvCI5^zR$`HB0bYY>Chdptg5Z z{|F82sQw8mc*K7nI46D05|WDnhk@Kv4(8IlO zw}&;rr||teABJ&6pIB@d{`<)B_REOV%3lb{Pi!W^+APNMi}e7_$M=&LXm$R4J?fX>&jnxhOxNhN*~VXvVt#u@>!ci=8W&0VFRk4-K3HlELz-n7&(#vg;lB|qcJiAns` zEEuf@P~sfIbH0lvEDExM)DkpYslc zFv}kF%JYovt+(KYG%@F+yVI5m&RzIl7JSOnjEzrSE#x=S@8@Uy2zCF%0aJIP=C7KH zQBdG!0&p#q3XPa2WXDff%sFh+pT|CojB1h4eaU#I7U@dJQtlxs_pAdQ$9E$RlbMc*9r>i{sXJOyV9o5Sg(MdsRleNKphEGmB>wR+Kh{cbAe*$+i z^g^BRKFS@|cdZt>S+G$Es~LK8>U9@FFFS2$oBPZe*Igi-kS~22`FbUk)s_pWyII7g z4ehVP!9;&}pM3#3GcM(QH;>bC=^i4u-*F+bwwm((c}+lr11Z-?4w;q5X9>oi_93nLVE=diIE(PrVQq4U+$RuX$v0 z`?Pi<<&@Lbh97}ePtP6DGm8x)e}(&WeaU-=6=pqi9(_HEiCndaLfS_l;!1^CE1~en`#MDZW1{}5 zMX*E#;mkCGh$SgMqh4ohujE*j=Rwn(7aPWSC5a-Xwz+=5T=+;T?@s@P}tH2KDtc zsW590NHXvH3>9yz7v;7!7H4A08OjmH_I5gE(t{xkU1%7HU<2#2`bZIZ|2ICyv7flS zh8()|`3sBZy5L*#XU4`mR+gOCa`XYsnMDKc!)l##;qm7c4toDR4^#8?&a(rF;k2wj z1$Z18)ds{l4HqgepGUmQ74sOIsHF1_`*`lKzD^v~Y@O-g9yEV*I?o`Sxx@NQ(O&jv z-X|wcH}R5vn(G(RX-3DEK6sz^$%z*n*n#v(RyMz#FYuYjN3ck67ci~4=qB_B7@IOv zANGp(@caO0_8VONn>$i8oe+H|L&!a1Sgv7Qbqtn{OCZ;ld~@BoAZJJ52*rWNK8=Bb z-8o92-E%Hz53yf&xjAyGED;67OJa(e&lNCtr<?Cu(INjTXNyf`u$(q zvvXhHZ@?#W=YH(eM%SKE^NLxLPsCeF*=R92`yK#WqK9e?;{j-|^o#Kq>^^!U{v!V9 z0(4*GH>})_u)Zy(n;`V>_yu}@1r_H~SYLLwFr|H%^fBTFLtJ;eZ#P*GZWL#g*IU6^ zY16)tJFwS<^~*g+kW%Y~tp~|H{#s|=*$qp?Ua0XYAY4C&5@Qe@NP$iEyH7xsy>$w6 zjlkXqg5%oLUPcDNC1qp~bPeM^;Ne5AkxoK(f|&T9C4}>;K*j6Yhma}6PogvMRw z8peH%m?YwdhYz`iUvf~=vxnX+ca41UJ;MMsJ>B(LGwHFw&w>P9W4CM3j}9VUw0^uhtYK746yz=xUJ=5J- zmk(i{x~=Dz@-rSmxmE{${xa?keAa6i4|nKlG3MBT|0G z)hPdINBPImZXV@v_u@TJbdNuRkrcsuw^Z=`;c>>sHSps|DFnR{1vC8X`PcKW=U>mi zo_{_6dj9qN>-pF7ujl{orwpP!V^e}{ZEM@u`gP%!V4HtMILLwUz<_cCBtD*m~+H@urtySejyf&g~nOb>3 zjxzj*SE|mBs;qTqQrWc1VsdiO`Gu-Qvzd&X)L1qdO(o+>QjW1YUYX@yXUVJ*>+Fl9 zov*shSAkGl$K?PJkKgZU@9?h$l|(|0@vcFxD&5IQf>*{^t*k|B 
zQDsYvMbhbnBFA{;HCf&@sL4E@P|_-^?T=(?wZ3$1jon*~ssWV4p_X9h+EuH3Y<*~D zN2s|IFMN#iR7UAm&_hB=$}|OgC8!K4IbJzxJKlEq+g1lVs64C9s+n4~OG(xyQ;Af! zl4MG)wyZL-I%RRhOozGHfImsOpqK-3iIuVJ=eR5K3;(R{J*<)d}t2jGKD#>GV z6vK^)c4&swLS-TmV_lJGZ!DF{c$B27MG}c(Bb}j^mS9_F^V&d=sgZuUlWOuU8ATKI z0d|QrHI+>9tO~=2Xr9NFgv=v2pT!QM2|1F?rp1&o<9H;Y%8dS02a{1YXJe(>SE;7vVF4y#*Qe<9nbY%(FvJopy;4XU;M zeYLSnD%}~4M0;eF)mJdiIj^j1xMqNJR#~@jfa4A0+gN+M)VXqPOG|KNM`&#eluSmxHtS^}(F*3w(DO023fTTQjK zNTyrXcvc0D0CLSLFJ& zS;~{L9ODg4ReL;%RJ1ph)rx1#K7*aDZEIHqJKKXT9if(B7^C&1GpR1QsW?VLWW_JM zuUFONJ^?OvdDbgu01<))46sNdk=lZ}1zSSF0P9kcG2Xw3XJhHkj2!J30}r%z23uD8 zTY3K?dJ#<}lX6tE3IZ1CeSe>tPAE~C_rwT}nE4Y2*t0CHq{UIUi=`u?o>>e9Jj=4N zwB1i6p>$;k?=+Q6XTz$t=FaB!)txQD%i8@_{fh(`n_H2TwSh?5!L-J~{AjYO@wIDA6f>DLI(~1g ztEureZsI;Zzp}==NS)6jT{y2=s)?=X^z$k@(!8Ojrjh&jyr!mk)%3nAlLeoU%0y)@ z5A;N`Dp22=&J|XTMKv`SqDGylvErmPR-WWb5mBt^^q2fvQSxi0bry&V5F8CH2knam zGxV`io&2HXm^dmBD?kLt-fjUA)Idy5Dss%)c)==`o}v@5P98ODa!-Wzi)@Bq8;B$5 zi*zed-lwR25iQzd5h9`!)G={GU=7r)V-4EZb+-CDBx=Z>BS=dyyox&xVxAa5d9$tl+DvMEGF(yEF!Tvj#&`1L$xA_ZYACsks~q2c|#2c zQ^AXblC_5dK^|PSD!8(vy@{O%k-?-{pwmUpr-BLm&$X1G_SW3CWKtS_FbF73oOvr) zG?h)nXli0y=1!yQv>bEx4q3|-$-w)m*}lF=W)NZ*9mUVxWYvEDI7j7lDW7?e#C61N5i7QQo{iF6Az z1hLAqux{ZZPeXlUT^)<2(u18?g3frPPe}|4o?lb|Mt7E9xVT}`XGit!XdheeZwvWb zI*M4OAuu=3QICS^$9YxEv*BDXC=!yArY-vzn~; z)HO6NW|=|7bYExF^3zwbm<=Y7GxyM^9+Z~Ov zzTOxZ2$ID`YfXGhD$^TNGGOS`ijptD$4WxBK2@r<>Bt~h(Hd$=$#69lQ!@C_dRfbw zP)CiLf_U4@JSpahw}w_SkJ=LfqeaJqV+fUMZFe-4?Dtq4`0ABwTh`MF_Mr!wBg29A zIlk1em6E@$J=ozBJ+XEv7!Lc)(rCS3t`e(JU7T_>D*jHSqLBohER2A#Nb!~RhNLWW zK_?Y4-$HC>Km5S zlg30WwP0p@BEW$-uc@>wI5BZEn)#f^O=#vqYXK}liVObCj$1+TY>kU}&f}})BpQ-q zJf2DQ5hHA=C*+vfw`%us9`~>7kk+<^J{=5rI)d#Tp_bKLOQjM^xhl&%mWryi!44_3 zvc0A+Rv`dV?o%|hKY2v)R0a}YE%hlTS*2FlO%)Z*shF(ts+b&)kQ&S5fv%^zse+q-LUMFInQW3n zJ{mMfIbSvBQdP|((M(EJxz;1|o|LLl8$i9z`grKw@e9i%$r$jfsAy{4_(jP`pS(;o zfzI*M+Kc%rw~AG@1utC}Y74e=k4Gq^s;PfVY3FPQT9U!Z4HZcV)iY&yXEmNp#!{23 znf=$={isSz<}zVLm0EJD%&e7&W&6@6gaPN$R#>GcKUL9GUzd`U`4&a%v6Y8Dp=sPk 
zn#OI=G;SkJqgV$Er#hc>MoDVi{6b@ecFtJ>kJh88yiZmEMHLlm(>O<}01&azr4=Gs zttXXHt`Qm;=t~K>J@$t70pzGRAqTFN8JTxMs!b*5Yl6YiQk)c+G(;#do$cW1i$r^rr0fA_ zMw*~hR!e6!I;^}s6l|_t8L~%0+D~T-F-544{4MPvF1|+X6%ogsUlcb19*?=nPB3cX zVz2FkTfG1Z!M?}>j(uOiY2zy@f&+>sTE~9X5nI)tO#sP3gH_Adu0anAoi90Ww1Aqc z*=SUjV{)v5b1zW@E@v{SlKJp@yST~aao&Knji!<@g@6Tou&N}xO$-M0xuw>|PB%?L zdPU42Dpaal=i$^_n(k=7{io2rix1aYcpsW|Y%$NsS7()stn!G7tmyFCcogN5DeDtd zLN&Z2Gsr!Jv}#Jq6~WhT)WS10yaOj>i;_t2hz6zvLKp9jC^%D`llmU0Et<+?vT3aZ zZj~gV%OX=R?M#$;4m{Z$FN(IL3KGt$NG4aM+q-D#No$CjzB8nws`O zwN~g~Y9r}%B-5A5bY^5#%P3K;Gn-6jlzt^4cgwL(XyTG8gR)r^6B_F#o=p;uWWoW7 z5O}O|mS!8wSVGohB3)S}=Bvyuz(T|`vf4v>KD2&(y+{U_AM`FGd%!4RSs)|xekH=8 zQ?C^|bs!0nh{R(n!Yu%eXgn2ytEAB|#(BRI)s#L` ziSsQHby7pT%2K0ku-b%xWhuht4L?M%m<_i5~D@0tH?=v@iUi>i$h!9HO;t7P> z*Er_`@jsi4_C%81a;%286R@gUMD3Ad!Ww}PPRq6fjdO*yqb!e)-Vl4ii8AK+Fd|7FvDuf4toZ1AxAdCskh6>Tl-BY$B2BrA=uI z`okPDu?^oRgI~++1FV@M&8CeHCPCT>*W2PaO)6SkZ~Kr?2@^lT&IRMMmdePn1wwrz z&=n~%+mU5(0x3#oWL4#IQj;@S8<<*UsEui0YBrYQo}^IVs6E^h z<@4oePm0&`WxPl%O07)u`Lf!W++T~8Bf*_PLG%Cih-G5@@>G_CQOjhLN#K0qNG)b= z?fPIFnXMwAxT?knQ`rn(dsz#QM5C!}QZun3W4yye#~xwl5vPync3&jZYoY`b!AwFt zXoPd_;i}pbRapS>%Yl|exppF)LcGezSIJRL<=55LsA^BG#UaZv=&My; zmD-Y&GjwFUFk@lg__;owNOgBB$!?F56vwHW;4z);N+{7@d5}15f)<-TaSsRdlIk>- ziHQ=Cgqjk?gz3yuO4{(u+vF&)(O{9ciKdcj3Wm*S6o8_oh&471ieMvz*-b1h4}m%< zq?6nNE8$=&%eO?5+5)Zt{7S5ayh~1`wopaBR_l>7TND+?JqfufQ{=O3YR0PsrkfiM$w8o^u8bV%1#ncO!xI>My5U)IO^ikh`5TDLDkm&HsdUqc zOEI<*IBHcyN$@IL;YTXCYC=o4h;M@NBIKoRXjMd3tF3XG21%UIq9xWkm6hO-wH`WYa)u6$HNK)p4ow1Q(JVpsWUg*XphE1Ooej2!9Xabd=TsoD}#K;w( zL8Z^30ca|!jRoIjE5c1qn!0vycFk)8p;e(^z(KuXLIrhRz~f3r)tnT-WDGE3bFzuZ zAlX)lsZvQIrTHXdawai|746D)^JoH&A*x1_hOmwD2r-x@MxzlaNi9XS{Xu_#$5f5C zuMT6tj`1oUitF00W901pio zRs3;SbYaXWVe+U`#+=42VZx3pa)Q_!3kG0GhrLUkFBYCmToyPonujJwdy>l4S($9v zKq3vEn9{9iFp4jwqkXdavI6|X(@M0LM@)uSP6|&10n8ATV3qA$S)DyF`uf|we6t|ovZwT^__vWEgdbvV1QrXqyq52SXj;f zA!ERK6)95z6=G{n=(0lq6X{B2AnXbVXm6KnuY-T4j-skrfLnuyBtC$Tu z)D-x)DsZfui{gXLv2HGs)*{Pl!!xx{swqglWOZ3;vbBVBZ9&sKK*bllFEVK2jV>7| 
zOo_uw3}LhG0JhdFcV^J?L8B1;iIoQPKS4QUx z{Ae*4mWPey4{1qQrP9BXpIg1M*+$z0nvZ2h8zxkcPCfGOXkU}f{BEqXHnQ&e7Lsd3lG`?lv`1<6wwaA zRwhGvmxdn;vvvy8)bk&a|EC6b`-h31=g!50#GH&_cy^Gqb-5o+)n7H)60&5nY| z9@k@1wV zqK$PCxG~6!P9Wi-Vn+6W;i8S&ER2iXTAR&;0U}8*_obDL5{-bj5{}89_Kvk}K{0*m zzr^FSf04a<;v6&9zX-m9MW;|vAN=J>L|9YOnOx5)0GDv7O41%2t)zKg!Q6G3>j8N) zm9d8wQ({ob!bRAov;B+69TV_Yw6uxUQRS;UdlVl8A~tzG<}{ZcxA8rZOw0olW{j_2 z)Jc=>Y?nf-I($&5n1kDrNhP~!tsT;(ldd#jT*3BMkCODP3$)rZAn#_7YOn+rCnVq@ z0Jkf?Dii7ERiW1YMK&l2{fkYsElNgmsZA3sdQB^NLP^!8w}2k_X#-4w7E9%d;^}b& zV&H*JjW;!U#oAWJEU_dO!@1E?B%NibGF6l%K!CGXLJ^&! z3O$am|A5Z+3nXvvgCiaT{QZg7>YpW}CBDAoHC^Nc--nu>px$IRVe@hN5>xxf`BsbP zxN^t&TA#4oNvU)RJ%!i#?KnwxbqAp)aE7+(1XPU{QXzFLY3x%;zK;CC7I5tZw34JmIW9+p zn$0pdD=E^M`d4*^T7n&mN;n8x*J;8o@d%}q;&}S2M*3vJQ?hA4h-iX{tGvHKD9DMX zt7x_A1oN_d%|Nb6myE}vAtm(n#8~Xa1lD{U^s#D^--N7*4KlZ+h_i*e8@F}9Xv$A+ zP47n^t4PnU@~)KDLo=s<3X6emPxZ-@HKZz0m!1e*aC#JS!R>GGz!!l4hrH9NHL&ZZ z9m15i-an+ID90f-pg1uZo_0j4ONmjj{69@39Ot6SLf?}}13f1h=n2(_@<1dC4{_u| zJt2Mg=gEW6PZBnTTC(WJ3CPP8 zA^|u>2Za*IhBR{)x{C-lTKM7y|e@6PpwQ~}rFF0cDL;{!tu7U3@(6({) zBvgMKia)Nx2SM%vK5V3Jn*9JL@<5t&k`6?R;laBOpW6o7T36a*OvSll8YSvU8=2Se zHj8cdc%nUWwAVv{9hQ8PgjpfoP)qc&=vxC>PmV36PE8J3_-19b6u#j@A1ITs%h+tN zK&dtSGMU4Ogi$LhAY2$+ihgre|HsoA2SY9@5#q$`VZO0e!kyF-)JOh4vUu9xjRUd+q}K0?B(sr3V$fk)EJCkk0JFkYYGSnvG2^iL zrqUXx(6!F?;L3Gvp^nQt*90%Oz3Wa;t~u0FEE^844~D6<OB~s zLoCF%c28GoKqmV?{0~$pgt7@C9Fu>9w?=54;m1lL!x>rTnStI&jH|MWYz3&O@~Z2+ zTqSh@*HT)<6a+b6SYt{TCnty0Pkjx^g}k1dHhmMm)FOZtWif$a$>oE#O~f+6PhxXA z($|?yDg&m!&t?-*M5A(AgGN9bEY%bWCE=RRl~!!rV#M5u;JDRz5F&@LRj$$0X|kjO zUP|GEko!{cIM`k@%3p-_Lknq5p~UWK1@%FWD+czNPl=qT0fuZ8toB6G@=~kKA`b^g zT%p99q<=29)g+KbQA0{bSJPdK*2L<+MBnOhh>Jqq>hPlyE2>UjQs^vg_bOXIQIrzb zbZ+%8Sg~N`wU)XS2NEvf2?d;rBg*feVH2F?-;d0f%6HVsNkudIdNSFpL{2o@DG?Qu zawKDOU;jW@JYLQ#C8$oK-&hAJ3Hq7A2Kz zIvJL(vV#Rxb7wE$Dfj>gpMn$)l0f242N3}SCAM*KLc|BG7~JjPIRJUfS|2kE)$->N zK4PZ6xO8d`_KX^KxF%Z>ot+6e37cFNZi6Np23Jjb$gLTur|6EDiVI^b)OMt8#;0gc z1j#cj`?;_X!CxcZ*-$h`Zmhf}yUDU$6isLd3QP#gpD@x0Z)&R`HmrzaN*O-OE-pq3 
zeJ%1YK!>cvm8jroOj`*tl!KbAA~*yqYx>ff$x1{EMSm3(cSPFK2uzm%vPIMMl_b3L zOq~OsVstH1S|~Ar5UUVU;H#@lK@;gi{t1)mMQ$LTkrN6iqj2Xp>vbvGQd?UBYd2~X zJI-X2!Z9>U)^L^f2>k&}$e9sSga?h_IE&+2)Zpn-G>ZJKA}-Z3%GtpQ1B(}RE@}_} zP^>53LMclTEHE1nR4;W5Nm0!*B;uPJQuNnBsG$Z^#`~rcf+LxP8wQ7 zAr*_|1ou?m~M@LJz{!Fw=bH3yS2KY z1j0zt=#qI?Cef&fcRHAx; zxoDuDm8v-3)(PoTVjj~84$yA~q~P?6V+Fl3Wko5m)52lWah|L|h$5_3nW9ZX>6H`U zipUyBQoS&{)jE9SO#7I%VUBYzmK)rR2`j3jkBH{nPUzRHNUkP_n+xp2mPgVB8JVz@ zfDA`Jww;(Fm{c{MO(ZOEw(tvtPLj_YxP=^ZPUaEgQL|15oh~_^%E&y6$R@641?9p> zY`&;cFhWit6i3HI4<2xn3;0zC1=La;SioLyq28f*`-ts_P4){aBIdiLM@~XMAy=9r za0;iI_n!s%!;|lL3G`Okp1qS1wxaSje=}hPYgZXHReh_s0lYo3l8@bNg1j$JS60KmkU$WGwm3(UZ3k#j*k*NHnuT%UJ_kcWg!d>W#AW0dNWK|xLq7Dl=8~RDRmf6YIFJ!cOlq+T z4fEzyTCFYmf!YEE!6fVrNwQ)WIYJ(j(}~m|h?rBaD;P&74lhoB&H0eLn@yTJDX44BL;_rin_4U?$szB;`Ar~_8Y`aeeZ%v7US74O zN6wIYfKZ892Nz)iHm3{ZRn$XJQm=L%YE|VZujO!-PIk9%i6nU~hh zK<2iy^NJ#_6QHOedtdBfP~J6pAPxA?dgO}pc#*#?3VmkW0XRpen#YbyAfw*`R4z$P zQtf1kg}0&Yy06w$oLAw@iO@B862S=(i8%VS_!Z}smNKmZ#bp53(*<9ZgiO#!3@o6d z2FVI6y@YjEYGRI@YmVbrgS`_gDmDs$Y!d*FfOu;Wh2JwymD-nz@ol_2Bd59NYCiwU zN|nziT`|JEGky46sq%%6V5alW7f#L=Jn(JX#EW_6*)a0YB+A3=B#+5Xcl5H2QNm`Hn56RTaa#ABb16EEod z!)GemdqTZIG?I>VDG5az)GVn9JCtpKs5M31TJj3Bq!=X` z&qP!$lZ|TGj7&7M;yj+}vV@CLKPXF6?y#U0t!FhA9|UP~ANN++S&4X+nIuTHGFynK zCkv0-dVDjbkWv`9O-K&(PxwEaU69EZ(7umWGsX_b;*cuOIe2< zh*)HTL8OlyRWK7JUJE`MZCLeT2O)OFL=s9ert~W@p`8~?M!b}Tg3KHsHvWDe{7WKN zG29BAlc{eIia#5QxabLQ=TSl~3L)ejOxS@+BeP`ZB6VFg z(T&j=4kZP#OA|v&jgRG5rHSRx<)cdI@a2nfx0#BHdkiY}N<^1-Y!+=(JJa*R2)Cnc zDD^BaFSDW9sF8Vwqv<(k2|{?DBHhsO3$1jOF{_=Z4Y42lpjijr5r8+ZxRc+l^wd=0 zWxNeYv(ku^duj7ll~+~*r%S#xa>r;3zb5qo_al3S`+ZSvy&grQ5$F8v0fE8>jw zr0+Q1z(pUqzgYC~2)ryDO(tT&R6tyRTi~ggBm837%ahlM8deUUI# zMmwamUo7;0V#kwl{?f2&Wz&+?E9gAa;={tDv05hGBOPz^vvu}KnfRzaq8idlm>Xx} zVwAo|W_ckdJ(yaSsWp>joPF9M@RN!*(M#fGw%x6)GPjJtfpyk5Jr0}*xyH_Fsj%VV zc^9GBYFR|1ZisH%rH!I_H#_?`jbC08u$|Dz9<`N&K9N+l0ry;q4BV(ZNtFI+S5?v}W>BiEgb`LSi*hH0=ibXgDr7JE{@f+5Aze)3LLynjjbE7iw{j?&Q&;OPu}TOhpu*?mx#o 
zOzVZYyd|tugqi&!zK$4ie-A%}Fj5}3lRJ@oDdarqhRRaq*%(Nhtbnt8&W(i&33+t2 z$X+I&K@oqri<5^N(2;=Fp5p#;8tPVRD;iffH>#nCze5d2JM~03=|>0a*mKUV;DXx% zPmPLe*s`qEYXSEaAX&Gu5CL9Kg|||jhkq{cR4x#IReLHbI6ZTXB=^#}kTlnMJ$~Zp zP-Fv+d-&WO`N(CU_@b>jYfVGl^5t4}m1;y{mVYIVLM@9VjdJvE;Mp+8qps@K6A3&J zK?*rk=^l^pZH4lpz1~KTuH%kLT~@bd`D$Jszla#w;PFs_s5uPkqIhe8K)SQziJ)@` zxl(fHrt0FwsyChfr0n#1P^FXtInszTovaqtfRdrgDdOj@>60@pI z`3)o0#XGTe?GikEDHK|yHsYyWJ^G4OSI(=m=Gn2C?cnKY(Z$JOUtOXxY-TLVZ|wM^$#A(1r{D-E zO_G==hSW(%l8;}I;y3*H^CeQqNa$QhDNmr#Wym2#!keppyFv&F&iWog-r%Ixi#*rB z1CkU9$U0GyoMu`5m{FsIo=he1bRInj_J9v&pOs29++--w;585y*KtWkwRE@Cw|LpiLzm4k4;? zo%;t5l037BOO@8Ozx1AzA6!U^;{AByxt8l;u2IJ6l+(?z^h_*d3*;BlWwG$bOS>Qb zED7!rqA@(U#fx=DDiQJr#KMXFDf5YY#bjqdNcbxx$gfXJr%THkLUyO5<(5BC;k%NL zm>oZ*lfDk5tSKfu1*CsjA4)INp}?8Y%e|h8$_jp5g~LHoaC#cs=tSaiIB2n5KM)%? z?nJmen(Auj7X_$1V-XiExiqV``Qu6H4@F#y6cIX{u4q%|scngP7b<__vB>&xQrrL( zCy98WFrs(s5z!yn<78{!n^)YWiuRT9s#)Zj(T|qQh;KNdcIXg-BCb!eAEGgIF+DF3 z5GExwvC!2dK1d)L-{~oTq}NbeV-39h?Wr&_7;Fo7Osz`ue}5909qN%i>RL-I<}wgJ ze-phYePs9OvxDO05AF&z92fT^+w~yc@uQi89_ia7v36_}&yMF5v-w4a6xZ77(M}X= zxM4_{aEIbg1Ul!^5SOFw4;j-O;qkI5mO#6JwEmDcrd&7pM#~>Ty(6B^qaiY9GD3n2 z1Z@5>Mp*OqE_E4fk$zBp2-Di8x6*a^8tVg@cE#oP5d26Fu zCZ-gZR&j24xdteGc!w$gt|Argk!c2|lP{8dL@+jPA%Pb*{0TJP!1`OR$`{Jb9p|0B zdX{S)k}L&vp@YPfu}~ep^}2^uU*p=whPCCZRxUqFEkoDY4eJ`wMK@96YCWVU#Jd11 zV@X4g^z=q&8}i^xI6fyYY&i48oRm9F+~KASZl9KFkLcwgw1CFW;))z%OJ~$IahN~R z9!@4ur9)fk)$_iIA2=4dyW*$9T<4&nHWudr9doHkzp;L{p#~Co7rj-u&f)WrBjA3Z zz() zriTNax^{(y(_CB^Y~$oyf~c*;N@;&#OP^LN9A14?QHA=WlQPOn=TECW1V0bwPe&GD zQq+#OLVBjxaAyfcCYMPoQL=tWrGREfz;D$x*k zJ0%pVx!Y^2I$kuvp|vU|90Ldo z;L1eFr8zHVXio`7;-HJP9KdlA+Hh3#yjr)?=V%1EJQGX_`zxgJ6~y4=OD+dA?#B~n zSeb3g3D=3a<{JPk@KjXg*c0e#x(lQ$Csthmi8na9ZU#Q*r@d5 zoI({bcl)oRJjy-ja~5OW(U;z&?2e?Yg`dlW!Ej>n@y1+UH2qD_fh?AGr$~RuRjL0E z&zDZhNRPWIaqo@OE3Rc>gCONbTo0hNG7@LnMXI3bdG;ws-m^8%Fo-TP%gLJ>*Y(ZU zWPHy(fhi!rv$dD%Zn4L?8JIHawfK0PWsd$j#P*if5vwpkPign@yx!^gPBYli?u_lO zc$kUsAgjq#p{w)Kx9GT*9Z}-G$Ew1@OngptI!~WT56=EUR%BzUd_CY*$+ur7tvR($ 
z?B{Lu$;NM}QN0H}@OJv6=qgnxGw4B`^aA7<$9%=xx9fN>+o}f@EC#9Esu8!jDYuzz zq-8lIGkn2=vvEIVV(%JQmHDi(;1IE7Jr zOy=EVvidzHTein!YxkJ!lszW9bEnDvy31s*?K0U5yG-`!E|dLwm&sP{65sIq|1JL( z>@wM`-6lKo5N)5j+hm1#zJG4(tKZrF{-5;UzMUqk+AYTA%-tqiwcBJ(yG^!ux5>V< z+hqRTCc9&|$!^+hvLEa=*_PcVlVffVZuQOWTkyYa*UP`eZzpKm^{Q%1vF-YFI(r6N zlCJ?yr?C=?Kek<;uGkMG?7BC%_2YjsNk%4T{STYXLYIv(=cjEqWfm`Mv+b7bsybU^ zYl8jLw(DeDWCF+6ZMRqn(!Fmb-j)HhCs0*2yHZw-ssCh|+kSv;Bj9!RGHt+I9iLgg zOzf56A}oYkhRPuV?1V|$DBhnlW|4Tc#HmDKvm zdyD>W!{q?mu<-#?)rORK0c&|Un%W?x1>D>RVu?5%9(3EEC`YL={ScNaAHw3>Yh1Z= zyoDuZ|I`A2LI57)3+?!O1OWWTeC$a8D0uyWC(-6ghXQ~;0RF}=dZ>T>fhS8iTm;Ng z002eD!t*0sPy!_d0)TJ6zy83J|4HevhyoZPeBA5LK3j+IzRNsyX@jlY{;j!67p-*g ztf<`JSNZVeV$Yd8K*Oq5@j|$K0k`~&l?|&_uRf!7ZKLnlW8FMIH%#CNEH{8Mztb4T zk-j@p-d&AmKQg@|6xf||<2OhC^qaASKt8f6@!2iDa^&Y$-Qx94k%QxxFZuCym2+R| zTuD)W=9zW%4L<0=CF7&&Tm(Gl+AF=Lf+CF3Vd z#1A~(%*KwE3brQ<0OLmDU+0Uz9;ZDDtXXo!8!Z)st#zljT=CBGE1qkqcz(|!o<^cS z_`!x`&-oIWtzb7ITsmwkK5n-4!)KY!!7cTe!Obd}w! zc75}u_2(vruld%DHGQ+j#ap{MXo?A0^pyZhoH$MNfWz+vOrTMed zt3UYor_+D*=Q#}pYvXtR?8V|WzPA6Ed0T1cs^NK;{^G>C-SuNW7<1Ibg{MXryxOK; z{>9zje5N!@RDa^?i5twl{xu?muIHdPtA{b=Lmrk1u)H zz452-zWV6Pjp~fwopsClCzPx2xMy$j?$5rX?drU2?>%3g(fYSXCZ0EX&oN+w~@U6Em_{R6wKRM^`6Q)%?`;#XYytnKR51!cjt-C5G zT=eSP1II1fb@^F+gWg+>7bdmTjxN8tZ`|*S&wKQ|`)6IZv~=>wcU?XAJYCy(#qZyH zeN69(H%7j(?X|5NABermzG`p&$+6#i|Eg)F4@DP$m0WxDh|3S|J!ais7q07gY5!dx zU-kNfCog&Qi~XM*Gj!q)C;z@md3eaT;j**Vb@tpfY1F6lwtmm(>wc(YbI+u^&E4m1 z{YFRRwz0ps{pXiQF6ww{=35_K(Ry>?qsBXLoKi7&_N{k?eJ{=2bi>9|A1c4`$YZvu zg%@iNeDcM%-*o$)ePqvVw>|kEYp*VzlC1dN%&8;3=)G*$rxWjc*mLigw)JQ4TekPj zA2%9b{Cdf=aLvZ+FDz|a{M^~EKlSE2kAHvED@BuMY&n1G6$kG5`LE;a-){J%bN>sM zmAO}k?)c3|Z++*&ivQYj-FY_${xB=_Fg#&-VX}Klh6hf8u|jujP_Qk7{`NkB!3zzjxNf z-~4&+(^W4u{P`~%ri^;!n(ouzcrji$G;jM4F712oJG+Co?0k9rvzs^nz`gt0QOc<2 zb>mlMZ6B!**L?exTi<&AxqYYl+0vy8?!Q+%>G8d5R^GDVj#rPUEO{yxdg;DvyO?LcV?lrMjD*u$|*k8@K@(*ZsQHjN{oemiWYT zKxl{(jKvb_NxZh!6T7x|p6H1VX(jG)M`9gDES11lcrS``(?E2djIIG zMz`gs4xh8L_XGY``D-H!)!F#s>TC``1=7Vv(w|5gsPkT^o;}-UAv$}mDt;QB{$Q*p 
z{WBGe=?R1XP8kWYkfdgx>sC<*q~U4GLiHklDjd96-@sqe;Z6l+AG=uf&fe%&Q4t_s zzFU}4Nq##=VsP_w#)WEUxTDjZ^miBw)w6{j)nh%irqQbj;aGGoDOo+q3U77ITs6?G zd(d{(!^hY5TU_)>f9Ed{pKIv?as~U1BBEvo{ir9|Nym1D2t5g&M26!wFq)LRXR56Z z6JhS}Pk8vIKA&f#=23SGyY6T#%1?bf?(&`tBEwJ~S9|xXP9B|+k;`6V z&f$todo9W}QssE7A(I@5zqZB;+?Jm8F{+IXj5o+9RA7g^lGMjDd2q}j#SN^P-= z|Ao|^;Gt6=dj7^E;ec+RNa;qDi;sDycVj8_|V*UoP7%NkifRc`?yXZlCY3stHzD6FqIgmV2US2~z3u zxk;Eo=3(4UIop^_`XS=Q*vwneo?vB+U-{#Hz7qZbdg%+I#SV&Rbi>(_%jV*v8~lnZ zQmz`tL$)O=n^vt}QHO7E*DYVDhVl8~KnevwakQSc;6pm+7uJJ%!kEhscG1%e+ReCC z`-GA&-NyAqsGL80rzgtW{kT{(`c|W-dh}?RilUe*y!;sP@OnIU!$)du?JviLrWeg1 z@#Qyu6;L%&Mm!t{$5O_jqV-kP%uG&Pl$z%t+Cty)l% z$!(nLLu*fTeK;vsz|6Hlyl5{-<`lgmSQV-aSR^BitG*_=NV%J=U(l(C@I^$={xmnN zTDeX`SyP>-Hnh~OUemaizjd1I(f#WUbj*Wels3`ABlM)6h|ck-b^J-bh`$4!x8ho^ z2fFn#QPLb$T-!%;8?T@j;fXGm5O4XG^>l^g;rEd zq`26}FE>gdSUriqG|9ODH|$!B&r)&+8L@;R);uX{5~lLFy1~9&5Xm2Ul@auZQX*Oy zEzZK37PtjE{`hkD;Z~miw^*|}cxD(Mo(SsdsYWswj(Ix2;m!a>!tI%`R5WZPg9z)6 zg@eLsuMGd3qh7Sp2IICO{DXR;k<{aJ)Qh;-CDI~9*p<#Z5udi!g^wLP7ey~q_^dH! 
z?Yg-8p$COK8SC-MNGujtPn^dw^6YxFyX?3$T^~0`U{8OenUMWqO-tkQ<=J4IC=x2n zE6Tj+&Pz{rg!!MmY(r1tGwBGK>zzvp61u_D2nbJykLRf;M)e+?KWCq-E>tfb)FwDG9ahMXC0CrwaJf8D)6c^-b*o%M@RIIa8lgm$18!c5YJ2w7RX~47ewN* zV3$8SFNp8p2>VjB-kSz&n@A=}hE^JtNS!0{O-Zt;p8>7J>U>7EYZS(sBWz9XDL-)Liv z=9wtHB@^K|U*MA|dOl5$c6$!9&{8|?3$(>9%Ee&j#UQqGUkAfXAz$|J>kQnra0YAP z&$mndVqN$&xUMp7XN(S4tQYE6t)U*&Gf_dg+=eAo$~Uyg5pYy({e|; zmyi!S7&z`p@vv}gf!Lqo=jUyE)olPUiVlgF(%<-dEd4zi4~psUqAckH{WYa+ro@ak%aj8Bx(!xtP$|JJ2fO zF!c4c(aco8Y0;OV2U3Y}ve#oXCgYW+n_GM@B{gZ5|nz4$xa;!P;#Bg4vqvkaGlAH90f3RoyojNJljm>8wC*GX0rZK0P1#= zy*LVB=XR65I|`undXvo^4KQ%M$=XH(?7ZG&$L*n(W|cfcOth_9cG* z50fn~0*K#gvWtrVS_e$F1LNCF_DK;y+wCT+JpuskFj?dXfT24~w)Y5tzB^6!$q@jp z_nXY;2Izm#Wc}C+KQ`H3H^AVJP4=Z5pl_$iN{az%cbTlJ7+`pp$y$p626me)QVh`c z6O(O0Mb1Medj{bTnXG6GK*_@z+z=OZTDFa`h~HQ4~d_n2&W3_yI3$;!q8s6RDX z+gO0spPH<1EI{8+O*SwVVCbhN+dmed?QxTV0&w7Qla(m|{evdkpa2Z)GueIxAim#Z zrQ-lfo-tYHIDp}2Oty6#K>S&g?L+wUCYw|OQ2T<(f+Ya0FPZG25`Y6Qnd|_@2Te9+ zJizcPCTkfFQ1WM!-7p?tXvk!*BK%F0!2|$!+hlVm0C?Xu*~Jq8hW}==Jre**-Z$AN z`1=Esl}-fc|IlQe69EQ3HrdvR0Ii>zY!Cka++;sOOS0@1gGuiMYfB|N*<&y#0fUyme0d@joTPFh?C}8ZsWPrgjjHy!q`X(?oFa=;} zB4fi-0CrAdtZXX4&=kgkQvnW?GS-jrG{y#}0t`=QY(y!*;0(rEO99%BWbEcrfZCai zyR!aRWdd-9YCGWSm_La*7=OhodM7{pRw8*06XV1wsr=<(0s-^X8@E`F?R6`fZ8g? 
z`ey*ds~Ed;2EafSV|!)*9H?UKnHgwo&)Com0Ph0EK0$m77%MpvV0Zyz-Xj5Os~KxO z62M!-*j|hmF*f%ofZEd-+i(;>>uHSj;@HJ;B>}b#P4eu^BxP(zmBoKW5uF@!;Ycg!qrf)p`>8On9)W3 z1*1z4ek1^F`M$}Hqcj+Drw5ot={q-?Yyf$UQqrW9E*)3gQ`85iO<#24{8=0g=Jx@> z&?b}F*R2`=I0p@)wwi1dT1M3?C0kuSrF3)QGDY1q!nM_{lr||P^-57)amcNd*3sVp zfDgsr006IUHQC=N@71n)rSz)8dPTi*M7>hBb!465-8`yJso6AoiE>~>VP%0^scBKX zbxK*iqSh;=^&H<)#Mc4+7`=W}xKYT8L!K+PnJ;Hb$mt@v)8P>5`+39kf=jNSSXRGScVtl!2iwoe$ev>sL zjyk1evul}Bx~b5os6n?<+MtxwDMc;CK3<(VrHJ>}UKc=3f4UD5&jA-eRlmu`STwiX z8XKSDb=BFM*isC0QEn>~Ywl7Mz)r`qmt)z@N`GPD!v%si>y)BKq$RZ6t11NWUTd<` zv92vj$tIWPR*IGsw<<-gza;uSvk)M1t;tS72L z*>193)W;cf=@M%$HDMjg0N`LD!28=xcF^k27SW%zuCuHbwG?w28!(sEX|6Tq zm}@?z)^$(Lnl2HzT1Nn^y&*m4uf{n~^R^M^Srg7PAI`JWl>;TNU2dhOE^DGS7GoQ3 z9sy8#qseZy+R!A%WoL zCfkPsJs-mhk?3 ze_Bp%v`Jk*Cg)F=4UV4WYzH1V;n(?=TtKhk{R0U9E1V$XDFt#Mljww zrKqXc^-r<%*C|CSi#h&tjsQ6Gf%KZT$+b-BS0iqvq=8lw!80y90$|_)lRbnAg!EdG zYwVXQ!-a+Qxp@X(pKx4X#QN?wS&@bB5Ike3uJ9nPJ=si{(6=6bV4$YMiRWJpHo2OWq4BQ$TxcME{;nI~oF`1iUx(qe*^F&yvDSxGN}H=S zvjy08wHV;eCroyY)t86j=dQw#D`#I?V-qh1_~hp%JD%owj&-Uv?C8msVpp%DD}Bf} zuzrKZ05AT+WMguS4PWn%FqWi=~9wK!vufm(FX!1H#F0oePr$tK`B#>Z%d(pTVm-;MhUY~czwAFidv zu5$#84=-=yonrt7er>YJ`Nm)g@+qR1orQ((#UP<}aQEWo=5Or}tp%~A%# z5ylMCw~PgN=6RFN{TGZQj@7}j0QdjFWV@}g%94lLvgu5$b(0hT?;lNe49Of< zW{>kgo$F%9IE#L1RRAWvY_i{CxwzKd?dHsJj~hps=0ECSUNPCV*8F$ODf@U16c#>p zi1Fm}Uja~Gw~s|Tj>S9nv3OSj7&BzDA7i~Z4<~sz$5>1n2hjh9$(A2#EXF$dT}#e6 zg<}y!e19?7&-0H(Jl|Lhj02eU&LPL5zs}X;7>lN2+>^gL4xs2=lbuB4xE1*$U7XYF#n%+PUKaKL5MP-bUSK zdY#U-r(3EF&nkR#bk4N^rvY4y|HcE{@R`Y;#KVI_?-g2ckEj$VpBMO*K3B8yc|pB0 zT+pk0UJz3HTusX71$8-o7nbE-jhc!%U;T1Cz`_4E*?IZtvK3|340gVx*p+fDM%W;f zla@~ac=t<_{mL36nqzzq-$eWl2cLd47xVdX*#v;TuS_=E;x~M4PVe2CbMYG=-_s0E z07x>Ey@hQ+e)9}xG{~Kbe8sL+d}B^~==Uc8)D$rGIo6NsZMbfrnd_raaU*n4eD8(p z#E}yLid>9MqW;;6?b$5$OFpFy8TlX60{q3r*l(yz`+j&S?uR+A z<9e(nrOmZ5r&!-8_SW}L1n4YeY=CePU-qF4<3l;DS@9+u!_`>qgtTy4{(K_9-a^J+ zv-DvO9=r_KR9>%@%FdC6J91MJ?<*YpmPr81-HbhuIrdAHz7d_)^sFm(by||OSZh#k 
zz0b|q%T~UnC|jSd47<*>=%lgOb+)x)@+~^o_3WJl&{@pbudV(#1Lcub*dME~KU`PY zG3}e?|9@6KGm<-TAhOyDe@A=xW66;X-nM*9@xK}8f3~=!{#!{HczJA1A zx?Ia!0ibmDLU&?TjL1efLco+_=kT&fHe6n=?oTejYZ%PJU<@7#&H`tgk2XURW@ zkmm;{6z;(NLH6blNs{YoKbZ{Rox<2v7G0;;1=pXfdC*wA&icE#*yXo=;L?C&e(Dr} z4O1B#%PYwg6o4I$bTAcQpCjEQJo9j*!*h@?9qCS;3Q#&N z-40wITc-k4O=Aq#U)+;k#CM}Y_a2!F&^e8<_0(URT&`x$t=1_;xL@5m6=2Ua#+Fdt z)7?tZvf@sT0eQ*&Qvu$c#@K(-xLu7pncO;YpVC&iB)8b)E5@=up9&C(n2g&?D{Y%b zZyvREnG-8;%3#1yWay`?T~zhf=;=^^iA2rU7i3$=LOlJhs}B z$C{M^mutIy+tE^dkzF3ED?Zcy6B#ecI)l>yUOYbCR;0lf@l5S_#`vRUmR>~Yk%y-N zd~!TvtEmrY@6&>7;7Vm@!3Byclide28|&fuuRC!HHiU-1PF zA;BkPj`(zd7t0uX^y`fC;G)7Uxb9^0$7bYZxW^it4)Ac8&K{J(MRr0)W&i#~tCRza z;{1%^{pkRu<&5E2h;j2FpZ6*1N{d@9FAi8M6!xz=1E8ur-M@I=RfT7V<&2$#czjAp zNGam$(efDpE#-`DvHEtEeSAl_&b5!PuNY;Fz8L^_mNWLUMHBo?hU;XJ2v^vJ3NfwH zGJ2Ds_kDQg=}p%W1J?7^82~lj%zEN}1kXHMy^P&P^}N#6>fFcgba9nKrY;j@d^{iB z=Vffa;H@xQA7 zU!rn{C?0f_4-wJ+IF(!bFD`%LF#`Y56!#^>ZwViy-|9PpV${D$$`N7cEfKfD0S(moLN6ed0TsSz*{o zbrgpv?xuJ%#oH;qo8m_( zev0CkD1L|H&nO;MAEX;_VdQP4OcXKSl9N6u(39XB3aB zr1B{~f#Pb4niZ@fdo#MMGeuUzuD1M3JcPRdh;!*Rde2Pz?xSHZ7iq}yb zqPUyl%@l8^_-=|Hq4+6^U!wROia(=x6e@@TU<$=2P+U!M6UFN&4pH1q@n(v*Q+zkY zk5K#+#V=9(4#l5QJZb@zPw@#9S5w?X@j8k_6n9g+nd0pf-%ar&6hB4rOBBCD@n;l| zs;2TOK7rzDikm22M{$VaZi+Wkyq)5^DSm|F!-Y|VQ>(M;le` zXMQx8e*}D(g=iS|Yqa9PTgepdQ z5E{TU3Z95Xlh@1k}Mken##^9c^04t>NAhbaAis?Wd`0`M_Sa3t?s z^?8NLttCB)3^*KEpSS~#^oww*SCIkFiwa-{?0;L7OVxq#96s5Sb7iP;2|Q9yBLm(w zDu79r+$=-DmAn2?D)%6jE9KB`f*)|eFDCeq1HL&A{%w>V-VrTAAK@78$dmqIYS#cU zc1c&iBzP??DEuB20Q`aQ_Yr>CZ*S$n{|||0rKpG8W_=;y$UyL(IUyQfi2XSQ28n*; z{3)l8 z!3PLVYE#%t@WCI8^xT#b0De0{@Q2HY&Sn3+%;6<)&@oIKezP*fUhL{ zX#tn&+9@NcpZ5zmx6=cFN`mj?#$^E9<_-W>kHmVGz!23(t|I}wrXz{SOn4uM&wzoC2u>ZbS;GI32}i#H$X5s6%YkhM6^#<(F7=?2?;S&MsV9}`7Z6Ly z%k)nYT&Iq@3VV-~TIu=j&(RXwh#{f68s3 z0N|Shm-1iAE4=)Pkvj;(@%iQX#Zjlx%kyNJpI%xJ(kWV z{&*Oc1yb0+(@(SXgfd)J1l-kyGu)O3{sf0BFieKI{2mP2vJu>?2~4ys@w9rxR1jXsO3h402IM_dD35y2Yxx>iJvE`&+o}1o##nE zaD=#f?hNREWjxG)K8L*e);LT*9oiiFkmsn}5|TgVJ^sJS`ViyfcLH$#H6eHZjCALQ 
zPt60b%mYV%F}cR^Ob%Cs!(Y6XPYuU=SGm&T8?M+7{f>U<%Y%P=9{2-!;DdSK&vUq9 z3Bq)I%I_Oa00jUfQbW*>`a2BO++aVzQE*Re3CU`3eO8ou+09=u$+?(^jcS-!D2;qJbP!7zK{xyWV z##!elGQ5>1{eyY>`7M`TtMkCm&jWuj z&-iZ4lYU$tI_c->6{zhHbrrAl0>3+%i%u@d(?5^qDffju@W1AP|8oq^$0^YEvRI&` z9&a3SqYPvq`|YPYJ+G5^9uw*L9WAuM=kVz(%13wq|`JFZF zpFHV9l)j(%gWL!8+iP+Pd~n*2VluL zN*+EI$b-M9B)9ytIZyhV^1vUU`oxJ(3JY+6-(dY+)3eTx{+I{P-w4kjcj^JaeK+8} z8r}~jLJ>_qAu)^|Pke^Y;j9TXUXJzauQVS^NbfCusYR*W zL0XR_f7nFuR-zNB*S#iBeeS0ENO@j{-4YLtFRB0FsXTaI$pilf;n_*&8r&Zm0DPP$ z{iunw9y#`3;|MMfvZQ=o#^KrF)I9JNdEiTn$2d=~zya!iX-{)$9z5If!0#bE zgMSolkn+P`34dL{`Q1s>`{u#(dLH;k6N#=I^Krx^(a-V#f%^x+b)Vq<2~jTh!Gia2 zI6OO`KSBtnkD@)BNpWE$Qz7dh=4F$GtoO;O|z^^Ij3%A5F#Wpq@lHsY81z zqtME4uI)}9K1KOXldx?%~fy%*n~#6Idon!#?`pa+1{ zpN5|6Wgm4=QZ0x*DPK1A1Q1oER|`eLaRVYTe^A3`T#-nlMlzm=#gT&bXfKXm=u5|>uu;PI(jb3qra9m5Iq8YgHb2w@w{gH@f z_+@SD8tZ)8vc|JOIPed5%Xt(^_&YRw0o)S+!m1g`SVGsjt2KWT0{%$29Upwh-$rLR zlmvXBv0AeR-tcFZpH9f9v@9SCzh7X=izuC&KQQhIKs=%Iw~cfy?$@HJNF=u24r`aN zPJM%xjA=FP;E!}@vA7=9@CkD*6iD>OllCkDnFSN_G|uh}#*hT84)2hEX@-6Qb>?~< z2a{&AW~4j;+qgrwo(P9}wRprIO=ffyhiFEp9*G2E!At^4CVI7m-mNDPpBDFb=tf3f zE0?yRrdq460?{;20M^v6I?QFaKR3zKg%DZ}a(YFaN#1!czr-3eS94 zU+JlYK&7Vwy28nD2d81EUtZU+Z26KkYdKYF_*$_ho`kiSAd+jw2btaWMRrzC!XLMR zi5EGbNYQyR;3s<~v4}{L%gp8YmOoqdq4HJd%gBi|Z%*;mUS?J|5zEek3+A1E%}|zM z2MNS>h{$EVO=M+CLy$M=K^uUOq*I7hGyR)tmPeqd{+c*B^ z12Wfk-3F!Vq)|}un%1PS+`TV9 z%e7TaO=}w0YHRE2mp5wAq2ohawav?y)Hi6Ao=VRG(6q1-3slb6jASAiOGT`Y^J{Eu z2)U%yj!3LSYxf5sl+bl6IpPvCk*`pY&;!nbBH{J`t_X>w*5waJt*rB_K-2U@A{x{1 z$_;w>=gH$vUj;_y0Y$OxWK)g2th82#j7oWP~8K1NzYgcIL zrF`v*hDa=`uf<0s!AJ&UsbofS`$DRP4LRzzp30mH;b>G(0DoUA15diwjetKIvcAo) zfv)wzaKZv$`wcxB>@qqsVC|`JB&hjQ$xb~QKsMYSiM3;mZT*UQyA6CDE1FCfAuuNK zP32fTvsNiijTz;nqDH4bksjtM67>9r(G%40Nu^L&j|43tK(az=c_0!Ctk*j9WHQ{9 zMpAJyQer$D%qYrw^dwG z>2OrALr=!yNeyMwjE)kIt7d|di9ly2EhTh+MC-s|izT$AKhdElA)eheY5GL25Xs;Q zMlz9wHiaT{M%j)fM{IWF{OQ&c_%6H_NF@?_G?^Y`lHMQ`PbG~Ee3`o@?D=52Lxtq3 zMRgt7I!#h4#KyC!66w*&n5@vHcNuyn`6I)04of&%?GFYM8optO)R|e$SRk41Eu^w^ 
zX?7+`^8=@LGM0hCk={<(l<5#DARdnA7zZw^*fANrhXXkZMycj}BNnxDUFx^=azp^T zbe@48yD|smWzOub^+r0T!I=V~m>e4eyv5DTq;8Fb60{%d! zjtwBqX$ z6-3-5yS67%NgWr*fNt&mXgdlaqc@t#4C1J`u;Z5eUMTZ&u}LYM2+7bQ8UjO)Kb$2P z3EqT^IU197adJF=qKl7lLXY@U(Lg8o1NcU{H3nES`$MTx20>cr(SugMS!{|I%9{ak zq@WB;aXpcUWeOI^j_~QaY)sak3A#f$WKsFVZ$<%FdxvmpbrsTkj#VLpgG=r#_um@V zOvynu^yGTIHxnbVbJ7|*=9BD|?8c?{CSVwyxPMt6OC_~Hryf|JomyabR5eFij2!)x z**+&3MWcEkQ*;S&7MIbhnznXD18p87hOV!7kZuUobvD@i`B`)piY3+~u>rn~yFm;2 zgWX}n$w>L8O7>aCmWpOsP#5Z`berr-0s$7Qg@Ds=@YjtqxsZ`eWYZ!~m(g-j5Kf_# zfqXF%OK??LFx3?YO$%)BqeSVCgfGnOF{-bjM?y*6ND6Tx2j<-J3Se(#q&AWXBbhmI zG%bLug4T}2V#yMnGF5>f@Sz5#gkI~ze^tXct1$rKL%D1;Q(M^qI^+AyJ3I_wb8f_`JV?o-$x%4(rTlX?Db_V??K8S z?J;EVIP%9Szl_o6vpvZBNHWyXRUTRXb(CMm(qD%R@_bJQG<*Gwv6##+{dmY2-(bQZ z?@v4HkN4Kmhlk8B{d~xHh#Y?4{ctQ>=9m6H&W23Cm(p*DjHRCt8JzXUdw=MYLzXZ7 zaL5?n+ruF1FVo35j%SOu{L;^d6;pm^{bl$L*;Yw>($9#DrJoU5zO(&TP<}dgxBQk! z|0UAT3Fb#%EzbOSFAn=e-oLjl;Lt@J=?_H)C;i~{Kzn|b^2wOLxo8XW{)&umbmSi- z{|GXc^_4;XmhtV5{PI4zjJG~3bBaLMj;(-Z;r9AVzcwStc=y8?77q9FT?K~{6qQ&kg>DA z&hlTyCpBpfVvv4-WGu%?2KigYIKRf(@=HHKGM4FNkiTX83ALZtmUVwz-XpKI2wMba zd(e#%CXxB2-y18&&b7@CS+1mC99~Q!^AD1rAsM4@XM2$OW$fnn*wgu?pCTEzNyHRn zJ{jYERD1dIo{Wr(EW#AQ*?x52hqz=h(q2#6yQuUYs|?Qk=%x+Jm-qH$kooa>SbL!E z%!nOTZ5kH$N?Hu{zPALpm6yFIjx7FfS46H<`n%Yc3-a^?Rk8I;d path to iamroot binary (default: ./iamroot) +# --ssh-key ssh key file (passed to scp and ssh) +# --ssh-opts "..." extra ssh options (e.g. "-o ConnectTimeout=5") +# --remote-path

where to scp the binary (default: /tmp/iamroot)
+# --no-sudo don't prefix the remote command with sudo
+# --parallel run N hosts concurrently (default: 4)
+# --summary-only skip per-host detail in stdout; print summary only
+# --no-cleanup leave the binary behind on each host (default: rm)
+# -h | --help this message
+#
+# Exit code: 0 if every host scanned (regardless of host-level vulns),
+# 1 if any host failed to scan.
+
+set -euo pipefail
+
+BINARY="./iamroot"
+SSH_KEY=""
+SSH_OPTS=""
+REMOTE_PATH="/tmp/iamroot"
+USE_SUDO=1
+PARALLEL=4
+SUMMARY_ONLY=0
+CLEANUP=1
+HOSTFILE=""
+
+usage() { sed -n '2,/^$/p' "$0" | sed 's/^# \?//'; exit "${1:-0}"; }
+
+while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --binary) BINARY="$2"; shift 2;;
+ --ssh-key) SSH_KEY="$2"; shift 2;;
+ --ssh-opts) SSH_OPTS="$2"; shift 2;;
+ --remote-path) REMOTE_PATH="$2"; shift 2;;
+ --no-sudo) USE_SUDO=0; shift;;
+ --parallel) PARALLEL="$2"; shift 2;;
+ --summary-only) SUMMARY_ONLY=1; shift;;
+ --no-cleanup) CLEANUP=0; shift;;
+ -h|--help) usage 0;;
+ -) HOSTFILE="/dev/stdin"; shift;;
+ *) HOSTFILE="$1"; shift;;
+ esac
+done
+
+if [[ -z "$HOSTFILE" ]]; then
+ echo "error: no host file provided. Use -h for help." >&2
+ exit 2
+fi
+
+if [[ ! -x "$BINARY" ]]; then
+ echo "error: iamroot binary not found / not executable: $BINARY" >&2
+ exit 2
+fi
+
+if ! command -v jq >/dev/null 2>&1; then
+ echo "error: jq is required for JSON aggregation" >&2
+ exit 2
+fi
+
+# Build ssh/scp option arrays
+SSH_BASE=(-o StrictHostKeyChecking=no -o BatchMode=yes -o ConnectTimeout=10)
+[[ -n "$SSH_KEY" ]] && SSH_BASE+=(-i "$SSH_KEY")
+[[ -n "$SSH_OPTS" ]] && eval "SSH_BASE+=( $SSH_OPTS )"
+
+scan_one_host() {
+ local hostspec="$1"
+ local host port user
+ if [[ "$hostspec" == *:* ]]; then
+ port="${hostspec##*:}"
+ hostspec="${hostspec%:*}"
+ else
+ port="22"
+ fi
+ if [[ "$hostspec" == *@* ]]; then
+ user="${hostspec%@*}"
+ host="${hostspec#*@}"
+ else
+ user=""
+ host="$hostspec"
+ fi
+ local target="${user:+${user}@}${host}"
+
+ local sudo_prefix=""
+ [[ "$USE_SUDO" -eq 1 ]] && sudo_prefix="sudo"
+
+ # 1. scp the binary
+ if ! scp "${SSH_BASE[@]}" -P "$port" -q "$BINARY" \
+ "${target}:${REMOTE_PATH}" 2>/dev/null; then
+ echo "{\"host\":\"${hostspec}\",\"ok\":false,\"error\":\"scp failed\"}"
+ return 1
+ fi
+
+ # 2. run --scan --json
+ # iamroot's exit codes are SEMANTIC (0=OK, 2=VULNERABLE, 4=PRECOND_FAIL, etc.)
+ # — nonzero is NOT a failure here. Treat ANY stdout JSON as success;
+ # only ssh-transport-level failures (key denied, network) are real
+ # failures, and those manifest as empty stdout + nonzero exit.
+ local scan_out
+ scan_out=$(ssh "${SSH_BASE[@]}" -p "$port" "$target" \
+ "$sudo_prefix $REMOTE_PATH --scan --json --no-color" 2>/dev/null || true)
+ if [[ -z "$scan_out" ]]; then
+ echo "{\"host\":\"${hostspec}\",\"ok\":false,\"error\":\"ssh run failed (empty output)\"}"
+ # Still try to cleanup
+ [[ "$CLEANUP" -eq 1 ]] && ssh "${SSH_BASE[@]}" -p "$port" "$target" \
+ "rm -f $REMOTE_PATH" 2>/dev/null || true
+ return 1
+ fi
+
+ # 3. cleanup
+ if [[ "$CLEANUP" -eq 1 ]]; then
+ ssh "${SSH_BASE[@]}" -p "$port" "$target" \
+ "rm -f $REMOTE_PATH" 2>/dev/null || true
+ fi
+
+ # 4. emit one combined JSON object
+ if ! echo "$scan_out" | jq --arg h "$hostspec" \
+ '{host: $h, ok: true, scan: .}' 2>/dev/null; then
+ echo "{\"host\":\"${hostspec}\",\"ok\":false,\"error\":\"invalid JSON from iamroot\"}"
+ return 1
+ fi
+}
+
+# Read host list (strip comments, blank lines)
+mapfile -t HOSTS < <(grep -vE '^\s*(#|$)' "$HOSTFILE")
+if [[ ${#HOSTS[@]} -eq 0 ]]; then
+ echo "error: no hosts to scan" >&2
+ exit 2
+fi
+
+# Optional progress to stderr
+echo "[*] scanning ${#HOSTS[@]} host(s), parallel=$PARALLEL" >&2
+
+# Run in parallel with xargs. Each invocation prints one JSON object.
+export -f scan_one_host
+export BINARY SSH_BASE SSH_KEY REMOTE_PATH USE_SUDO CLEANUP
+# bash-export of an array doesn't survive, so re-serialize:
+export SSH_BASE_STR="${SSH_BASE[*]}"
+
+# Simpler: collect per-host results sequentially (good enough for small
+# fleets); parallel mode uses GNU xargs -P if available.
+TMP=$(mktemp)
+trap 'rm -f "$TMP"' EXIT
+
+if [[ "$PARALLEL" -gt 1 ]] && command -v xargs >/dev/null 2>&1; then
+ # -I{} implies -n1; specifying both warns on modern xargs.
+ printf '%s\n' "${HOSTS[@]}" | xargs -P"$PARALLEL" -I{} \
+ bash -c 'scan_one_host "$@"' _ {} >> "$TMP"
+else
+ for h in "${HOSTS[@]}"; do
+ scan_one_host "$h" >> "$TMP" || true
+ done
+fi
+
+# Aggregate. `jq -s` slurps the line-delimited JSON into an array.
+TIMESTAMP=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+RESULT=$(jq -s --arg ts "$TIMESTAMP" '
+ . as $hosts
+ | {
+ generated_at: $ts,
+ n_hosts: ($hosts | length),
+ summary: {
+ ok: ($hosts | map(select(.ok)) | length),
+ failed: ($hosts | map(select(.ok | not)) | length),
+ vulnerable: (
+ $hosts
+ | map(select(.ok))
+ | map(.scan.modules // [])
+ | flatten
+ | map(select(.result == "VULNERABLE"))
+ | group_by(.cve)
+ | map({cve: .[0].cve, name: .[0].name, count: length})
+ | sort_by(-.count)
+ )
+ },
+ hosts: $hosts
+ }
+' "$TMP")
+
+if [[ "$SUMMARY_ONLY" -eq 1 ]]; then
+ echo "$RESULT" | jq 'del(.hosts)'
+else
+ echo "$RESULT"
+fi
+
+# Exit nonzero if any host failed
+FAILED=$(echo "$RESULT" | jq -r '.summary.failed')
+[[ "$FAILED" -eq 0 ]] || exit 1
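Review bot: `scan_one_host` copies the binary to a fixed path in a world-writable directory (`REMOTE_PATH="/tmp/iamroot"`) and then runs it under `sudo`, so another local account on the target can pre-create or replace that file between the `scp` and the `ssh` call and have its content run as root; stage into a directory created by `mktemp -d` on the remote side instead, as sketched below. `SSH_BASE` also sets `StrictHostKeyChecking=no`, which removes host authentication from a session that uploads and runs a privileged binary; `accept-new` or a pre-populated known_hosts file keeps the batch behaviour without accepting changed keys. In the default parallel path the child `bash -c` never receives the `SSH_BASE` array (the exported `SSH_BASE_STR` is not read anywhere), so `--ssh-key`, `BatchMode` and `ConnectTimeout` are silently dropped, and because the `xargs` pipeline has no `|| true` under `set -euo pipefail`, one failed host ends the script before the aggregate is printed. `eval "SSH_BASE+=( $SSH_OPTS )"` evaluates whatever is passed in `--ssh-opts`, whereas `read -r -a` into a temporary array splits the string without evaluating it. The first lines of the script are not legible on this page, so this covers the code from the option header onward.

```shell
  # 1. stage into a private directory created on the target (owner-only by default)
  local remote_dir remote_bin
  remote_dir=$(ssh "${SSH_BASE[@]}" -p "$port" "$target" \
    'mktemp -d /tmp/iamroot.XXXXXXXXXX' 2>/dev/null) || remote_dir=""
  if [[ "$remote_dir" != /tmp/iamroot.* ]]; then
    # jq builds the object so the host string is escaped rather than interpolated
    jq -cn --arg h "$hostspec" '{host: $h, ok: false, error: "remote mktemp failed"}'
    return 1
  fi
  remote_bin="${remote_dir}/iamroot"
  if ! scp "${SSH_BASE[@]}" -P "$port" -q "$BINARY" \
    "${target}:${remote_bin}" 2>/dev/null; then
  # … unchanged: scp-failure JSON, scan and JSON wrap, with $REMOTE_PATH replaced by $remote_bin …
  # 3. cleanup removes the whole private directory
  ssh "${SSH_BASE[@]}" -p "$port" "$target" \
    "rm -rf -- '${remote_dir}'" 2>/dev/null || true
```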